diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000000..cd2051c110 --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +* @muursh @wborgeaud @Nashtare diff --git a/.github/workflows/continuous-integration-workflow.yml b/.github/workflows/continuous-integration-workflow.yml index 7c18a405a9..48b06cfd9d 100644 --- a/.github/workflows/continuous-integration-workflow.yml +++ b/.github/workflows/continuous-integration-workflow.yml @@ -51,14 +51,6 @@ jobs: CARGO_INCREMENTAL: 1 RUST_BACKTRACE: 1 - - name: Check in evm subdirectory - run: cargo check --manifest-path evm/Cargo.toml - env: - RUSTFLAGS: -Copt-level=3 -Cdebug-assertions -Coverflow-checks=y -Cdebuginfo=0 - RUST_LOG: 1 - CARGO_INCREMENTAL: 1 - RUST_BACKTRACE: 1 - - name: Run cargo test run: cargo test --workspace env: @@ -67,8 +59,8 @@ jobs: CARGO_INCREMENTAL: 1 RUST_BACKTRACE: 1 - wasm32: - name: wasm32 compatibility + wasm: + name: Check wasm32 compatibility runs-on: ubuntu-latest timeout-minutes: 30 if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')" @@ -86,7 +78,7 @@ jobs: with: cache-on-failure: true - - name: Check in plonky2 subdirectory + - name: Check in plonky2 subdirectory for wasm targets run: cargo check --manifest-path plonky2/Cargo.toml --target wasm32-unknown-unknown --no-default-features env: RUSTFLAGS: -Copt-level=3 -Cdebug-assertions -Coverflow-checks=y -Cdebuginfo=0 @@ -94,7 +86,7 @@ jobs: CARGO_INCREMENTAL: 1 RUST_BACKTRACE: 1 - - name: Check in starky subdirectory + - name: Check in starky subdirectory for wasm targets run: cargo check --manifest-path starky/Cargo.toml --target wasm32-unknown-unknown --no-default-features env: RUSTFLAGS: -Copt-level=3 -Cdebug-assertions -Coverflow-checks=y -Cdebuginfo=0 @@ -102,6 +94,41 @@ jobs: CARGO_INCREMENTAL: 1 RUST_BACKTRACE: 1 + no_std: + name: Test Suite in no-std + runs-on: ubuntu-latest + timeout-minutes: 30 + if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')" + steps: + - name: Checkout sources + uses: actions/checkout@v4 + + - name: Install nightly toolchain + uses: dtolnay/rust-toolchain@master + with: + toolchain: nightly-2024-02-01 + + - name: Set up rust cache + uses: Swatinem/rust-cache@v2 + with: + cache-on-failure: true + + - name: Run cargo test in plonky2 subdirectory (no-std) + run: cargo test --manifest-path plonky2/Cargo.toml --no-default-features --lib + env: + RUSTFLAGS: -Copt-level=3 -Cdebug-assertions -Coverflow-checks=y -Cdebuginfo=0 + RUST_LOG: 1 + CARGO_INCREMENTAL: 1 + RUST_BACKTRACE: 1 + + - name: Run cargo test in starky subdirectory (no-std) + run: cargo test --manifest-path starky/Cargo.toml --no-default-features --lib + env: + RUSTFLAGS: -Copt-level=3 -Cdebug-assertions -Coverflow-checks=y -Cdebuginfo=0 + RUST_LOG: 1 + CARGO_INCREMENTAL: 1 + RUST_BACKTRACE: 1 + lints: name: Formatting and Clippy runs-on: ubuntu-latest diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 0000000000..dd901fda49 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,19 @@ +# Changelog + +All notable changes to this project will be documented in this file. + +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). + +## Unreleased + +- Fix CTLs with exactly two looking tables ([#1555](https://github.com/0xPolygonZero/plonky2/pull/1555)) +- Make Starks without constraints provable ([#1552](https://github.com/0xPolygonZero/plonky2/pull/1552)) + +## [0.2.1] - 2024-03-01 (`starky` crate only) + +### Changed +- Always compile cross_table_lookups::debug_utils ([#1540](https://github.com/0xPolygonZero/plonky2/pull/1540)) + +## [0.2.0] - 2024-02-20 +- Initial CHANGELOG tracking. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000000..7bfabd1c02 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,100 @@ +# Guidance for external contributors + +Do you feel keen and able to help with Plonky2? That's great! We +encourage external contributions! + +We want to make it easy for you to contribute, but at the same time we +must manage the burden of reviewing external contributions. We are a +small team, and the time we spend reviewing external contributions is +time we are not developing ourselves. + +We also want to help you to avoid inadvertently duplicating work that +is already underway, or building something that we will not +want to incorporate. + +First and foremost, please keep in mind that this is a highly +technical piece of software and contributing is only suitable for +experienced mathematicians, cryptographers and software engineers. + +The Polygon Zero Team reserves the right to accept or reject any +external contribution for any reason, including a simple lack of time +to maintain it (now or in the future); we may even decline to review +something that is not considered a sufficiently high priority for us. + +To avoid disappointment, please communicate your intention to +contribute openly, while respecting the limited time and availability +we have to review and provide guidance for external contributions. It +is a good idea to drop a note in our public Discord #development +channel of your intention to work on something, whether an issue, a +new feature, or a performance improvement. This is probably all that's +really required to avoid duplication of work with other contributors. + +What follows are some more specific requests for how to write PRs in a +way that will make them easy for us to review. Deviating from these +guidelines may result in your PR being rejected, ignored or forgotten. + + +## General guidance for your PR + +Obviously PRs will not be considered unless they pass our Github +CI. The Github CI is not executed for PRs from forks, but you can +simulate the Github CI by running the commands in +`.github/workflows/ci.yml`. + +Under no circumstances should a single PR mix different purposes: Your +PR is either a bug fix, a new feature, or a performance improvement, +never a combination. Nor should you include, for example, two +unrelated performance improvements in one PR. Please just submit +separate PRs. The goal is to make reviewing your PR as simple as +possible, and you should be thinking about how to compose the PR to +minimise the burden on the reviewer. + +Also note that any PR that depends on unstable features will be +automatically rejected. The Polygon Zero Team may enable a small +number of unstable features in the future for our exclusive use; +nevertheless we aim to minimise the number of such features, and the +number of uses of them, to the greatest extent possible. + +Here are a few specific guidelines for the three main categories of +PRs that we expect: + + +### The PR fixes a bug + +In the PR description, please clearly but briefly describe + +1. the bug (could be a reference to a GH issue; if it is from a + discussion (on Discord/email/etc. for example), please copy in the + relevant parts of the discussion); +2. what turned out to the cause the bug; and +3. how the PR fixes the bug. + +Wherever possible, PRs that fix bugs should include additional tests +that (i) trigger the original bug and (ii) pass after applying the PR. + + +### The PR implements a new feature + +If you plan to contribute an implementation of a new feature, please +double-check with the Polygon Zero team that it is a sufficient +priority for us that it will be reviewed and integrated. + +In the PR description, please clearly but briefly describe + +1. what the feature does +2. the approach taken to implement it + +All PRs for new features must include a suitable test suite. + + +### The PR improves performance + +Performance improvements are particularly welcome! Please note that it +can be quite difficult to establish true improvements for the +workloads we care about. To help filter out false positives, the PR +description for a performance improvement must clearly identify + +1. the target bottleneck (only one per PR to avoid confusing things!) +2. how performance is measured +3. characteristics of the machine used (CPU, OS, #threads if appropriate) +4. performance before and after the PR diff --git a/Cargo.toml b/Cargo.toml index 5bb77ff700..c17611bdd6 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -1,7 +1,19 @@ [workspace] -members = ["evm", "field", "maybe_rayon", "plonky2", "starky", "util", "gen"] +members = ["field", "maybe_rayon", "plonky2", "starky", "util", "gen"] resolver = "2" +[workspace.dependencies] +ahash = { version = "0.8.7", default-features = false, features = ["compile-time-rng"] } # NOTE: Be sure to keep this version the same as the dependency in `hashbrown`. +anyhow = { version = "1.0.40", default-features = false } +hashbrown = { version = "0.14.3", default-features = false, features = ["ahash", "serde"] } # NOTE: When upgrading, see `ahash` dependency. +itertools = { version = "0.11.0", default-features = false } +log = { version = "0.4.14", default-features = false } +num = { version = "0.4", default-features = false, features = ["rand"] } +rand = { version = "0.8.4", default-features = false } +serde = { version = "1.0", default-features = false, features = ["derive"] } +static_assertions = { version = "1.1.0", default-features = false } +unroll = { version = "0.1.5", default-features = false } + [profile.release] opt-level = 3 incremental = true @@ -9,4 +21,12 @@ incremental = true #codegen-units = 1 [profile.bench] -opt-level = 3 \ No newline at end of file +opt-level = 3 + +[workspace.package] +edition = "2021" +license = "MIT OR Apache-2.0" +homepage = "https://github.com/0xPolygonZero/plonky2" +repository = "https://github.com/0xPolygonZero/plonky2" +keywords = ["cryptography", "SNARK", "PLONK", "FRI", "plonky2"] +categories = ["cryptography"] diff --git a/field/LICENSE-APACHE b/LICENSE-APACHE similarity index 100% rename from field/LICENSE-APACHE rename to LICENSE-APACHE diff --git a/field/LICENSE-MIT b/LICENSE-MIT similarity index 100% rename from field/LICENSE-MIT rename to LICENSE-MIT diff --git a/README.md b/README.md index 189f10a2d3..77b73a36ce 100644 --- a/README.md +++ b/README.md @@ -14,4 +14,63 @@ git submodule update --init --recursive - cuda NTT ``` cargo run --release -p plonky2_field --features=cuda --example fft -``` \ No newline at end of file +``` + +## Running + +To see recursion performance, one can run this bench, which generates a chain of three recursion proofs: + +```sh +RUSTFLAGS=-Ctarget-cpu=native cargo run --release --example bench_recursion -- -vv +``` + +## Jemalloc + +Plonky2 prefers the [Jemalloc](http://jemalloc.net) memory allocator due to its superior performance. To use it, include `jemallocator = "0.5.0"` in your `Cargo.toml` and add the following lines +to your `main.rs`: + +```rust +use jemallocator::Jemalloc; + +#[global_allocator] +static GLOBAL: Jemalloc = Jemalloc; +``` + +Jemalloc is known to cause crashes when a binary compiled for x86 is run on an Apple silicon-based Mac under [Rosetta 2](https://support.apple.com/en-us/HT211861). If you are experiencing crashes on your Apple silicon Mac, run `rustc --print target-libdir`. The output should contain `aarch64-apple-darwin`. If the output contains `x86_64-apple-darwin`, then you are running the Rust toolchain for x86; we recommend switching to the native ARM version. + +## Contributing guidelines + +See [CONTRIBUTING.md](./CONTRIBUTING.md). + +## Licenses + +All crates of this monorepo are licensed under either of + +* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0) +* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT) + +at your option. + + +## Security + +This code has not yet been audited, and should not be used in any production systems. + +While Plonky2 is configurable, its defaults generally target 100 bits of security. The default FRI configuration targets 100 bits of *conjectured* security based on the conjecture in [ethSTARK](https://eprint.iacr.org/2021/582). + +Plonky2's default hash function is Poseidon, configured with 8 full rounds, 22 partial rounds, a width of 12 field elements (each ~64 bits), and an S-box of `x^7`. [BBLP22](https://tosc.iacr.org/index.php/ToSC/article/view/9850) suggests that this configuration may have around 95 bits of security, falling a bit short of our 100 bit target. + + +## Links + +#### Actively maintained + +- [Polygon Zero's zkEVM](https://github.com/0xPolygonZero/zk_evm), an efficient Type 1 zkEVM built on top of Starky and plonky2 + +#### No longer maintained + +- [System Zero](https://github.com/0xPolygonZero/system-zero), a zkVM built on top of Starky +- [Waksman](https://github.com/0xPolygonZero/plonky2-waksman), Plonky2 gadgets for permutation checking using Waksman networks +- [Insertion](https://github.com/0xPolygonZero/plonky2-insertion), Plonky2 gadgets for insertion into a list +- [u32](https://github.com/0xPolygonZero/plonky2-u32), Plonky2 gadgets for u32 arithmetic +- [ECDSA](https://github.com/0xPolygonZero/plonky2-ecdsa), Plonky2 gadgets for the ECDSA algorithm diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..d8e87e74ee --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Polygon Technology Security Information + +## Link to vulnerability disclosure details (Bug Bounty). +- Websites and Applications: https://hackerone.com/polygon-technology +- Smart Contracts: https://immunefi.com/bounty/polygon + +## Languages that our team speaks and understands. +Preferred-Languages: en + +## Security-related job openings at Polygon. +https://polygon.technology/careers + +## Polygon security contact details. +security@polygon.technology + +## The URL for accessing the security.txt file. +Canonical: https://polygon.technology/security.txt diff --git a/evm/.cargo/katex-header.html b/evm/.cargo/katex-header.html deleted file mode 100644 index 20723b5d27..0000000000 --- a/evm/.cargo/katex-header.html +++ /dev/null @@ -1 +0,0 @@ -../../.cargo/katex-header.html \ No newline at end of file diff --git a/evm/Cargo.toml b/evm/Cargo.toml index 3398463654..e59df23509 100644 --- a/evm/Cargo.toml +++ b/evm/Cargo.toml @@ -2,7 +2,6 @@ name = "plonky2_evm" description = "Implementation of STARKs for the Ethereum Virtual Machine" version = "0.1.1" -license = "MIT or Apache-2.0" authors = ["Daniel Lubarov ", "William Borgeaud "] readme = "README.md" repository = "https://github.com/0xPolygonZero/plonky2" @@ -14,7 +13,7 @@ edition = "2021" anyhow = "1.0.40" bytes = "1.4.0" env_logger = "0.10.0" -eth_trie_utils = { git = "https://github.com/0xPolygonZero/eth_trie_utils.git", rev = "7fc3c3f54b3cec9c6fc5ffc5230910bd1cb77f76" } +eth_trie_utils = { git = "https://github.com/0xPolygonZero/eth_trie_utils.git", rev = "e9ec4ec2aa2ae976b7c699ef40c1ffc716d87ed5" } ethereum-types = "0.14.0" hex = { version = "0.4.3", optional = true } hex-literal = "0.4.1" @@ -60,7 +59,3 @@ required-features = ["asmtools"] [[bench]] name = "stack_manipulation" harness = false - -# Display math equations properly in documentation -[package.metadata.docs.rs] -rustdoc-args = ["--html-in-header", ".cargo/katex-header.html"] diff --git a/evm/LICENSE-APACHE b/evm/LICENSE-APACHE deleted file mode 100644 index 1b5ec8b78e..0000000000 --- a/evm/LICENSE-APACHE +++ /dev/null @@ -1,176 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS diff --git a/evm/LICENSE-MIT b/evm/LICENSE-MIT deleted file mode 100644 index 72dc60d84b..0000000000 --- a/evm/LICENSE-MIT +++ /dev/null @@ -1,19 +0,0 @@ -The MIT License (MIT) - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/evm/README.md b/evm/README.md deleted file mode 100644 index a5c201550b..0000000000 --- a/evm/README.md +++ /dev/null @@ -1,36 +0,0 @@ -# Provable Stateless ZK-EVM - -Included here is an implementation of a stateless, recursive ZK-EVM client implemented using Plonky2. It currently supports the full Merkle-Patricia Trie and has all Shanghai opcodes implemented. - -## Performance - -This implementation is able to provide transaction level proofs which are then recursively aggregated into a block proof. This means that proofs for a block can be efficiently distributed across a cluster of computers. As these proofs use Plonky2 they are CPU and Memory bound. The ability to scale horizontally across transactions increases the total performance of the system dramatically. End-to-end workflows are currently in progress to support this proving mode against live evm networks. - -Furthermore the implementation itself is highly optimized to provide fast proving times on generally available cloud instances and does not require GPUs or special hardware. - -## Ethereum Compatibility - -The aim of this module is to initially provide full ethereum compatibility. Today, all [EVM tests](https://github.com/0xPolygonZero/evm-tests) for the Shanghai hardfork are implemented. Work is progressing on supporting the upcoming [Cancun](https://github.com/0xPolygonZero/plonky2/labels/cancun) EVM changes. Furthermore, this prover uses the full ethereum state tree and hashing modes. - -## Audits - -Audits for the ZK-EVM will begin on November 27th, 2023. See the [Audit RC1 Milestone](https://github.com/0xPolygonZero/plonky2/milestone/2?closed=1). This README will be updated with the proper branches and hashes when the audit has commenced. - -## Documentation / Specification - -The current specification is located in the [/spec](/spec) directory, with the most currently up-to-date PDF [available here](https://github.com/0xPolygonZero/plonky2/blob/main/evm/spec/zkevm.pdf). Further documentation will be made over the coming months. - -## License -Copyright (c) 2023 PT Services DMCC - -Licensed under either of: -* Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or http://www.apache.org/licenses/LICENSE-2.0) -* MIT license ([LICENSE-MIT](LICENSE-MIT) or http://opensource.org/licenses/MIT) - -at your option. - -The SPDX license identifier for this project is `MIT OR Apache-2.0`. - -### Contribution - -Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions. diff --git a/evm/benches/stack_manipulation.rs b/evm/benches/stack_manipulation.rs deleted file mode 100644 index 20f865120f..0000000000 --- a/evm/benches/stack_manipulation.rs +++ /dev/null @@ -1,75 +0,0 @@ -use criterion::{criterion_group, criterion_main, BenchmarkId, Criterion}; -use plonky2_evm::cpu::kernel::assemble_to_bytes; - -fn criterion_benchmark(c: &mut Criterion) { - rotl_group(c); - rotr_group(c); - insert_group(c); - delete_group(c); - replace_group(c); - shuffle_group(c); - misc_group(c); -} - -fn rotl_group(c: &mut Criterion) { - let mut group = c.benchmark_group("rotl"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (b, c, d, e, f, g, h, a)")) - }); -} - -fn rotr_group(c: &mut Criterion) { - let mut group = c.benchmark_group("rotr"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (h, a, b, c, d, e, f, g)")) - }); -} - -fn insert_group(c: &mut Criterion) { - let mut group = c.benchmark_group("insert"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (a, b, c, d, 123, e, f, g, h)")) - }); -} - -fn delete_group(c: &mut Criterion) { - let mut group = c.benchmark_group("delete"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (a, b, c, e, f, g, h)")) - }); -} - -fn replace_group(c: &mut Criterion) { - let mut group = c.benchmark_group("replace"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (a, b, c, 5, e, f, g, h)")) - }); -} - -fn shuffle_group(c: &mut Criterion) { - let mut group = c.benchmark_group("shuffle"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, d, e, f, g, h) -> (g, d, h, a, f, e, b, c)")) - }); -} - -fn misc_group(c: &mut Criterion) { - let mut group = c.benchmark_group("misc"); - group.sample_size(10); - group.bench_function(BenchmarkId::from_parameter(8), |b| { - b.iter(|| assemble("%stack (a, b, c, a, e, f, g, h) -> (g, 1, h, g, f, 3, b, b)")) - }); -} - -criterion_group!(benches, criterion_benchmark); -criterion_main!(benches); - -fn assemble(code: &str) { - assemble_to_bytes(&[code.into()]); -} diff --git a/evm/spec/.gitignore b/evm/spec/.gitignore deleted file mode 100644 index ba6d400798..0000000000 --- a/evm/spec/.gitignore +++ /dev/null @@ -1,7 +0,0 @@ -## Files generated by pdflatex, bibtex, etc. -*.aux -*.log -*.out -*.toc -*.bbl -*.blg diff --git a/evm/spec/Makefile b/evm/spec/Makefile deleted file mode 100644 index 979545288e..0000000000 --- a/evm/spec/Makefile +++ /dev/null @@ -1,20 +0,0 @@ -DOCNAME=zkevm - -all: pdf - -.PHONY: clean - -quick: - pdflatex $(DOCNAME).tex - -pdf: - pdflatex $(DOCNAME).tex - bibtex $(DOCNAME).aux - pdflatex $(DOCNAME).tex - pdflatex $(DOCNAME).tex - -view: pdf - open $(DOCNAME).pdf - -clean: - rm -f *.blg *.bbl *.aux *.log diff --git a/evm/spec/bibliography.bib b/evm/spec/bibliography.bib deleted file mode 100644 index 1d83d297e9..0000000000 --- a/evm/spec/bibliography.bib +++ /dev/null @@ -1,30 +0,0 @@ -@misc{stark, - author = {Eli Ben-Sasson and - Iddo Bentov and - Yinon Horesh and - Michael Riabzev}, - title = {Scalable, transparent, and post-quantum secure computational integrity}, - howpublished = {Cryptology ePrint Archive, Report 2018/046}, - year = {2018}, - note = {\url{https://ia.cr/2018/046}}, -} - -@misc{plonk, - author = {Ariel Gabizon and - Zachary J. Williamson and - Oana Ciobotaru}, - title = {PLONK: Permutations over Lagrange-bases for Oecumenical Noninteractive arguments of Knowledge}, - howpublished = {Cryptology ePrint Archive, Report 2019/953}, - year = {2019}, - note = {\url{https://ia.cr/2019/953}}, -} - -@article{yellowpaper, - title={Ethereum: A secure decentralised generalised transaction ledger}, - author={Wood, Gavin and others}, - journal={Ethereum project yellow paper}, - volume={151}, - number={2014}, - pages={1--32}, - year={2014} -} diff --git a/evm/spec/cpulogic.tex b/evm/spec/cpulogic.tex deleted file mode 100644 index 318e2db487..0000000000 --- a/evm/spec/cpulogic.tex +++ /dev/null @@ -1,285 +0,0 @@ -\section{CPU logic} -\label{cpulogic} - -The CPU is in charge of coordinating the different STARKs, proving the correct execution of the instructions it reads and guaranteeing -that the final state of the EVM corresponds to the starting state after executing the input transaction. All design choices were made -to make sure these properties can be adequately translated into constraints of degree at most 3 while minimizing the size of the different -table traces (number of columns and number of rows). - -In this section, we will detail some of these choices. - -\subsection{Kernel} -The kernel is in charge of the proving logic. This section aims at providing a high level overview of this logic. For details about any specific part of the logic, one can consult the various ``asm'' files in the \href{https://github.com/0xPolygonZero/plonky2/tree/main/evm/src/cpu/kernel}{``kernel'' folder}. - -We prove one transaction at a time. These proofs can later be aggregated recursively to prove a block. Proof aggregation is however not in the scope of this section. Here, we assume that we have an initial state of the EVM, and we wish to prove that a single transaction was correctly executed, leading to a correct update of the state. - -Since we process one transaction at a time, a few intermediary values need to be provided by the prover. Indeed, to prove that the registers in the EVM state are correctly updated, we need to have access to their initial values. When aggregating proofs, we can also constrain those values to match from one transaction to the next. Let us consider the example of the transaction number. Let $n$ be the number of transactions executed so far in the current block. If the current proof is not a dummy one (we are indeed executing a transaction), then the transaction number should be updated: $n := n+1$. Otherwise, the number remains unchanged. We can easily constrain this update. When aggregating the previous transaction proof ($lhs$) with the current one ($rhs$), we also need to check that the output transaction number of $lhs$ is the same as the input transaction number of $rhs$. - -Those prover provided values are stored in memory prior to entering the kernel, and are used in the kernel to assert correct updates. The list of prover provided values necessary to the kernel is the following: -\begin{enumerate} - \item the previous transaction number: $t_n$, - \item the gas used before executing the current transaction: $g\_u_0$, - \item the gas used after executing the current transaction: $g\_u_1$, - \item the state, transaction and receipts MPTs before executing the current transaction: $\texttt{tries}_0$, - \item the hash of all MPTs before executing the current transaction: $\texttt{digests}_0$, - \item the hash of all MPTs after executing the current transaction: $\texttt{digests}_1$, - \item the RLP encoding of the transaction. -\end{enumerate} - -\paragraph*{Initialization:} The first step consists in initializing: -\begin{itemize} - \item The shift table: it maps the number of bit shifts $s$ with its shifted value $1 << s$. Note that $0 \leq s \leq 255$. - \item The initial MPTs: the initial state, transaction and receipt tries $\texttt{tries}_0$ are loaded from memory and hashed. The hashes are then compared to $\texttt{digests}\_0$. - \item We load the transaction number $t\_n$ and the current gas used $g\_u_0$ from memory. -\end{itemize} - -If no transaction is provided, we can halt after this initialization. Otherwise, we start processing the transaction. The transaction is provided as its RLP encoding. We can deduce the various transaction fields (such as its type or the transfer value) from its encoding. Based on this, the kernel updates the state trie by executing the transaction. Processing the transaction also includes updating the transactions MPT with the transaction at hand. - -The processing of the transaction returns a boolean ``success'' that indicates whether the transaction was executed successfully, along with the leftover gas. - -The following step is then to update the receipts MPT. Here, we update the transaction's bloom filter. We store ``success'', the leftover gas, the transaction bloom filter and the logs in memory. We also store some additional information that facilitates the RLP encoding of the receipts later. - -If there are any withdrawals, they are performed at this stage. - -Finally, once the three MPTs have been updated, we need to carry out final checks: -\begin{itemize} - \item the gas used after the execution is equal to $g\_u_1$, - \item the new transaction number is $n+1$ if there was a transaction, - \item the three MPTs are hashed and checked against $\texttt{digests}_1$. -\end{itemize} -Once those final checks are performed, the program halts. - -\subsection{Simple opcodes VS Syscalls} -For simplicity and efficiency, EVM opcodes are categorized into two groups: ``simple opcodes'' and ``syscalls''. Simple opcodes are generated directly in Rust, in \href{https://github.com/0xPolygonZero/plonky2/blob/main/evm/src/witness/operation.rs}{operation.rs}. Every call to a simple opcode adds exactly one row to the \href{https://github.com/0xPolygonZero/plonky2/blob/main/evm/spec/tables/cpu.tex}{cpu table}. Syscalls are more complex structures written with simple opcodes, in the kernel. - -Whenever we encounter a syscall, we switch to kernel mode and execute its associated code. At the end of each syscall, we run EXIT\_KERNEL, which resets the kernel mode to its state right before the syscall. It also sets the PC to point to the opcode right after the syscall. - -Exceptions are handled differently for simple opcodes and syscalls. When necessary, simple opcodes throw an exception (see \ref{exceptions}). This activates the ``exception flag'' in the CPU and runs the exception operations. On the other hand, syscalls handle exceptions in the kernel directly. - -\subsection{Privileged instructions} - -To ease and speed-up proving time, the zkEVM supports custom, privileged instructions that can only be executed by the kernel. -Any appearance of those privileged instructions in a contract bytecode for instance would result in an unprovable state. - -In what follows, we denote by $p_{BN}$ the characteristic of the BN254 curve base field, curve for which Ethereum supports the -ecAdd, ecMul and ecPairing precompiles. - -\begin{enumerate}[align=left] - \item[0x0C.] \texttt{ADDFP254}. Pops 2 elements from the stack interpreted as BN254 base field elements, and pushes their addition modulo $p_{BN}$ onto the stack. - - \item[0x0D.] \texttt{MULFP254}. Pops 2 elements from the stack interpreted as BN254 base field elements, and pushes their product modulo $p_{BN}$ onto the stack. - - \item[0x0E.] \texttt{SUBFP254}. Pops 2 elements from the stack interpreted as BN254 base field elements, and pushes their difference modulo $p_{BN}$ onto the stack. - This instruction behaves similarly to the SUB (0x03) opcode, in that we subtract the second element of the stack from the initial (top) one. - - \item[0x0F.] \texttt{SUBMOD}. Pops 3 elements from the stack, and pushes the modular difference of the first two elements of the stack by the third one. - It is similar to the SUB instruction, with an extra pop for the custom modulus. - - \item[0x21.] \texttt{KECCAK\_GENERAL}. Pops 2 elements (a Memory address, followed by a length $\ell$) and pushes the hash of the memory portion starting at the - constructed address and of length $\ell$. It is similar to KECCAK256 (0x20) instruction, but can be applied to any memory section (i.e. even privileged ones). - - \item[0x49.] \texttt{PROVER\_INPUT}. Pushes a single prover input onto the stack. - - \item[0xC0-0xDF.] \texttt{MSTORE\_32BYTES}. Pops 2 elements from the stack (a Memory address, and then a value), and pushes - a new address' onto the stack. The value is being decomposed into bytes and written to memory, starting from the fetched address. The new address being pushed is computed as the - initial address + the length of the byte sequence being written to memory. Note that similarly to PUSH (0x60-0x7F) instructions, there are 32 MSTORE\_32BYTES instructions, each - corresponding to a target byte length (length 0 is ignored, for the same reasons as MLOAD\_32BYTES, see below). Writing to memory an integer fitting in $n$ bytes with a length $\ell < n$ will - result in the integer being truncated. On the other hand, specifying a length $\ell$ greater than the byte size of the value being written will result in padding with zeroes. This - process is heavily used when resetting memory sections (by calling MSTORE\_32BYTES\_32 with the value 0). - - \item[0xF6.] \texttt{GET\_CONTEXT}. Pushes the current context onto the stack. The kernel always has context 0. - - \item[0xF7.] \texttt{SET\_CONTEXT}. Pops the top element of the stack and updates the current context to this value. It is usually used when calling another contract or precompile, - to distinguish the caller from the callee. - - \item[0xF8.] \texttt{MLOAD\_32BYTES}. Pops 2 elements from the stack (a Memory address, and then a length $\ell$), and pushes - a value onto the stack. The pushed value corresponds to the U256 integer read from the big-endian sequence of length $\ell$ from the memory address being fetched. Note that an - empty length is not valid, nor is a length greater than 32 (as a U256 consists in at most 32 bytes). Missing these conditions will result in an unverifiable proof. - - \item[0xF9.] \texttt{EXIT\_KERNEL}. Pops 1 element from the stack. This instruction is used at the end of a syscall, before proceeding to the rest of the execution logic. - The popped element, \textit{kexit\_info}, contains several pieces of information like the current program counter, the current amount of gas used, and whether we are in kernel (i.e. privileged) mode or not. - - \item[0xFB.] \texttt{MLOAD\_GENERAL}. Pops 1 elements (a Memory address), and pushes the value stored at this memory - address onto the stack. It can read any memory location, general (similarly to MLOAD (0x51) instruction) or privileged. - - \item[0xFC.] \texttt{MSTORE\_GENERAL}. Pops 2 elements (a value and a Memory address), and writes the popped value from - the stack at the fetched address. It can write to any memory location, general (similarly to MSTORE (0x52) / MSTORE8 (0x53) instructions) or privileged. -\end{enumerate} - - -\subsection{Memory addresses} -\label{memoryaddresses} - -Kernel operations deal with memory addresses as single U256 elements. -However, when processing the operations to generate the proof witness, the CPU will decompose these into three components: - -\begin{itemize} - \item[context.] The context of the memory address. The Kernel context is special, and has value 0. - - \item[segment.] The segment of the memory address, corresponding to a specific section given a context (eg. MPT data, global metadata, etc.). - - \item[virtual.] The offset of the memory address, within a segment given a context. -\end{itemize} - -To easily retrieve these components, we scale them so that they can represent a memory address as: - -$$ \mathrm{addr} = 2^{64} \cdot \mathrm{context} + 2^{32} \cdot \mathrm{segment} + \mathrm{offset}$$ - -This allows to easily retrieve each component individually once a Memory address has been decomposed into 32-bit limbs. - - -\subsection{Stack handling} -\label{stackhandling} - -\subsubsection{Top of the stack} - -The majority of memory operations involve the stack. The stack is a segment in memory, and stack operations (popping or pushing) use the memory channels. -Every CPU instruction performs between 0 and 3 pops, and may push at most once. However, for efficiency purposes, we hold the top of the stack in -the first memory channel \texttt{current\_row.mem\_channels[0]}, only writing it in memory if necessary. - -\paragraph*{Motivation:} - -See \href{https://github.com/0xPolygonZero/plonky2/issues/1149}{this issue}. - -\paragraph*{Top reading and writing:} - -When a CPU instruction modifies the stack, it must update the top of the stack accordingly. There are three cases. - -\begin{itemize} - \item \textbf{The instruction pops and pushes:} The new top of the stack is stored in \texttt{next\_row.mem\_channels[0]}; it may be computed by the instruction, -or it could be read from memory. In either case, the instruction is responsible for setting \texttt{next\_row.mem\_channels[0]}'s flags and address columns correctly. -After use, the previous top of the stack is discarded and doesn't need to be written in memory. - \item \textbf{The instruction pushes, but doesn't pop:} The new top of the stack is stored in \texttt{next\_row.mem\_channels[0]}; it may be computed by the instruction, -or it could be read from memory. In either case, the instruction is responsible for setting \texttt{next\_row.mem\_channels[0]}'s flags and address columns correctly. -If the stack wasn't empty (\texttt{current\_row.stack\_len > 0}), the instruction performs a memory read in \texttt{current\_row.partial\_ channel}. \texttt{current\_row.partial\_channel} -shares its values with \texttt{current\_ row.mem\_channels[0]} (which holds the current top of the stack). If the stack was empty, \texttt{current\_row.partial\_channel} -is disabled. - \item \textbf{The instruction pops, but doesn't push:} After use, the current top of the stack is discarded and doesn't need to be written in memory. -If the stack isn't empty now (\texttt{current\_row.stack\_len > num\_pops}), the new top of the stack is set in \texttt{next\_row.mem\_channels[0]} -with a memory read from the stack segment. If the stack is now empty, \texttt{next\_row.mem\_channels[0]} is disabled. -\end{itemize} - -In the last two cases, there is an edge case if \texttt{current\_row.stack\_len} is equal to a \texttt{special\_len}. For a strictly pushing instruction, -this happens if the stack is empty, and \texttt{special\_len = 0}. For a strictly popping instruction, this happens if the next stack is empty, i.e. if -all remaining elements are popped, and \texttt{special\_len = num\_pops}. Note that we do not need to check for values below \texttt{num\_pops}, since this -would be a stack underflow exception which is handled separately. -The edge case is detected with the compound flag -$$\texttt{1 - not\_special\_len * stack\_inv\_aux,}$$ -where $$\texttt{not\_special\_len = current\_row - special\_len}$$ - - -and \texttt{stack\_inv\_aux} is constrained to be the modular inverse of \texttt{not\_special\_ len} if it's non-zero, or 0 otherwise. The flag is 1 -if \texttt{stack\_len} is equal to \texttt{special\_len}, and 0 otherwise. - -This logic can be found in code in the \texttt{eval\_packed\_one} function of \href{https://github.com/0xPolygonZero/plonky2/blob/main/evm/src/cpu/stack.rs}{stack.rs}. -The function multiplies all of the stack constraints with the degree 1 filter associated with the current instruction. - -\paragraph*{Operation flag merging:} - -To reduce the total number of columns, many operation flags are merged together (e.g. \texttt{DUP} and \texttt{SWAP}) and are distinguished with the binary decomposition of their opcodes. -The filter for a merged operation is now of degree 2: for example, \texttt{is\_swap = dup\_swap * opcode\_bits[4]} since the 4th bit is set to 1 for a \texttt{SWAP} and 0 for a \texttt{DUP}. -If the two instructions have different stack behaviors, this can be a problem: \texttt{eval\_packed\_one}'s constraints are already of degree 3 and it can't support degree 2 filters. - -When this happens, stack constraints are defined manually in the operation's dedicated file (e.g. \texttt{dup\_swap.rs}). Implementation details vary case-by-case and can be found in the files. - -\subsubsection{Stack length checking} - -The CPU must make sure that the stack length never goes below zero and, in user mode, never grows beyond the maximum stack size. When this happens, an honest prover should trigger the -corresponding exception. If a malicious prover doesn't trigger the exception, constraints must fail the proof. - -\paragraph*{Stack underflow:} -There is no explicit constraint checking for stack underflow. An underflow happens when the CPU tries to pop the empty stack, which would perform a memory read at virtual address \texttt{-1}. -Such a read cannot succeed: in Memory, the range-check argument requires the gap between two consecutive addresses to be lower than the length of the Memory trace. Since the prime of the Plonky2 field is 64-bit long, -this would require a Memory trace longer than $2^{32}$. - -\paragraph*{Stack overflow:} -An instruction can only push at most once, meaning that an overflow occurs whenever the stack length is exactly one more than the maximum stack size ($1024+1$) in user mode. -To constrain this, the column \texttt{stack\_len\_bounds\_aux} contains: - -\begin{itemize} - \item[--] the modular inverse of \texttt{stack\_len - 1025} if we're in user mode and \texttt{stack\_len $\neq$ 1025}, - \item[--] 0 if \texttt{stack\_len = 1025} or if we're in kernel mode. -\end{itemize} -Then overflow can be checked with the flag -$$\texttt{(1 - is\_kernel\_mode) - stack\_len * stack\_len\_bounds\_aux}.$$ -The flag is 1 if \texttt{stack\_len = 1025} and we're in user mode, and 0 otherwise. - -Because \texttt{stack\_len\_bounds\_aux} is a shared general column, we only check this constraint after an instruction that can actually trigger an overflow, -i.e. a pushing, non-popping instruction. - -\subsection{Gas handling} - -\subsubsection{Out of gas errors} - -The CPU table has a ``gas'' register that keeps track of the gas used by the transaction so far. - -The crucial invariant in our out-of-gas checking method is that at any point in the program's execution, we have not used more gas than we have available; that is ``gas'' is at most the gas allocation for the transaction (which is stored separately by the kernel). We assume that the gas allocation will never be $2^{32}$ or more, so if ``gas'' does not fit in one limb, then we've run out of gas. - -When a native instruction (one that is not a syscall) is executed, a constraint ensures that the ``gas'' register is increased by the correct amount. This is not automatic for syscalls; the syscall handler itself must calculate and charge the appropriate amount. - -If everything goes smoothly and we have not run out of gas, ``gas'' should be no more than the gas allowance at the point that we STOP, REVERT, stack overflow, or whatever. Indeed, because we assume that the gas overflow handler is invoked \textit{as soon as} we've run out of gas, all these termination methods verify that $\texttt{gas} \leq \texttt{allowance}$, and jump to \texttt{exc\_out\_of\_gas} if this is not the case. This is also true for the out-of-gas handler, which checks that: -\begin{enumerate} - \item we have not yet run out of gas - \item we are about to run out of gas -\end{enumerate} -and ``PANIC'' if either of those statements does not hold. - -When we do run out of gas, however, this event must be handled. Syscalls are responsible for checking that their execution would not cause the transaction to run out of gas. If the syscall detects that it would need to charge more gas than available, it aborts the transaction (or the current code) by jumping to \texttt{fault\_exception}. In fact, \texttt{fault\_exception} is in charge of handling all exceptional halts in the kernel. - -Native instructions do this differently. If the prover notices that execution of the instruction would cause an out-of-gas error, it must jump to the appropriate handler instead of executing the instruction. (The handler contains special code that PANICs if the prover invoked it incorrectly.) - -\subsubsection{Overflow} - -We must be careful to ensure that ``gas'' does not overflow to prevent denial of service attacks. - -Note that a syscall cannot be the instruction that causes an overflow. This is because every syscall is required to verify that its execution does not cause us to exceed the gas limit. Upon entry into a syscall, a constraint verifies that $\texttt{gas} < 2^{32}$. Some syscalls may have to be careful to ensure that the gas check is performed correctly (for example, that overflow modulo $2^{256}$ does not occur). So we can assume that upon entry and exit out of a syscall, $\texttt{gas} < 2^{32}$. - -Similarly, native instructions alone cannot cause wraparound. The most expensive instruction, JUMPI, costs 10 gas. Even if we were to execute $2^{32}$ consecutive JUMPI instructions, the maximum length of a trace, we are nowhere close to consuming $2^{64} - 2^{32} + 1$ (= Goldilocks prime) gas. - -The final scenario we must tackle is an expensive syscall followed by many expensive native instructions. Upon exit from a syscall, $\texttt{gas} < 2^{32}$. Again, even if that syscall is followed by $2^{32}$ native instructions of cost 10, we do not see wraparound modulo Goldilocks. - - -\subsection{Exceptions} -\label{exceptions} - -Sometimes, when executing user code (i.e. contract or transaction code), the EVM halts exceptionally (i.e. outside of a STOP, a RETURN or a REVERT). -When this happens, the CPU table invokes a special instruction with a dedicated operation flag \texttt{exception}. -Exceptions can only happen in user mode; triggering an exception in kernel mode would make the proof unverifiable. -No matter the exception, the handling is the same: - --- The opcode which would trigger the exception is not executed. The operation flag set is \texttt{exception} instead of the opcode's flag. - --- We push a value to the stack which contains: the current program counter (to retrieve the faulty opcode), and the current value of \texttt{gas\_used}. -The program counter is then set to the corresponding exception handler in the kernel (e.g. \texttt{exc\_out\_of\_gas}). - --- The exception handler verifies that the given exception would indeed be triggered by the faulty opcode. If this is not the case (if the exception has already happened or if it doesn't happen after executing -the faulty opcode), then the kernel panics: there was an issue during witness generation. - --- The kernel consumes the remaining gas and returns from the current context with \texttt{success} set to 0 to indicate an execution failure. - -Here is the list of the possible exceptions: - -\begin{enumerate}[align=left] - \item[\textbf{Out of gas:}] Raised when a native instruction (i.e. not a syscall) in user mode pushes the amount of gas used over the current gas limit. -When this happens, the EVM jumps to \texttt{exc\_out\_of\_gas}. The kernel then checks that the consumed gas is currently below the gas limit, -and that adding the gas cost of the faulty instruction pushes it over it. -If the exception is not raised, the prover will panic when returning from the execution: the remaining gas is checked to be positive after STOP, RETURN or REVERT. - \item[\textbf{Invalid opcode:}] Raised when the read opcode is invalid. It means either that it doesn't exist, or that it's a privileged instruction and -thus not available in user mode. When this happens, the EVM jumps to \texttt{exc\_invalid\_opcode}. The kernel then checks that the given opcode is indeed invalid. -If the exception is not raised, decoding constraints ensure no operation flag is set to 1, which would make it a padding row. Halting constraints would then make the proof -unverifiable. - \item[\textbf{Stack underflow:}] Raised when an instruction which pops from the stack is called when the stack doesn't have enough elements. -When this happens, the EVM jumps to \texttt{exc\_stack\_overflow}. The kernel then checks that the current stack length is smaller than the minimum -stack length required by the faulty opcode. -If the exception is not raised, the popping memory operation's address offset would underflow, and the Memory range check would require the Memory trace to be too -large ($>2^{32}$). - \item[\textbf{Invalid JUMP destination:}] Raised when the program counter jumps to an invalid location (i.e. not a JUMPDEST). When this happens, the EVM jumps to -\texttt{exc\_invalid\_jump\_destination}. The kernel then checks that the opcode is a JUMP, and that the destination is not a JUMPDEST by checking the -JUMPDEST segment. -If the exception is not raised, jumping constraints will fail the proof. - \item[\textbf{Invalid JUMPI destination:}] Same as the above, for JUMPI. - \item[\textbf{Stack overflow:}] Raised when a pushing instruction in user mode pushes the stack over 1024. When this happens, the EVM jumps -to \texttt{exc\_stack\_overflow}. The kernel then checks that the current stack length is exactly equal to 1024 (since an instruction can only -push once at most), and that the faulty instruction is pushing. -If the exception is not raised, stack constraints ensure that a stack length of 1025 in user mode will fail the proof. -\end{enumerate} diff --git a/evm/spec/framework.tex b/evm/spec/framework.tex deleted file mode 100644 index c20e46db67..0000000000 --- a/evm/spec/framework.tex +++ /dev/null @@ -1,159 +0,0 @@ -\section{STARK framework} -\label{framework} - - -\subsection{Cost model} - -Our zkEVM is designed for efficient verification by STARKs \cite{stark}, particularly by an AIR with degree 3 constraints. In this model, the prover bottleneck is typically constructing Merkle trees, particularly constructing the tree containing low-degree extensions of witness polynomials. - - -\subsection{Field selection} -\label{field} -Our zkEVM is designed to have its execution traces encoded in a particular prime field $\mathbb{F}_p$, with $p = 2^{64} - 2^{32} + 1$. A nice property of this field is that it can represent the results of many common \texttt{u32} operations. For example, (widening) \texttt{u32} multiplication has a maximum value of $(2^{32} - 1)^2$, which is less than $p$. In fact a \texttt{u32} multiply-add has a maximum value of $p - 1$, so the result can be represented with a single field element, although if we were to add a carry in bit, this no longer holds. - -This field also enables a very efficient reduction method. Observe that -$$ -2^{64} \equiv 2^{32} - 1 \pmod p -$$ -and consequently -\begin{align*} - 2^{96} &\equiv 2^{32} (2^{32} - 1) \pmod p \\ - &\equiv 2^{64} - 2^{32} \pmod p \\ - &\equiv -1 \pmod p. -\end{align*} -To reduce a 128-bit number $n$, we first rewrite $n$ as $n_0 + 2^{64} n_1 + 2^{96} n_2$, where $n_0$ is 64 bits and $n_1, n_2$ are 32 bits each. Then -\begin{align*} - n &\equiv n_0 + 2^{64} n_1 + 2^{96} n_2 \pmod p \\ - &\equiv n_0 + (2^{32} - 1) n_1 - n_2 \pmod p -\end{align*} -After computing $(2^{32} - 1) n_1$, which can be done with a shift and subtraction, we add the first two terms, subtracting $p$ if overflow occurs. We then subtract $n_2$, adding $p$ if underflow occurs. - -At this point we have reduced $n$ to a \texttt{u64}. This partial reduction is adequate for most purposes, but if we needed the result in canonical form, we would perform a final conditional subtraction. - -\subsection{Cross-table lookups} -\label{ctl} -The various STARK tables carry out independent operations, but on shared values. We need to check that the shared values are identical in all the STARKs that require them. This is where cross-table lookups (CTLs) come in handy. - -Suppose STARK $S_1$ requires an operation -- say $Op$ -- that is carried out by another STARK $S_2$. Then $S_1$ writes the input and output of $Op$ in its own table, and provides the inputs to $S_2$. $S_2$ also writes the inputs and outputs in its rows, and the table's constraints check that $Op$ is carried out correctly. We then need to ensure that the inputs and outputs are the same in $S_1$ and $S_2$. - -In other words, we need to ensure that the rows -- reduced to the input and output columns -- of $S_1$ calling $Op$ are permutations of the rows of $S_2$ that carry out $Op$. Our CTL protocol is based on logUp and is similar to our range-checks. - -To prove this, the first step is to only select the rows of interest in $S_1$ and $S_2$, and filter out the rest. Let $f^1$ be the filter for $S_1$ and $f^2$ the filter for $S_2$. $f^1$ and $f^2$ are constrained to be in $\{0, 1\}$. $f^1 = 1$ (resp. $f^2 = 1$) whenever the row at hand carries out $Op$ in $S_1$ (resp. in $S_2$), and 0 otherwise. Let also $(\alpha, \beta)$ be two random challenges. - -The idea is to create subtables $S_1'$ and $S_2'$ of $S_1$ and $S_2$ respectively, such that $f^1 = 1$ and $f^2 = 1$ for all their rows. The columns in the subtables are limited to the ones whose values must be identical (the inputs and outputs of $Op$ in our example). - -Note that for design and constraint reasons, filters are limited to (at most) degree 2 combinations of columns. - -Let $\{c^{1, i}\}_{i=1}^m$ be the columns in $S_1'$ an $\{c^{2,i}\}_{i=1}^m$ be the columns in $S_2'$. - -The prover defines a ``running sum'' $Z$ for $S_1'$ such that: -\begin{gather*} - Z^{S_1}_{n-1} = \frac{1}{\sum_{j=0}^{m-1} \alpha^j \cdot c^{1, j}_{n-1} + \beta} \\ - Z^{S_1}_{i+1} = Z^{S_1}_i + f^1_i \cdot \frac{1}{\sum_{j=0}^{m-1} \alpha^j \cdot c^{1, j}_i + \beta} -\end{gather*} -The second equation ``selects'' the terms of interest thanks to $f^1$ and filters out the rest. - -Similarly, the prover constructs a running sum $Z^{S_2}$for $S_2$. Note that $Z$ is computed ``upside down'': we start with $Z_{n-1}$ and the final sum is in $Z_0$. - -On top of the constraints to check that the running sums were correctly constructed, the verifier checks that $Z^{S_1}_0 = Z^{S_2}_0$. -This ensures that the columns in $S_1'$ and the columns in $S_2'$ are permutations of each other. - -In other words, the CTL argument is a logUp lookup argument where $S_1'$ is the looking table, $S_2'$ is the looked table, and $S_1' = S_2'$ (all the multiplicities are 1). -For more details about logUp, see the next section. - -To sum up, for each STARK $S$, the prover: -\begin{enumerate} - \item constructs a running sum $Z_i^l$ for each table looking into $S$ (called looking sums here), - \item constructs a running sum $Z^S$ for $S$ (called looked sum here), - \item sends the final value for each running sum $Z_{i, 0}^l$ and $Z^S_0$ to the verifier, - \item sends a commitment to $Z_i^l$ and $Z^S$ to the verifier. -\end{enumerate} -Then, for each STARK $S$, the verifier: -\begin{enumerate} - \item computes the sum $Z = \sum_i Z_{i, 0}^l$, - \item checks that $Z = Z^S_0$, - \item checks that each $Z_i^l$ and $Z^S$ was correctly constructed. -\end{enumerate} - - -\subsection{Range-checks} -\label{rc} -In most cases, tables deal with U256 words, split into 32-bit limbs (to avoid overflowing the field). To prevent a malicious prover from cheating, it is crucial to range-check those limbs. -\subsubsection{What to range-check?} -One can note that every element that ever appears on the stack has been pushed. Therefore, enforcing a range-check on pushed elements is enough to range-check all elements on the stack. Similarly, all elements in memory must have been written prior, and therefore it is enough to range-check memory writes. However, range-checking the PUSH and MSTORE opcodes is not sufficient. -\begin{enumerate} - \item Pushes and memory writes for ``MSTORE\_32BYTES'' are range-checked in ``BytePackingStark''. - \item Syscalls, exceptions and prover inputs are range-checked in ``ArithmeticStark''. - \item The inputs and outputs of binary and ternary arithmetic operations are range-checked in ``ArithmeticStark''. - \item The inputs' bits of logic operations are checked to be either 1 or 0 in ``LogicStark''. Since ``LogicStark'' only deals with bitwise operations, this is enough to have range-checked outputs as well. - \item The inputs of Keccak operations are range-checked in ``KeccakStark''. The output digest is written as bytes in ``KeccakStark''. Those bytes are used to reconstruct the associated 32-bit limbs checked against the limbs in ``CpuStark''. This implicitly ensures that the output is range-checked. -\end{enumerate} -Note that some operations do not require a range-check: -\begin{enumerate} - \item ``MSTORE\_GENERAL'' read the value to write from the stack. Thus, the written value was already range-checked by a previous push. - \item ``EQ'' reads two -- already range-checked -- elements on the stack, and checks they are equal. The output is either 0 or 1, and does therefore not need to be checked. - \item ``NOT'' reads one -- already range-checked -- element. The result is constrained to be equal to $\texttt{0xFFFFFFFF} - \texttt{input}$, which implicitly enforces the range check. - \item ``PC'': the program counter cannot be greater than $2^{32}$ in user mode. Indeed, the user code cannot be longer than $2^{32}$, and jumps are constrained to be JUMPDESTs. Moreover, in kernel mode, every jump is towards a location within the kernel, and the kernel code is smaller than $2^{32}$. These two points implicitly enforce $PC$'s range check. - \item ``GET\_CONTEXT'', ``DUP'' and ``SWAP'' all read and push values that were already written in memory. The pushed values were therefore already range-checked. -\end{enumerate} -Range-checks are performed on the range $[0, 2^{16} - 1]$, to limit the trace length. - -\subsubsection{Lookup Argument} -To enforce the range-checks, we leverage \href{https://eprint.iacr.org/2022/1530.pdf}{logUp}, a lookup argument by Ulrich Häbock. Given a looking table $s = (s_1, ..., s_n)$ and a looked table $t = (t_1, ..., t_m)$, the goal is to prove that -$$\forall 1 \leq i \leq n, \exists 1 \leq j \leq r \texttt{ such that } s_i = t_j$$ -In our case, $t = (0, .., 2^{16} - 1)$ and $s$ is composed of all the columns in each STARK that must be range-checked. - -The logUp paper explains that proving the previous assertion is actually equivalent to proving that there exists a sequence $l$ such that: -$$ \sum_{i=1}^n \frac{1}{X - s_i} = \sum_{j=1}^r \frac{l_j}{X-t_j}$$ - -The values of $s$ can be stored in $c$ different columns of length $n$ each. In that case, the equality becomes: -$$\sum_{k=1}^c \sum_{i=1}^n \frac{1}{X - s_i^k} = \sum_{j=1}^r \frac{l_j}{X-t_j}$$ - -The `multiplicity' $m_i$ of value $t_i$ is defined as the number of times $t_i$ appears in $s$. In other words: -$$m_i = |s_j \in s; s_j = t_i|$$ - -Multiplicities provide a valid sequence of values in the previously stated equation. Thus, if we store the multiplicities, and are provided with a challenge $\alpha$, we can prove the lookup argument by ensuring: -$$\sum_{k=1}^c \sum_{i=1}^n \frac{1}{\alpha - s_i^k} = \sum_{j=1}^r \frac{m_j}{\alpha-t_j}$$ -However, the equation is too high degree. To circumvent this issue, Häbock suggests providing helper columns $h_i$ and $d$ such that at a given row $i$: -\begin{gather*} - h_i^k = \frac{1}{\alpha + s_i^k } \forall 1 \leq k \leq c \\ - d_i = \frac{1}{\alpha + t_i} -\end{gather*} - -The $h$ helper columns can be batched together to save columns. We can batch at most $\texttt{constraint\_degree} - 1$ helper functions together. In our case, we batch them 2 by 2. At row $i$, we now have: -\begin{align*} - h_i^k = \frac{1}{\alpha + s_i^{2k}} + \frac{1}{\alpha + s_i^{2k+1}} \forall 1 \leq k \leq c/2 \\ -\end{align*} -If $c$ is odd, then we have one extra helper column: -$$h_i^{c/2+1} = \frac{1}{\alpha + s_i^{c}}$$ - -For clarity, we will assume that $c$ is even in what follows. - -Let $g$ be a generator of a subgroup of order $n$. We extrapolate $h, m$ and $d$ to get polynomials such that, for $f \in \{h^k, m, g\}$: $f(g^i) = f_i$. -We can define the following polynomial: -$$ Z(x) := \sum_{i=1}^n \big[\sum_{k=1}^{c/2} h^k(x) - m(x) * d(x)\big]$$ - - -\subsubsection{Constraints} -With these definitions and a challenge $\alpha$, we can finally check that the assertion holds with the following constraints: -\begin{gather*} - Z(1) = 0 \\ - Z(g \alpha) = Z(\alpha) + \sum_{k=1}^{c/2} h^k(\alpha) - m(\alpha) d(\alpha) -\end{gather*} -These ensure that -We also need to ensure that $h^k$ is well constructed for all $1 \leq k \leq c/2$: -$$ - h(\alpha)^k \cdot (\alpha + s_{2k}) \cdot (\alpha + s_{2k+1}) = (\alpha + s_{2k}) + (\alpha + s_{2k+1}) -$$ - -Note: if $c$ is odd, we have one unbatched helper column $h^{c/2+1}$ for which we need a last constraint: -$$ - h(\alpha)^{c/2+1} \cdot (\alpha + s_{c}) = 1 -$$ - -Finally, the verifier needs to ensure that the table $t$ was also correctly computed. In each STARK, $t$ is computed starting from 0 and adding at most 1 at each row. This construction is constrained as follows: -\begin{enumerate} - \item $t(1) = 0$ - \item $(t(g^{i+1}) - t(g^{i})) \cdot ((t(g^{i+1}) - t(g^{i})) - 1) = 0$ - \item $t(g^{n-1}) = 2^{16} - 1$ -\end{enumerate} diff --git a/evm/spec/introduction.tex b/evm/spec/introduction.tex deleted file mode 100644 index cb969a168d..0000000000 --- a/evm/spec/introduction.tex +++ /dev/null @@ -1,3 +0,0 @@ -\section{Introduction} - -TODO diff --git a/evm/spec/mpts.tex b/evm/spec/mpts.tex deleted file mode 100644 index 3f6733a535..0000000000 --- a/evm/spec/mpts.tex +++ /dev/null @@ -1,94 +0,0 @@ -\section{Merkle Patricia Tries} -\label{tries} -The \emph{EVM World state} is a representation of the different accounts at a particular time, as well as the last processed transactions together with their receipts. The world state is represented using \emph{Merkle Patricia Tries} (MPTs) \cite[App.~D]{yellowpaper}, and there are three different tries: the state trie, the transaction trie and the receipt trie. - -For each transaction we need to show that the prover knows preimages of the hashed initial and final EVM states. When the kernel starts execution, it stores these three tries within the {\tt Segment::TrieData} segment. The prover loads the initial tries from the inputs into memory. Subsequently, the tries are modified during transaction execution, inserting new nodes or deleting existing nodes. - -An MPT is composed of five different nodes: branch, extension, leaf, empty and digest nodes. Branch and leaf nodes might contain a payload whose format depends on the particular trie. The nodes are encoded, primarily using RLP encoding and Hex-prefix encoding (see \cite{yellowpaper} App. B and C, respectively). The resulting encoding is then hashed, following a strategy similar to that of normal Merkle trees, to generate the trie hashes. - -Insertion and deletion is performed in the same way as other MPTs implementations. The only difference is for inserting extension nodes where we create a new node with the new data, instead of modifying the existing one. In the rest of this section we describe how the MPTs are represented in memory, how they are given as input, and how MPTs are hashed. - -\subsection{Internal memory format} - -The tries are stored in kernel memory, specifically in the {\tt Segment:TrieData} segment. Each node type is stored as -\begin{enumerate} - \item An empty node is encoded as $(\texttt{MPT\_NODE\_EMPTY})$. - \item A branch node is encoded as $(\texttt{MPT\_NODE\_BRANCH}, c_1, \dots, c_{16}, v)$, where each $c_i$ is a pointer to a child node, and $v$ is a pointer to a value. If a branch node has no associated value, then $v = 0$, i.e. the null pointer. - \item An extension node is encoded as $(\texttt{MPT\_NODE\_EXTENSION}, k, c)$, $k$ represents the part of the key associated with this extension, and is encoded as a 2-tuple $(\texttt{packed\_nibbles}, \texttt{num\_nibbles})$. $c$ is a pointer to a child node. - \item A leaf node is encoded as $(\texttt{MPT\_NODE\_LEAF}, k, v)$, where $k$ is a 2-tuple as above, and $v$ is a pointer to a value. - \item A digest node is encoded as $(\texttt{MPT\_NODE\_HASH}, d)$, where $d$ is a Keccak256 digest. -\end{enumerate} - -On the other hand the values or payloads are represented differently depending on the particular trie. - -\subsubsection{State trie} -The state trie payload contains the account data. Each account is stored in 4 contiguous memory addresses containing -\begin{enumerate} - \item the nonce, - \item the balance, - \item a pointer to the account's storage trie, - \item a hash of the account's code. -\end{enumerate} -The storage trie payload in turn is a single word. - -\subsubsection{Transaction Trie} -The transaction trie nodes contain the length of the RLP encoded transaction, followed by the bytes of the RLP encoding of the transaction. - -\subsubsection{Receipt Trie} -The payload of the receipts trie is a receipt. Each receipt is stored as -\begin{enumerate} - \item the length in words of the payload, - \item the status, - \item the cumulative gas used, - \item the bloom filter, stored as 256 words. - \item the number of topics, - \item the topics - \item the data length, - \item the data. -\end{enumerate} - - -\subsection{Prover input format} - -The initial state of each trie is given by the prover as a nondeterministic input tape. This tape has a slightly different format: -\begin{enumerate} - \item An empty node is encoded as $(\texttt{MPT\_NODE\_EMPTY})$. - \item A branch node is encoded as $(\texttt{MPT\_NODE\_BRANCH}, v_?, c_1, \dots, c_{16})$. Here $v_?$ consists of a flag indicating whether a value is present, followed by the actual value payload if one is present. Each $c_i$ is the encoding of a child node. - \item An extension node is encoded as $(\texttt{MPT\_NODE\_EXTENSION}, k, c)$, where $k$ represents the part of the key associated with this extension, and is encoded as a 2-tuple $(\texttt{packed\_nibbles}, \texttt{num\_nibbles})$. $c$ is a pointer to a child node. - \item A leaf node is encoded as $(\texttt{MPT\_NODE\_LEAF}, k, v)$, where $k$ is a 2-tuple as above, and $v$ is a value payload. - \item A digest node is encoded as $(\texttt{MPT\_NODE\_HASH}, d)$, where $d$ is a Keccak256 digest. -\end{enumerate} -Nodes are thus given in depth-first order, enabling natural recursive methods for encoding and decoding this format. -The payload of state and receipt tries is given in the natural sequential way. The transaction an receipt payloads contain variable size data, thus the input is slightly different. The prover input for for the transactions is the transaction RLP encoding preceded by its length. For the receipts is in the natural sequential way, except that topics and data are preceded by their lengths, respectively. - -\subsection{Encoding and Hashing} - -Encoding is done recursively starting from the trie root. Leaf, branch and extension nodes are encoded as the RLP encoding of list containing the hex prefix encoding of the node key as well as - -\begin{description} - \item[Leaf Node:] the encoding of the the payload, - \item[Branch Node:] the hash or encoding of the 16 children and the encoding of the payload, - \item[Extension Node:] the hash or encoding of the child and the encoding of the payload. -\end{description} -For the rest of the nodes we have: -\begin{description} - \item[Empty Node:] the encoding of an empty node is {\tt 0x80}, - \item[Digest Node:] the encoding of a digest node stored as $({\tt MPT\_HASH\_NODE}, d)$ is $d$. -\end{description} - -The payloads in turn are RLP encoded as follows -\begin{description} - \item[State Trie:] Encoded as a list containing nonce, balance, storage trie hash and code hash. - \item[Storage Trie:] The RLP encoding of the value (thus the double RLP encoding) - \item[Transaction Trie:] The RLP encoded transaction. - \item[Receipt Trie:] Depending on the transaction type it's encoded as ${\sf RLP}({\sf RLP}({\tt receipt}))$ for Legacy transactions or ${\sf RLP}({\tt txn\_type}||{\sf RLP}({\tt receipt}))$ for transactions of type 1 or 2. Each receipt is encoded as a list containing: - \begin{enumerate} - \item the status, - \item the cumulative gas used, - \item the bloom filter, stored as a list of length 256. - \item the list of topics - \item the data string. - \end{enumerate} -\end{description} - -Once a node is encoded it is written to the {\tt Segment::RlpRaw} segment as a sequence of bytes. Then the RLP encoded data is hashed if the length of the data is more than 32 bytes. Otherwise we return the encoding. Further details can be found in the \href{https://github.com/0xPolygonZero/plonky2/tree/main/evm/src/cpu/mpt/hash}{mpt hash folder}. \ No newline at end of file diff --git a/evm/spec/tables.tex b/evm/spec/tables.tex deleted file mode 100644 index 43b45eb584..0000000000 --- a/evm/spec/tables.tex +++ /dev/null @@ -1,10 +0,0 @@ -\section{Tables} -\label{tables} - -\input{tables/cpu} -\input{tables/arithmetic} -\input{tables/byte-packing} -\input{tables/logic} -\input{tables/memory} -\input{tables/keccak-f} -\input{tables/keccak-sponge} diff --git a/evm/spec/tables/arithmetic.tex b/evm/spec/tables/arithmetic.tex deleted file mode 100644 index 19be4638f6..0000000000 --- a/evm/spec/tables/arithmetic.tex +++ /dev/null @@ -1,54 +0,0 @@ -\subsection{Arithmetic} -\label{arithmetic} - -Each row of the arithmetic table corresponds to a binary or ternary arithmetic operation. Each of these operations has an associated flag $f_{op}$ in the table, such that $f_{\texttt{op}} = 1$ whenever the operation is $\texttt{op}$ and 0 otherwise. The full list of operations carried out by the table is as follows: -\paragraph*{Binary operations:} \begin{itemize} - \item basic operations: ``add'', ``mul'', ``sub'' and ``div'', - \item comparisons: ``lt'' and ``gt'', - \item shifts: ``shr'' and ``shl'', - \item ``byte'': given $x_1, x_2$, returns the $x_1$-th ``byte'' in $x_2$, - \item modular operations: ``mod'', ``AddFp254'', ``MulFp254'' and ``SubFp254'', - \item range-check: no operation is performed, as this is only used to range-check the input and output limbs in the range [$0, 2^{16} - 1$]. - \end{itemize} -For `mod', the second input is the modulus. ``AddFp254'', ``MulFp254'' and ``SubFp254'' are modular operations modulo ``Fp254'` -- the prime for the BN curve's base field. - -\paragraph*{Ternary operations:} There are three ternary operations: modular addition ``AddMod'', modular multiplication ``MulMod'' and modular subtraction ``SubMod''. - -Besides the flags, the arithmetic table needs to store the inputs, output and some auxiliary values necessary to constraints. The input and output values are range-checked to ensure their canonical representation. Inputs are 256-bits words. To avoid having too large a range-check, inputs are therefore split into sixteen 16-bits limbs, and range-checked in the range $[0, 2^{16}-1]$. - -Overall, the table comprises the following columns: -\begin{itemize} - \item 17 columns for the operation flags $f_{op}$, - \item 1 column $op$ containing the opcode, - \item 16 columns for the 16-bit limbs $x_{0, i}$ of the first input $x_{0}$, - \item 16 columns for the 16-bit limbs $x_{1, i}$ of the second input $x_{1}$, - \item 16 columns for the 16-bit limbs $x_{2, i}$ of the third input $x_{2}$, - \item 16 columns for the 16-bit limbs $r_i$ of the output $r$, - \item 32 columns for auxiliary values $\texttt{aux}_i$, - \item 1 column $\texttt{range\_counter}$ containing values in the range [$0, 2^{16}-1$], for the range-check, - \item 1 column storing the frequency of appearance of each value in the range $[0, 2^{16} - 1]$. -\end{itemize} - -\paragraph{Note on $op$:} The opcode column is only used for range-checks. For optimization purposes, we check all arithmetic operations against the cpu table together. To ensure correctness, we also check that the operation's opcode corresponds to its behavior. But range-check is not associated to a unique operation: any operation in the cpu table might require its values to be checked. Thus, the arithmetic table cannot know its opcode in advance: it needs to store the value provided by the cpu table. - -\subsubsection{Auxiliary columns} -The way auxiliary values are leveraged to efficiently check correctness is not trivial, but it is explained in detail in each dedicated file. Overall, five files explain the implementations of the various checks. Refer to: -\begin{enumerate} - \item ``mul.rs'' for details on multiplications. - \item ``addcy.rs'' for details on addition, subtraction, ``lt'' and ``gt''. - \item ``modular.rs'' for details on how modular operations are checked. Note that even though ``div'' and ``mod'' are generated and checked in a separate file, they leverage the logic for modular operations described in ``modular.rs''. - \item ``byte'' for details on how ``byte'' is checked. - \item ``shift.rs'' for details on how shifts are checked. -\end{enumerate} - -\paragraph*{Note on ``lt'' and ``gt'':} For ``lt'' and ``gt'', auxiliary columns hold the difference $d$ between the two inputs $x_1, x_2$. We can then treat them similarly to subtractions by ensuring that $x_1 - x_2 = d$ for ``lt'' and $x_2 - x_1 = d$ for ``gt''. An auxiliary column $cy$ is used for the carry in additions and subtractions. In the comparisons case, it holds the overflow flag. Contrary to subtractions, the output of ``lt'' and ``gt'' operations is not $d$ but $cy$. - -\paragraph*{Note on ``div'':} It might be unclear why ``div'' and ``mod'' are dealt with in the same file. - -Given numerator and denominator $n, d$, we compute, like for other modular operations, the quotient $q$ and remainder $\texttt{rem}$: -$$div(x_1, x_2) = q * x_2 + \texttt{rem}$$. -We then set the associated auxiliary columns to $\texttt{rem}$ and the output to $q$. - -This is why ``div'' is essentially a modulo operation, and can be addressed in almost the same way as ``mod''. The only difference is that in the ``mod'' case, the output is $\texttt{rem}$ and the auxiliary value is $q$. - -\paragraph{Note on shifts:} ``shr'' and ``shl'' are internally constrained as ``div'' and ``mul'' respectively with shifted operands. Indeed, given inputs $s, x$, the output should be $x >> s$ for ``shr'' (resp. $x << s$ for ``shl''). Since shifts are binary operations, we can use the third input columns to store $s_{\texttt{shifted}} = 1 << s$. Then, we can use the ``div'' logic (resp. ``mul'' logic) to ensure that the output is $\frac{x}{s_{\texttt{shifted}}}$ (resp. $x * s_{\texttt{shifted}}$). \ No newline at end of file diff --git a/evm/spec/tables/byte-packing.tex b/evm/spec/tables/byte-packing.tex deleted file mode 100644 index 6305b7226b..0000000000 --- a/evm/spec/tables/byte-packing.tex +++ /dev/null @@ -1,59 +0,0 @@ -\subsection{Byte Packing} -\label{byte-packing} - -The BytePacking STARK module is used for reading and writing non-empty byte sequences of length at most 32 to memory. -The "packing" term highlights that reading a sequence in memory will pack the bytes into an EVM word (i.e. U256), while -the "unpacking" operation consists in breaking down an EVM word into its byte sequence and writing it to memory. - -This allows faster memory copies between two memory locations, as well as faster memory reset -(see \href{https://github.com/0xPolygonZero/plonky2/blob/main/evm/src/cpu/kernel/asm/memory/memcpy.asm}{memcpy.asm} and -\href{https://github.com/0xPolygonZero/plonky2/blob/main/evm/src/cpu/kernel/asm/memory/memset.asm}{memset.asm} modules). - -The `BytePackingStark' table has one row per packing/unpacking operation. - -Each row contains the following columns: -\begin{enumerate} - \item 5 columns containing information on the initial memory address from which the sequence starts - (namely a flag differentiating read and write operations, address context, segment and offset values, as well as timestamp), - \item 32 columns $b_i$ indicating the length of the byte sequence ($b_i = 1$ if the length is $i+1$, and $b_i = 0$ otherwise), - \item 32 columns $v_i$ indicating the values of the bytes that have been read or written during a sequence, - \item 2 columns $r_i$ needed for range-checking the byte values. -\end{enumerate} - -\paragraph{Notes on columns generation:} -Whenever a byte unpacking operation is called, the value $\texttt{val}$ is read from the stack, but because the EVM and the STARKs use different endianness, we need to convert $\texttt{val}$ to a little-endian byte sequence. Only then do we resize it to the appropriate length, and prune extra zeros and higher bytes in the process. Finally, we reverse the byte order and write this new sequence into the $v_i$ columns of the table. - -Whenever the operation is a byte packing, the bytes are read one by one from memory and stored in the $v_i$ columns of the BytePackingStark table. - -Note that because of the different endianness on the memory and EVM sides, we write bytes starting with the last one. - -The $b_i$ columns hold a boolean value. $b_i = 1$ whenever we are currently reading or writing the i-th element in the byte sequence. $b_i = 0$ otherwise. - -\paragraph{Cross-table lookups:} -The read or written bytes need to be checked against both the cpu and the memory tables. Whenever we call $\texttt{MSTORE\_32BYTES}$, $\texttt{MLOAD\_32BYTES}$ or $\texttt{PUSH}$ on the cpu side, we make use of `BytePackingStark' to make sure we are carrying out the correct operation on the correct values. For this, we check that the following values correspond: -\begin{enumerate} - \item the address (comprising the context, the segment, and the virtual address), - \item the length of the byte sequence, - \item the timestamp, - \item the value (either written to or read from the stack) -\end{enumerate} - -The address here corresponds to the address of the first byte. - -On the other hand, we need to make sure that the read and write operations correspond to the values read or stored on the memory side. We therefore need a CTL for each byte, checking that the following values are identical in `MemoryStark' and `BytePackingStark': -\begin{enumerate} - \item a flag indicating whether the operation is a read or a write, - \item the address (context, segment and virtual address), - \item the byte (followed by 0s to make sure the memory address contains a byte and not a U256 word), - \item the timestamp -\end{enumerate} - -Note that the virtual address has to be recomputed based on the length of the sequence of bytes. The virtual address for the $i$-th byte is written as: -$$ \texttt{virt} + \sum_{j=0}^{31} b_j * j - i$$ -where $\sum_{j=0}^{31} b_j * j$ is equal to $\texttt{sequence\_length} - 1$. - -\paragraph*{Note on range-check:} Range-checking is necessary whenever we do a memory unpacking operation that will -write values to memory. These values are constrained by the range-check to be 8-bit values, i.e. fitting between 0 and 255 included. -While range-checking values read from memory is not necessary, because we use the same $\texttt{byte\_values}$ columns for both read -and write operations, this extra condition is enforced throughout the whole trace regardless of the operation type. - diff --git a/evm/spec/tables/cpu.tex b/evm/spec/tables/cpu.tex deleted file mode 100644 index 7bca5a9f5e..0000000000 --- a/evm/spec/tables/cpu.tex +++ /dev/null @@ -1,73 +0,0 @@ -\subsection{CPU} -\label{cpu} - -The CPU is the central component of the zkEVM. Like any CPU, it reads instructions, executes them and modifies the state (registers and the memory) -accordingly. The constraining of some complex instructions (e.g. Keccak hashing) is delegated to other tables. -This section will only briefly present the CPU and its columns. Details about the CPU logic will be provided later. - -\subsubsection{CPU flow} - -An execution run can be decomposed into two distinct parts: -\begin{itemize} - \item \textbf{CPU cycles:} The bulk of the execution. In each row, the CPU reads the current code at the program counter (PC) address, and executes it. The current code can be the kernel code, -or whichever code is being executed in the current context (transaction code or contract code). Executing an instruction consists in modifying the registers, possibly -performing some memory operations, and updating the PC. - \item \textbf{Padding:} At the end of the execution, we need to pad the length of the CPU trace to the next power of two. When the program counter reaches the special halting label -in the kernel, execution halts. Constraints ensure that every subsequent row is a padding row and that execution cannot resume. -\end{itemize} - -In the CPU cycles phase, the CPU can switch between different contexts, which correspond to the different environments of the possible calls. Context 0 is the kernel itself, which -handles initialization (input processing, transaction parsing, transaction trie updating...) and termination (receipt creation, final trie checks...) before and after executing the transaction. Subsequent contexts are created when -executing user code (transaction or contract code). In a non-zero user context, syscalls may be executed, which are specific instructions written in the kernel. They don't change the context -but change the code context, which is where the instructions are read from. - -\subsubsection{CPU columns} - -\paragraph*{Registers:} \begin{itemize} - \item \texttt{context}: Indicates which context we are in. 0 for the kernel, and a positive integer for every user context. Incremented by 1 at every call. - \item \texttt{code\_context}: Indicates in which context the code to execute resides. It's equal to \texttt{context} in user mode, but is always 0 in kernel mode. - \item \texttt{program\_counter}: The address of the instruction to be read and executed. - \item \texttt{stack\_len}: The current length of the stack. - \item \texttt{is\_kernel\_mode}: Boolean indicating whether we are in kernel (i.e. privileged) mode. This means we are executing kernel code, and we have access to -privileged instructions. - \item \texttt{gas}: The current amount of gas used in the current context. It is eventually checked to be below the current gas limit. Must fit in 32 bits. - \item \texttt{clock}: Monotonic counter which starts at 0 and is incremented by 1 at each row. Used to enforce correct ordering of memory accesses. - \item \texttt{opcode\_bits}: 8 boolean columns, which are the bit decomposition of the opcode being read at the current PC. -\end{itemize} - -\paragraph*{Operation flags:} Boolean flags. During CPU cycles phase, each row executes a single instruction, which sets one and only one operation flag. No flag is set during -padding. The decoding constraints ensure that the flag set corresponds to the opcode being read. -There isn't a 1-to-1 correspondance between instructions and flags. For efficiency, the same flag can be set by different, unrelated instructions (e.g. \texttt{eq\_iszero}, which represents -the \texttt{EQ} and the \texttt{ISZERO} instructions). When there is a need to differentiate them in constraints, we filter them with their respective opcode: since the first bit of \texttt{EQ}'s opcode -(resp. \texttt{ISZERO}'s opcode) is 0 (resp. 1), we can filter a constraint for an EQ instruction with \texttt{eq\_iszero * (1 - opcode\_bits[0])} -(resp. \texttt{eq\_iszero * opcode\_bits[0]}). - -\paragraph*{Memory columns:} The CPU interacts with the EVM memory via its memory channels. At each row, a memory channel can execute a write, a read, or be disabled. A full memory channel is composed of: -\begin{itemize} - \item \texttt{used}: Boolean flag. If it's set to 1, a memory operation is executed in this channel at this row. If it's set to 0, no operation is done but its columns might be reused for other purposes. - \item \texttt{is\_read}: Boolean flag indicating if a memory operation is a read or a write. - \item 3 \texttt{address} columns. A memory address is made of three parts: \texttt{context}, \texttt{segment} and \texttt{virtual}. - \item 8 \texttt{value} columns. EVM words are 256 bits long, and they are broken down in 8 32-bit limbs. -\end{itemize} -The last memory channel is a partial channel: it doesn't have its own \texttt{value} columns and shares them with the first full memory channel. This allows us to save eight columns. - -\paragraph*{General columns:} There are 8 shared general columns. Depending on the instruction, they are used differently: -\begin{itemize} - \item \texttt{Exceptions}: When raising an exception, the first three general columns are the bit decomposition of the exception code. -They are used to jump to the correct exception handler. - \item \texttt{Logic}: For EQ, and ISZERO operations, it's easy to check that the result is 1 if \texttt{input0} and \texttt{input1} are equal. It's more difficult -to prove that, if the result is 0, the inputs are actually unequal. To prove it, each general column contains the modular inverse of $(\texttt{input0}_i - \texttt{input1}_i)$ -for each limb $i$ (or 0 if the limbs are equal). Then the quantity $\texttt{general}_i * (\texttt{input0}_i - \texttt{input1}_i)$ will be 1 if and only if $\texttt{general}_i$ is -indeed the modular inverse, which is only possible if the difference is non-zero. - \item \texttt{Jumps}: For jumps, we use the first two columns: \texttt{should\_jump} and \texttt{cond\_sum\_pinv}. \texttt{should\_jump} conditions whether the EVM should jump: it's -1 for a JUMP, and $\texttt{condition} \neq 0$ for a JUMPI. To check if the condition is actually non-zero for a JUMPI, \texttt{cond\_sum\_pinv} stores the modular inverse of -\texttt{condition} (or 0 if it's zero). - \item \texttt{Shift}: For shifts, the logic differs depending on whether the displacement is lower than $2^{32}$, i.e. if it fits in a single value limb. -To check if this is not the case, we must check that at least one of the seven high limbs is not zero. The general column \texttt{high\_limb\_sum\_inv} holds the modular inverse -of the sum of the seven high limbs, and is used to check it's non-zero like the previous cases. -Contrary to the logic operations, we do not need to check limbs individually: each limb has been range-checked to 32 bits, meaning that it's not possible for the sum to -overflow and be zero if some of the limbs are non-zero. - \item \texttt{Stack}: \texttt{stack\_inv}, \texttt{stack\_inv\_aux} and \texttt{stack\_inv\_aux\_2} are used by popping-only (resp. pushing-only) instructions to check if the stack is empty after (resp. was empty -before) the instruction. \texttt{stack\_len\_bounds\_ aux} is used to check that the stack doesn't overflow in user mode. We use the last four columns to prevent conflicts with the other general columns. -See \ref{stackhandling} for more details. -\end{itemize} diff --git a/evm/spec/tables/keccak-f.tex b/evm/spec/tables/keccak-f.tex deleted file mode 100644 index 7eee4b53fc..0000000000 --- a/evm/spec/tables/keccak-f.tex +++ /dev/null @@ -1,65 +0,0 @@ -\subsection{Keccak-f} -\label{keccak-f} - -This table computes the Keccak-f[1600] permutation. - -\subsubsection{Keccak-f Permutation} -To explain how this table is structured, we first need to detail how the permutation is computed. \href{https://keccak.team/keccak_specs_summary.html}{This page} gives a pseudo-code for the permutation. Our implementation differs slightly -- but remains equivalent -- for optimization and constraint degree reasons. - -Let: -\begin{itemize} - \item $S$ be the sponge width ($S=25$ in our case) - \item $\texttt{NUM\_ROUNDS}$ be the number of Keccak rounds ($\texttt{NUM\_ROUNDS} = 24$) - \item $RC$ a vector of round constants of size $\texttt{NUM\_ROUNDS}$ - \item $I$ be the input of the permutation, comprised of $S$ 64-bit elements -\end{itemize} - -The first step is to reshape $I$ into a $5 \times 5$ matrix. We initialize the state $A$ of the sponge with $I$: $$A[x, y] := I[x, y] \text{ } \forall x, y \in \{0..4\}$$ - -We store $A$ in the table, and subdivide each 64-bit element into two 32-bit limbs. -Then, for each round $i$, we proceed as follows: -\begin{enumerate} - \item First, we define $C[x] := \texttt{xor}_{i=0}^4 A[x, i]$. We store $C$ as bits in the table. This is because we need to apply a rotation on its elements' bits and carry out \texttt{ xor } operations in the next step. - \item Then, we store a second vector $C'$ in bits, such that: $$C'[x, z] = C[x, z] \texttt{ xor } C[x-1, z] \texttt{ xor } C[x+1, z-1]$$. - \item We then need to store the updated value of $A$: $$A'[x, y] = A[x, y] \texttt{ xor } C[x, y] \texttt{ xor } C'[x, y]$$ Note that this is equivalent to the equation in the official Keccak-f description: $$A'[x, y] = A[x, y] \texttt{ xor } C[x-1, z] \texttt{ xor } C[x+1, z-1]$$. - \item The previous three points correspond to the $\theta$ step in Keccak-f. We can now move on to the $\rho$ and $\pi$ steps. These steps are written as: $$B[y, 2\times x + 3 \times y] := \texttt{rot}(A'[x, y], r[x, y])$$ where $\texttt{rot(a, s)}$ is the bitwise cyclic shift operation, and $r$ is the matrix of rotation offsets. We do not need to store $B$: $B$'s bits are only a permutation of $A'$'s bits. - \item The $\chi$ step updates the state once again, and we store the new values: $$A''[x, y] := B[x, y] \texttt{ xor } (\texttt{not }B[x+1, y] \texttt{ and } B[x+2, y])$$ Because of the way we carry out constraints (as explained below), we do not need to store the individual bits for $A''$: we only need the 32-bit limbs. - \item The final step, $\iota$, consists in updating the first element of the state as follows: $$A'''[0, 0] = A''[0, 0] \texttt{ xor } RC[i]$$ where $$A'''[x, y] = A''[x, y] \forall (x, y) \neq (0, 0)$$ Since only the first element is updated, we only need to store $A'''[0, 0]$ of this updated state. The remaining elements are fetched from $A''$. However, because of the bitwise $\texttt{xor}$ operation, we do need columns for the bits of $A''[0, 0]$. -\end{enumerate} - -Note that all permutation elements are 64-bit long. But they are stored as 32-bit limbs so that we do not overflow the field. - -It is also important to note that all bitwise logic operations ($\texttt{ xor }$, $\texttt{ not }$ and $\texttt{ and}$) are checked in this table. This is why we need to store the bits of most elements. The logic table can only carry out eight 32-bit logic operations per row. Thus, leveraging it here would drastically increase the number of logic rows, and incur too much overhead in proving time. - - - -\subsubsection{Columns} -Using the notations from the previous section, we can now list the columns in the table: -\begin{enumerate} - \item $\texttt{NUM\_ROUND}S = 24$ columns $c_i$ to determine which round is currently being computed. $c_i = 1$ when we are in the $i$-th round, and 0 otherwise. These columns' purpose is to ensure that the correct round constants are used at each round. - \item $1$ column $t$ which stores the timestamp at which the Keccak operation was called in the cpu. This column enables us to ensure that inputs and outputs are consistent between the cpu, keccak-sponge and keccak-f tables. - \item $5 \times 5 \times 2 = 50 $columns to store the elements of $A$. As a reminder, each 64-bit element is divided into two 32-bit limbs, and $A$ comprises $S = 25$ elements. - \item $5 \times 64 = 320$ columns to store the bits of the vector $C$. - \item $5 \times 64 = 320$ columns to store the bits of the vector $C'$. - \item $5 \times 5 \times 64 = 1600$ columns to store the bits of $A'$. - \item $5 \times 5 \times 2 = 50$ columns to store the 32-bit limbs of $A''$. - \item $64$ columns to store the bits of $A''[0, 0]$. - \item $2$ columns to store the two limbs of $A'''[0, 0]$. -\end{enumerate} - -In total, this table comprises 2,431 columns. - -\subsubsection{Constraints} -Some constraints checking that the elements are computed correctly are not straightforward. Let us detail them here. - -First, it is important to highlight the fact that a $\texttt{xor}$ between two elements is of degree 2. Indeed, for $x \texttt{ xor } y$, the constraint is $x + y - 2 \times x \times y$, which is of degree 2. This implies that a $\texttt{xor}$ between 3 elements is of degree 3, which is the maximal constraint degree for our STARKs. - -We can check that $C'[x, z] = C[x, z] \texttt{ xor } C[x - 1, z] \texttt{ xor } C[x + 1, z - 1]$. However, we cannot directly check that $C[x] = \texttt{xor}_{i=0}^4 A[x, i]$, as it would be a degree 5 constraint. Instead, we use $C'$ for this constraint. We see that: -$$\texttt{xor}_{i=0}^4 A'[x, i, z] = C'[x, z]$$ -This implies that the difference $d = \sum_{i=0}^4 A'[x, i, z] - C'[x, z]$ is either 0, 2 or 4. We can therefore enforce the following degree 3 constraint instead: -$$d \times (d - 2) \times (d - 4) = 0$$ - -Additionally, we have to check that $A'$ is well constructed. We know that $A'$ should be such that $A'[x, y, z] = A[x, y, z] \texttt{ xor } C[x, z] \texttt{ xor } C'[x, z]$. Since we do not have the bits of $A$ elements but the bits of $A'$ elements, we check the equivalent degree 3 constraint: -$$A[x, y, z] = A'[x, y, z] \texttt{ xor } C[x, z] \texttt { xor } C'[x, z]$$ - -Finally, the constraints for the remaining elements, $A''$ and $A'''$ are straightforward: $A''$ is a three-element bitwise $\texttt{xor}$ where all bits involved are already storedn and $A'''[0, 0]$ is the output of a simple bitwise $\texttt{xor}$ with a round constant. \ No newline at end of file diff --git a/evm/spec/tables/keccak-sponge.tex b/evm/spec/tables/keccak-sponge.tex deleted file mode 100644 index a712335b8f..0000000000 --- a/evm/spec/tables/keccak-sponge.tex +++ /dev/null @@ -1,66 +0,0 @@ -\subsection{KeccakSponge} -\label{keccak-sponge} - -This table computes the Keccak256 hash, a sponge-based hash built on top of the Keccak-f[1600] permutation. An instance of KeccakSponge takes as input a Memory address $a$, -a length $l$, and computes the Keccak256 digest of the memory segment starting at $a$ and of size $l$. An instance can span many rows, each individual row being a single call to -the Keccak table. Note that all the read elements must be bytes; the proof will be unverifiable if this is not the case. Following the Keccak specifications, the input string is padded to the next multiple of 136 bytes. -Each row contains the following columns: -\begin{itemize} - \item Read bytes: - \begin{itemize} - \item 3 address columns: \texttt{context}, \texttt{segment} and the offset \texttt{virt} of $a$. - \item \texttt{timestamp}: the timestamp which will be used for all memory reads of this instance. - \item \texttt{already\_absorbed\_bytes}: keeps track of how many bytes have been hashed in the current instance. At the end of an instance, we should have absorbed $l$ bytes in total. - \item \texttt{KECCAK\_RATE\_BYTES} \texttt{block\_bytes} columns: the bytes being absorbed at this row. They are read from memory and will be XORed to the rate part of the current state. - \end{itemize} - \item Input columns: - \begin{itemize} - \item \texttt{KECCAK\_RATE\_U32S} \texttt{original\_rate\_u32s} columns: hold the rate part of the state before XORing it with \texttt{block\_bytes}. At the beginning of an instance, they are initialized with 0. - \item \texttt{KECCAK\_RATE\_U32s} \texttt{xored\_rate\_u32s} columns: hold the original rate XORed with \texttt{block\_bytes}. - \item \texttt{KECCAK\_CAPACITY\_U32S} \texttt{original\_capacity\_u32s} columns: hold the capacity part of the state before applying the Keccak permutation. - \end{itemize} - \item Output columns: - \begin{itemize} - \item \texttt{KECCAK\_DIGEST\_BYTES} \texttt{updated\_digest\_state\_bytes columns}: the beginning of the output state after applying the Keccak permutation. At the last row of an instance, they hold the computed hash. -They are decomposed in bytes for endianness reasons. - \item \texttt{KECCAK\_WIDTH\_MINUS\_DIGEST\_U32S} \texttt{partial\_updated\_state\_u32s} columns: the rest of the output state. They are discarded for the final digest, but are used between instance rows. - \end{itemize} - \item Helper columns: - \begin{itemize} - \item \texttt{is\_full\_input\_block}: indicates if the current row has a full input block, i.e. \texttt{block\_bytes} contains only bytes read from memory and no padding bytes. - \item \texttt{KECCAK\_RATE\_BYTES} \texttt{is\_final\_input\_len} columns: in the final row of an instance, indicate where the final read byte is. If the $i$-th column is set to 1, it means that -all bytes after the $i$-th are padding bytes. In a full input block, all columns are set to 0. - \end{itemize} -\end{itemize} - -For each instance, constraints ensure that: -\begin{itemize} - \item at each row: - \begin{itemize} - \item \texttt{is\_full\_input\_block} and \texttt{is\_final\_input\_len} columns are all binary. - \item Only one column in \texttt{is\_full\_input\_block} and \texttt{is\_final\_input\_len} is set to 1. - \item \texttt{xored\_rate\_u32s} is \texttt{original\_rate\_u32s} XOR \texttt{block\_bytes}. - \item The CTL with Keccak ensures that (\texttt{updated\_digest\_state\_bytes columns}, \texttt{partial\_updated\_state\_u32s}) is the Keccak permutation output of (\texttt{xored\_rate\_u32s}, \texttt{original\_capacity\_u32s}). - \end{itemize} - \item at the first row: - \begin{itemize} - \item \texttt{original\_rate\_u32s} is all 0. - \item \texttt{already\_absorbed\_bytes} is 0. - \end{itemize} - \item at each full input row (i.e. \texttt{is\_full\_input\_block} is 1, all \texttt{is\_final\_input\_len} columns are 0): - \begin{itemize} - \item \texttt{context}, \texttt{segment}, \texttt{virt} and \texttt{timestamp} are unchanged in the next row. - \item Next \texttt{already\_absorbed\_bytes} is current \texttt{already\_absorbed\_bytes} + \texttt{KECCAK\_RATE\_BYTES}. - \item Next (\texttt{original\_rate\_u32s}, \texttt{original\_capacity\_u32s}) is current (\texttt{updated\_digest\_state\_bytes columns}, \texttt{partial\_updated\_state\_u32s}). - \item The CTL with Memory ensures that \texttt{block\_bytes} is filled with contiguous memory elements [$a$ + \texttt{already\_absorbed\_bytes}, $a$ + \texttt{already\_absorbed\_bytes} + \texttt{KECCAK\_RATE\_BYTES} - 1] - \end{itemize} - \item at the final row (i.e. \texttt{is\_full\_input\_block} is 0, \texttt{is\_final\_input\_len}'s $i$-th column is 1 for a certain $i$, the rest are 0): - \begin{itemize} - \item The CTL with Memory ensures that \texttt{block\_bytes} is filled with contiguous memory elements [$a$ + \texttt{already\_absorbed\_bytes}, $a$ + \texttt{already\_absorbed\_bytes} + $i$ - 1]. The rest are padding bytes. - \item The CTL with CPU ensures that \texttt{context}, \texttt{segment}, \texttt{virt} and \texttt{timestamp} match the \texttt{KECCAK\_GENERAL} call. - \item The CTL with CPU ensures that $l$ = \texttt{already\_absorbed\_bytes} + $i$. - \item The CTL with CPU ensures that \texttt{updated\_digest\_state\_bytes} is the output of the \texttt{KECCAK\_GENERAL} call. - \end{itemize} -\end{itemize} - -The trace is padded to the next power of two with dummy rows, whose \texttt{is\_full\_input\_block} and \texttt{is\_final\_input\_len} columns are all 0. diff --git a/evm/spec/tables/logic.tex b/evm/spec/tables/logic.tex deleted file mode 100644 index e2425fc4a8..0000000000 --- a/evm/spec/tables/logic.tex +++ /dev/null @@ -1,18 +0,0 @@ -\subsection{Logic} -\label{logic} - -Each row of the logic table corresponds to one bitwise logic operation: either AND, OR or XOR. Each input for these operations is represented as 256 bits, while the output is stored as eight 32-bit limbs. - -Each row therefore contains the following columns: -\begin{enumerate} - \item $f_{\texttt{and}}$, an ``is and'' flag, which should be 1 for an OR operation and 0 otherwise, - \item $f_{\texttt{or}}$, an ``is or'' flag, which should be 1 for an OR operation and 0 otherwise, - \item $f_{\texttt{xor}}$, an ``is xor'' flag, which should be 1 for a XOR operation and 0 otherwise, - \item 256 columns $x_{1, i}$ for the bits of the first input $x_1$, - \item 256 columns $x_{2, i}$ for the bits of the second input $x_2$, - \item 8 columns $r_i$ for the 32-bit limbs of the output $r$. -\end{enumerate} - -Note that we need all three flags because we need to be able to distinguish between an operation row and a padding row -- where all flags are set to 0. - -The subdivision into bits is required for the two inputs as the table carries out bitwise operations. The result, on the other hand, is represented in 32-bit limbs since we do not need individual bits and can therefore save the remaining 248 columns. Moreover, the output is checked against the cpu, which stores values in the same way. diff --git a/evm/spec/tables/memory.tex b/evm/spec/tables/memory.tex deleted file mode 100644 index d39e99b23d..0000000000 --- a/evm/spec/tables/memory.tex +++ /dev/null @@ -1,87 +0,0 @@ -\subsection{Memory} -\label{memory} - -For simplicity, let's treat addresses and values as individual field elements. The generalization to multi-element addresses and values is straightforward. - -Each row of the memory table corresponds to a single memory operation (a read or a write), and contains the following columns: - -\begin{enumerate} - \item $a$, the target address - \item $r$, an ``is read'' flag, which should be 1 for a read or 0 for a write - \item $v$, the value being read or written - \item $\tau$, the timestamp of the operation -\end{enumerate} -The memory table should be ordered by $(a, \tau)$. Note that the correctness of the memory could be checked as follows: -\begin{enumerate} - \item Verify the ordering by checking that $(a_i, \tau_i) \leq (a_{i+1}, \tau_{i+1})$ for each consecutive pair. - \item Enumerate the purportedly-ordered log while tracking the ``current'' value of $v$. - \begin{enumerate} - \item Upon observing an address which doesn't match that of the previous row, if the address is zero-initialized - and if the operation is a read, check that $v = 0$. - \item Upon observing a write, don't constrain $v$. - \item Upon observing a read at timestamp $\tau_i$ which isn't the first operation at this address, check that $v_i = v_{i-1}$. - \end{enumerate} -\end{enumerate} - -The ordering check is slightly involved since we are comparing multiple columns. To facilitate this, we add an additional column $e$, where the prover can indicate whether two consecutive addresses changed. An honest prover will set -$$ -e_i \leftarrow \begin{cases} - 1 & \text{if } a_i \neq a_{i + 1}, \\ - 0 & \text{otherwise}. -\end{cases} -$$ -We also introduce a range-check column $c$, which should hold: -$$ -c_i \leftarrow \begin{cases} - a_{i + 1} - a_i - 1 & \text{if } e_i = 1, \\ - \tau_{i+1} - \tau_i & \text{otherwise}. -\end{cases} -$$ -The extra $-1$ ensures that the address actually changed if $e_i = 1$. -We then impose the following transition constraints: -\begin{enumerate} - \item $e_i (e_i - 1) = 0$, - \item $(1 - e_i) (a_{i + 1} - a_i) = 0$, - \item $c_i < 2^{32}$. -\end{enumerate} -The third constraint emulates a comparison between two addresses or timestamps by bounding their difference; this assumes that all addresses and timestamps fit in 32 bits and that the field is larger than that. - -\subsubsection{Virtual memory} - -In the EVM, each contract call has its own address space. Within that address space, there are separate segments for code, main memory, stack memory, calldata, and returndata. Thus each address actually has three compoments: -\begin{enumerate} - \item an execution context, representing a contract call, - \item a segment ID, used to separate code, main memory, and so forth, and so on - \item a virtual address. -\end{enumerate} -The comparisons now involve several columns, which requires some minor adaptations to the technique described above; we will leave these as an exercise to the reader. - -Note that an additional constraint check is required: whenever we change the context or the segment, the virtual address must be range-checked to $2^{32}$. -Without this check, addresses could start at -1 (i.e. $p - 2$) and then increase properly. - -\subsubsection{Timestamps} - -Memory operations are sorted by address $a$ and timestamp $\tau$. For a memory operation in the CPU, we have: -$$\tau = \texttt{NUM\_CHANNELS} \times \texttt{cycle} + \texttt{channel}.$$ -Since a memory channel can only hold at most one memory operation, every CPU memory operation's timestamp is unique. - -Note that it doesn't mean that all memory operations have unique timestamps. There are two exceptions: - -\begin{itemize} - \item Before the CPU cycles, we write some global metadata in memory. These extra operations are done at timestamp $\tau = 0$. - \item Some tables other than CPU can generate memory operations, like KeccakSponge. When this happens, these operations all have the timestamp of the CPU row of the instruction which invoked the table (for KeccakSponge, KECCAK\_GENERAL). -\end{itemize} - -\subsubsection{Memory initialization} - -By default, all memory is zero-initialized. However, to save numerous writes, we allow some specific segments to be initialized with arbitrary values. - -\begin{itemize} - \item The read-only kernel code (in segment 0, context 0) is initialized with its correct values. It's checked by hashing the segment and verifying -that the hash value matches a verifier-provided one. - \item The code segment (segment 0) in other contexts is initialized with externally-provided account code, then checked against the account code hash. -If the code is meant to be executed, there is a soundness concern: if the code is malformed and ends with an incomplete PUSH, then the missing bytes must -be 0 accordingly to the Ethereum specs. To prevent the issue, we manually write 33 zeros (at most 32 bytes for the PUSH argument, and an extra one for -the post-PUSH PC value). - \item The ``TrieData'' segment is initialized with the input tries. The stored tries are hashed and checked against the provided initial hash. Note that the length of the segment and the pointers -- within the ``TrieData'' segment -- for the three tries are provided as prover inputs. The length is then checked against a value computed when hashing the tries. -\end{itemize} diff --git a/evm/spec/zkevm.pdf b/evm/spec/zkevm.pdf deleted file mode 100644 index 3b10fba30b..0000000000 Binary files a/evm/spec/zkevm.pdf and /dev/null differ diff --git a/evm/spec/zkevm.tex b/evm/spec/zkevm.tex deleted file mode 100644 index ee2c38a54e..0000000000 --- a/evm/spec/zkevm.tex +++ /dev/null @@ -1,61 +0,0 @@ -\documentclass[12pt]{article} -\usepackage{amsmath} -\usepackage{amssymb} -\usepackage{cite} -\usepackage{draftwatermark} -\usepackage[margin=1.5in]{geometry} -\usepackage{hyperref} -\usepackage{makecell} -\usepackage{mathtools} -\usepackage{tabularx} -\usepackage{enumitem} -\usepackage[textwidth=1.25in]{todonotes} - -% Scale for DRAFT watermark. -\SetWatermarkFontSize{24cm} -\SetWatermarkScale{5} -\SetWatermarkLightness{0.92} - -% Hyperlink colors. -\hypersetup{ - colorlinks=true, - linkcolor=blue, - citecolor=blue, - urlcolor=blue, -} - -% We want all section autorefs to say "Section". -\def\sectionautorefname{Section} -\let\subsectionautorefname\sectionautorefname -\let\subsubsectionautorefname\sectionautorefname - -% \abs{...}, \floor{...} and \ceil{...} -\DeclarePairedDelimiter\abs{\lvert}{\rvert} -\DeclarePairedDelimiter\ceil{\lceil}{\rceil} -\DeclarePairedDelimiter\floor{\lfloor}{\rfloor} - -\title{The Polygon Zero zkEVM} -%\author{Polygon Zero Team} -\date{DRAFT\\\today} - -\begin{document} -\maketitle - -\begin{abstract} - We describe the design of Polygon Zero's zkEVM, ... -\end{abstract} - -\newpage -{\hypersetup{hidelinks} \tableofcontents} -\newpage - -\input{introduction} -\input{framework} -\input{tables} -\input{mpts} -\input{cpulogic} - -\bibliography{bibliography}{} -\bibliographystyle{ieeetr} - -\end{document} diff --git a/evm/src/all_stark.rs b/evm/src/all_stark.rs deleted file mode 100644 index cd7a2d3c38..0000000000 --- a/evm/src/all_stark.rs +++ /dev/null @@ -1,297 +0,0 @@ -use core::ops::Deref; - -use plonky2::field::extension::Extendable; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; - -use crate::arithmetic::arithmetic_stark; -use crate::arithmetic::arithmetic_stark::ArithmeticStark; -use crate::byte_packing::byte_packing_stark::{self, BytePackingStark}; -use crate::config::StarkConfig; -use crate::cpu::cpu_stark; -use crate::cpu::cpu_stark::CpuStark; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::cross_table_lookup::{CrossTableLookup, TableIdx, TableWithColumns}; -use crate::keccak::keccak_stark; -use crate::keccak::keccak_stark::KeccakStark; -use crate::keccak_sponge::columns::KECCAK_RATE_BYTES; -use crate::keccak_sponge::keccak_sponge_stark; -use crate::keccak_sponge::keccak_sponge_stark::KeccakSpongeStark; -use crate::logic; -use crate::logic::LogicStark; -use crate::memory::memory_stark; -use crate::memory::memory_stark::MemoryStark; -use crate::stark::Stark; - -/// Structure containing all STARKs and the cross-table lookups. -#[derive(Clone)] -pub struct AllStark, const D: usize> { - pub(crate) arithmetic_stark: ArithmeticStark, - pub(crate) byte_packing_stark: BytePackingStark, - pub(crate) cpu_stark: CpuStark, - pub(crate) keccak_stark: KeccakStark, - pub(crate) keccak_sponge_stark: KeccakSpongeStark, - pub(crate) logic_stark: LogicStark, - pub(crate) memory_stark: MemoryStark, - pub(crate) cross_table_lookups: Vec>, -} - -impl, const D: usize> Default for AllStark { - /// Returns an `AllStark` containing all the STARKs initialized with default values. - fn default() -> Self { - Self { - arithmetic_stark: ArithmeticStark::default(), - byte_packing_stark: BytePackingStark::default(), - cpu_stark: CpuStark::default(), - keccak_stark: KeccakStark::default(), - keccak_sponge_stark: KeccakSpongeStark::default(), - logic_stark: LogicStark::default(), - memory_stark: MemoryStark::default(), - cross_table_lookups: all_cross_table_lookups(), - } - } -} - -impl, const D: usize> AllStark { - pub(crate) fn num_lookups_helper_columns(&self, config: &StarkConfig) -> [usize; NUM_TABLES] { - [ - self.arithmetic_stark.num_lookup_helper_columns(config), - self.byte_packing_stark.num_lookup_helper_columns(config), - self.cpu_stark.num_lookup_helper_columns(config), - self.keccak_stark.num_lookup_helper_columns(config), - self.keccak_sponge_stark.num_lookup_helper_columns(config), - self.logic_stark.num_lookup_helper_columns(config), - self.memory_stark.num_lookup_helper_columns(config), - ] - } -} - -/// Associates STARK tables with a unique index. -#[derive(Debug, Copy, Clone, Eq, PartialEq)] -pub enum Table { - Arithmetic = 0, - BytePacking = 1, - Cpu = 2, - Keccak = 3, - KeccakSponge = 4, - Logic = 5, - Memory = 6, -} - -impl Deref for Table { - type Target = TableIdx; - - fn deref(&self) -> &Self::Target { - // Hacky way to implement `Deref` for `Table` so that we don't have to - // call `Table::Foo as usize`, but perhaps too ugly to be worth it. - [&0, &1, &2, &3, &4, &5, &6][*self as TableIdx] - } -} - -/// Number of STARK tables. -pub(crate) const NUM_TABLES: usize = Table::Memory as usize + 1; - -impl Table { - /// Returns all STARK table indices. - pub(crate) const fn all() -> [Self; NUM_TABLES] { - [ - Self::Arithmetic, - Self::BytePacking, - Self::Cpu, - Self::Keccak, - Self::KeccakSponge, - Self::Logic, - Self::Memory, - ] - } -} - -/// Returns all the `CrossTableLookups` used for proving the EVM. -pub(crate) fn all_cross_table_lookups() -> Vec> { - vec![ - ctl_arithmetic(), - ctl_byte_packing(), - ctl_keccak_sponge(), - ctl_keccak_inputs(), - ctl_keccak_outputs(), - ctl_logic(), - ctl_memory(), - ] -} - -/// `CrossTableLookup` for `ArithmeticStark`, to connect it with the `Cpu` module. -fn ctl_arithmetic() -> CrossTableLookup { - CrossTableLookup::new( - vec![cpu_stark::ctl_arithmetic_base_rows()], - arithmetic_stark::ctl_arithmetic_rows(), - ) -} - -/// `CrossTableLookup` for `BytePackingStark`, to connect it with the `Cpu` module. -fn ctl_byte_packing() -> CrossTableLookup { - let cpu_packing_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_byte_packing(), - Some(cpu_stark::ctl_filter_byte_packing()), - ); - let cpu_unpacking_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_byte_unpacking(), - Some(cpu_stark::ctl_filter_byte_unpacking()), - ); - let cpu_push_packing_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_byte_packing_push(), - Some(cpu_stark::ctl_filter_byte_packing_push()), - ); - let cpu_jumptable_read_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_jumptable_read(), - Some(cpu_stark::ctl_filter_syscall_exceptions()), - ); - let byte_packing_looked = TableWithColumns::new( - *Table::BytePacking, - byte_packing_stark::ctl_looked_data(), - Some(byte_packing_stark::ctl_looked_filter()), - ); - CrossTableLookup::new( - vec![ - cpu_packing_looking, - cpu_unpacking_looking, - cpu_push_packing_looking, - cpu_jumptable_read_looking, - ], - byte_packing_looked, - ) -} - -/// `CrossTableLookup` for `KeccakStark` inputs, to connect it with the `KeccakSponge` module. -/// `KeccakStarkSponge` looks into `KeccakStark` to give the inputs of the sponge. -/// Its consistency with the 'output' CTL is ensured through a timestamp column on the `KeccakStark` side. -fn ctl_keccak_inputs() -> CrossTableLookup { - let keccak_sponge_looking = TableWithColumns::new( - *Table::KeccakSponge, - keccak_sponge_stark::ctl_looking_keccak_inputs(), - Some(keccak_sponge_stark::ctl_looking_keccak_filter()), - ); - let keccak_looked = TableWithColumns::new( - *Table::Keccak, - keccak_stark::ctl_data_inputs(), - Some(keccak_stark::ctl_filter_inputs()), - ); - CrossTableLookup::new(vec![keccak_sponge_looking], keccak_looked) -} - -/// `CrossTableLookup` for `KeccakStark` outputs, to connect it with the `KeccakSponge` module. -/// `KeccakStarkSponge` looks into `KeccakStark` to give the outputs of the sponge. -fn ctl_keccak_outputs() -> CrossTableLookup { - let keccak_sponge_looking = TableWithColumns::new( - *Table::KeccakSponge, - keccak_sponge_stark::ctl_looking_keccak_outputs(), - Some(keccak_sponge_stark::ctl_looking_keccak_filter()), - ); - let keccak_looked = TableWithColumns::new( - *Table::Keccak, - keccak_stark::ctl_data_outputs(), - Some(keccak_stark::ctl_filter_outputs()), - ); - CrossTableLookup::new(vec![keccak_sponge_looking], keccak_looked) -} - -/// `CrossTableLookup` for `KeccakSpongeStark` to connect it with the `Cpu` module. -fn ctl_keccak_sponge() -> CrossTableLookup { - let cpu_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_keccak_sponge(), - Some(cpu_stark::ctl_filter_keccak_sponge()), - ); - let keccak_sponge_looked = TableWithColumns::new( - *Table::KeccakSponge, - keccak_sponge_stark::ctl_looked_data(), - Some(keccak_sponge_stark::ctl_looked_filter()), - ); - CrossTableLookup::new(vec![cpu_looking], keccak_sponge_looked) -} - -/// `CrossTableLookup` for `LogicStark` to connect it with the `Cpu` and `KeccakSponge` modules. -fn ctl_logic() -> CrossTableLookup { - let cpu_looking = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_logic(), - Some(cpu_stark::ctl_filter_logic()), - ); - let mut all_lookers = vec![cpu_looking]; - for i in 0..keccak_sponge_stark::num_logic_ctls() { - let keccak_sponge_looking = TableWithColumns::new( - *Table::KeccakSponge, - keccak_sponge_stark::ctl_looking_logic(i), - Some(keccak_sponge_stark::ctl_looking_logic_filter()), - ); - all_lookers.push(keccak_sponge_looking); - } - let logic_looked = - TableWithColumns::new(*Table::Logic, logic::ctl_data(), Some(logic::ctl_filter())); - CrossTableLookup::new(all_lookers, logic_looked) -} - -/// `CrossTableLookup` for `MemoryStark` to connect it with all the modules which need memory accesses. -fn ctl_memory() -> CrossTableLookup { - let cpu_memory_code_read = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_code_memory(), - Some(cpu_stark::ctl_filter_code_memory()), - ); - let cpu_memory_gp_ops = (0..NUM_GP_CHANNELS).map(|channel| { - TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_gp_memory(channel), - Some(cpu_stark::ctl_filter_gp_memory(channel)), - ) - }); - let cpu_push_write_ops = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_partial_memory::(), - Some(cpu_stark::ctl_filter_partial_memory()), - ); - let cpu_set_context_write = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_memory_old_sp_write_set_context::(), - Some(cpu_stark::ctl_filter_set_context()), - ); - let cpu_set_context_read = TableWithColumns::new( - *Table::Cpu, - cpu_stark::ctl_data_memory_new_sp_read_set_context::(), - Some(cpu_stark::ctl_filter_set_context()), - ); - let keccak_sponge_reads = (0..KECCAK_RATE_BYTES).map(|i| { - TableWithColumns::new( - *Table::KeccakSponge, - keccak_sponge_stark::ctl_looking_memory(i), - Some(keccak_sponge_stark::ctl_looking_memory_filter(i)), - ) - }); - let byte_packing_ops = (0..32).map(|i| { - TableWithColumns::new( - *Table::BytePacking, - byte_packing_stark::ctl_looking_memory(i), - Some(byte_packing_stark::ctl_looking_memory_filter(i)), - ) - }); - let all_lookers = vec![ - cpu_memory_code_read, - cpu_push_write_ops, - cpu_set_context_write, - cpu_set_context_read, - ] - .into_iter() - .chain(cpu_memory_gp_ops) - .chain(keccak_sponge_reads) - .chain(byte_packing_ops) - .collect(); - let memory_looked = TableWithColumns::new( - *Table::Memory, - memory_stark::ctl_data(), - Some(memory_stark::ctl_filter()), - ); - CrossTableLookup::new(all_lookers, memory_looked) -} diff --git a/evm/src/arithmetic/addcy.rs b/evm/src/arithmetic/addcy.rs deleted file mode 100644 index 4f343b45d5..0000000000 --- a/evm/src/arithmetic/addcy.rs +++ /dev/null @@ -1,355 +0,0 @@ -//! Support for EVM instructions ADD, SUB, LT and GT -//! -//! This crate verifies EVM instructions ADD, SUB, LT and GT (i.e. for -//! unsigned inputs). Each of these instructions can be verified using -//! the "add with carry out" equation -//! -//! X + Y = Z + CY * 2^256 -//! -//! by an appropriate assignment of "inputs" and "outputs" to the -//! variables X, Y, Z and CY. Specifically, -//! -//! ADD: X + Y, inputs X, Y, output Z, ignore CY -//! SUB: Z - X, inputs X, Z, output Y, ignore CY -//! GT: X > Z, inputs X, Z, output CY, auxiliary output Y -//! LT: Z < X, inputs Z, X, output CY, auxiliary output Y - -use ethereum_types::U256; -use itertools::Itertools; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::{Field, PrimeField64}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::arithmetic::columns::*; -use crate::arithmetic::utils::u256_to_array; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; - -/// Generate row for ADD, SUB, GT and LT operations. -pub(crate) fn generate( - lv: &mut [F], - filter: usize, - left_in: U256, - right_in: U256, -) { - u256_to_array(&mut lv[INPUT_REGISTER_0], left_in); - u256_to_array(&mut lv[INPUT_REGISTER_1], right_in); - u256_to_array(&mut lv[INPUT_REGISTER_2], U256::zero()); - - match filter { - IS_ADD => { - let (result, cy) = left_in.overflowing_add(right_in); - u256_to_array(&mut lv[AUX_INPUT_REGISTER_0], U256::from(cy as u32)); - u256_to_array(&mut lv[OUTPUT_REGISTER], result); - } - IS_SUB => { - let (diff, cy) = left_in.overflowing_sub(right_in); - u256_to_array(&mut lv[AUX_INPUT_REGISTER_0], U256::from(cy as u32)); - u256_to_array(&mut lv[OUTPUT_REGISTER], diff); - } - IS_LT => { - let (diff, cy) = left_in.overflowing_sub(right_in); - u256_to_array(&mut lv[AUX_INPUT_REGISTER_0], diff); - u256_to_array(&mut lv[OUTPUT_REGISTER], U256::from(cy as u32)); - } - IS_GT => { - let (diff, cy) = right_in.overflowing_sub(left_in); - u256_to_array(&mut lv[AUX_INPUT_REGISTER_0], diff); - u256_to_array(&mut lv[OUTPUT_REGISTER], U256::from(cy as u32)); - } - _ => panic!("unexpected operation filter"), - }; -} - -/// 2^-16 mod (2^64 - 2^32 + 1) -const GOLDILOCKS_INVERSE_65536: u64 = 18446462594437939201; - -/// Constrains x + y == z + cy*2^256, assuming filter != 0. -/// -/// Set `is_two_row_op=true` to allow the code to be called from the -/// two-row `modular` code (for checking that the modular output is -/// reduced). -/// -/// NB: This function ONLY verifies that cy is 0 or 1 when -/// is_two_row_op=false; when is_two_row_op=true the caller must -/// verify for itself. -/// -/// Note that the digits of `x + y` are in `[0, 2*(2^16-1)]` -/// (i.e. they are the sums of two 16-bit numbers), whereas the digits -/// of `z` can only be in `[0, 2^16-1]`. In the function we check that: -/// -/// \sum_i (x_i + y_i) * 2^(16*i) = \sum_i z_i * 2^(16*i) + given_cy*2^256. -/// -/// If `N_LIMBS = 1`, then this amounts to verifying that either `x_0 -/// + y_0 = z_0` or `x_0 + y_0 == z_0 + cy*2^16` (this is `t` on line -/// 127ff). Ok. Now assume the constraints are valid for `N_LIMBS = -/// n-1`. Then by induction, -/// -/// \sum_{i=0}^{n-1} (x_i + y_i) * 2^(16*i) + (x_n + y_n)*2^(16*n) == -/// \sum_{i=0}^{n-1} z_i * 2^(16*i) + cy_{n-1}*2^(16*n) + z_n*2^(16*n) -/// + cy_n*2^(16*n) -/// -/// is true if `(x_n + y_n)*2^(16*n) == cy_{n-1}*2^(16*n) + -/// z_n*2^(16*n) + cy_n*2^(16*n)` (again, this is `t` on line 127ff) -/// with the last `cy_n` checked against the `given_cy` given as input. -pub(crate) fn eval_packed_generic_addcy( - yield_constr: &mut ConstraintConsumer

, - filter: P, - x: &[P], - y: &[P], - z: &[P], - given_cy: &[P], - is_two_row_op: bool, -) { - debug_assert!( - x.len() == N_LIMBS && y.len() == N_LIMBS && z.len() == N_LIMBS && given_cy.len() == N_LIMBS - ); - - let overflow = P::Scalar::from_canonical_u64(1u64 << LIMB_BITS); - let overflow_inv = P::Scalar::from_canonical_u64(GOLDILOCKS_INVERSE_65536); - debug_assert!( - overflow * overflow_inv == P::Scalar::ONE, - "only works with LIMB_BITS=16 and F=Goldilocks" - ); - - let mut cy = P::ZEROS; - for ((&xi, &yi), &zi) in x.iter().zip_eq(y).zip_eq(z) { - // Verify that (xi + yi) - zi is either 0 or 2^LIMB_BITS - let t = cy + xi + yi - zi; - if is_two_row_op { - yield_constr.constraint_transition(filter * t * (overflow - t)); - } else { - yield_constr.constraint(filter * t * (overflow - t)); - } - // cy <-- 0 or 1 - // NB: this is multiplication by a constant, so doesn't - // increase the degree of the constraint. - cy = t * overflow_inv; - } - - if is_two_row_op { - // NB: Mild hack: We don't check that given_cy[0] is 0 or 1 - // when is_two_row_op is true because that's only the case - // when this function is called from - // modular::modular_constr_poly(), in which case (1) this - // condition has already been checked and (2) it exceeds the - // degree budget because given_cy[0] is already degree 2. - yield_constr.constraint_transition(filter * (cy - given_cy[0])); - for i in 1..N_LIMBS { - yield_constr.constraint_transition(filter * given_cy[i]); - } - } else { - yield_constr.constraint(filter * given_cy[0] * (given_cy[0] - P::ONES)); - yield_constr.constraint(filter * (cy - given_cy[0])); - for i in 1..N_LIMBS { - yield_constr.constraint(filter * given_cy[i]); - } - } -} - -pub(crate) fn eval_packed_generic( - lv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - let is_add = lv[IS_ADD]; - let is_sub = lv[IS_SUB]; - let is_lt = lv[IS_LT]; - let is_gt = lv[IS_GT]; - - let in0 = &lv[INPUT_REGISTER_0]; - let in1 = &lv[INPUT_REGISTER_1]; - let out = &lv[OUTPUT_REGISTER]; - let aux = &lv[AUX_INPUT_REGISTER_0]; - - // x + y = z + w*2^256 - eval_packed_generic_addcy(yield_constr, is_add, in0, in1, out, aux, false); - eval_packed_generic_addcy(yield_constr, is_sub, in1, out, in0, aux, false); - eval_packed_generic_addcy(yield_constr, is_lt, in1, aux, in0, out, false); - eval_packed_generic_addcy(yield_constr, is_gt, in0, aux, in1, out, false); -} - -#[allow(clippy::needless_collect)] -pub(crate) fn eval_ext_circuit_addcy, const D: usize>( - builder: &mut CircuitBuilder, - yield_constr: &mut RecursiveConstraintConsumer, - filter: ExtensionTarget, - x: &[ExtensionTarget], - y: &[ExtensionTarget], - z: &[ExtensionTarget], - given_cy: &[ExtensionTarget], - is_two_row_op: bool, -) { - debug_assert!( - x.len() == N_LIMBS && y.len() == N_LIMBS && z.len() == N_LIMBS && given_cy.len() == N_LIMBS - ); - - // 2^LIMB_BITS in the base field - let overflow_base = F::from_canonical_u64(1 << LIMB_BITS); - // 2^LIMB_BITS in the extension field as an ExtensionTarget - let overflow = builder.constant_extension(F::Extension::from(overflow_base)); - // 2^-LIMB_BITS in the base field. - let overflow_inv = F::from_canonical_u64(GOLDILOCKS_INVERSE_65536); - - let mut cy = builder.zero_extension(); - for ((&xi, &yi), &zi) in x.iter().zip_eq(y).zip_eq(z) { - // t0 = cy + xi + yi - let t0 = builder.add_many_extension([cy, xi, yi]); - // t = t0 - zi - let t = builder.sub_extension(t0, zi); - // t1 = overflow - t - let t1 = builder.sub_extension(overflow, t); - // t2 = t * t1 - let t2 = builder.mul_extension(t, t1); - - let filtered_limb_constraint = builder.mul_extension(filter, t2); - if is_two_row_op { - yield_constr.constraint_transition(builder, filtered_limb_constraint); - } else { - yield_constr.constraint(builder, filtered_limb_constraint); - } - - cy = builder.mul_const_extension(overflow_inv, t); - } - - let good_cy = builder.sub_extension(cy, given_cy[0]); - let cy_filter = builder.mul_extension(filter, good_cy); - - // Check given carry is one bit - let bit_constr = builder.mul_sub_extension(given_cy[0], given_cy[0], given_cy[0]); - let bit_filter = builder.mul_extension(filter, bit_constr); - - if is_two_row_op { - yield_constr.constraint_transition(builder, cy_filter); - for i in 1..N_LIMBS { - let t = builder.mul_extension(filter, given_cy[i]); - yield_constr.constraint_transition(builder, t); - } - } else { - yield_constr.constraint(builder, bit_filter); - yield_constr.constraint(builder, cy_filter); - for i in 1..N_LIMBS { - let t = builder.mul_extension(filter, given_cy[i]); - yield_constr.constraint(builder, t); - } - } -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let is_add = lv[IS_ADD]; - let is_sub = lv[IS_SUB]; - let is_lt = lv[IS_LT]; - let is_gt = lv[IS_GT]; - - let in0 = &lv[INPUT_REGISTER_0]; - let in1 = &lv[INPUT_REGISTER_1]; - let out = &lv[OUTPUT_REGISTER]; - let aux = &lv[AUX_INPUT_REGISTER_0]; - - eval_ext_circuit_addcy(builder, yield_constr, is_add, in0, in1, out, aux, false); - eval_ext_circuit_addcy(builder, yield_constr, is_sub, in1, out, in0, aux, false); - eval_ext_circuit_addcy(builder, yield_constr, is_lt, in1, aux, in0, out, false); - eval_ext_circuit_addcy(builder, yield_constr, is_gt, in0, aux, in1, out, false); -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::{Field, Sample}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - use crate::constraint_consumer::ConstraintConsumer; - - // TODO: Should be able to refactor this test to apply to all operations. - #[test] - fn generate_eval_consistency_not_addcy() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // if the operation filters are all zero, then the constraints - // should be met even if all values are - // garbage. - lv[IS_ADD] = F::ZERO; - lv[IS_SUB] = F::ZERO; - lv[IS_LT] = F::ZERO; - lv[IS_GT] = F::ZERO; - - let mut constrant_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - F::ONE, - F::ONE, - F::ONE, - ); - eval_packed_generic(&lv, &mut constrant_consumer); - for &acc in &constrant_consumer.constraint_accs { - assert_eq!(acc, F::ZERO); - } - } - - #[test] - fn generate_eval_consistency_addcy() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - const N_ITERS: usize = 1000; - - for _ in 0..N_ITERS { - for op_filter in [IS_ADD, IS_SUB, IS_LT, IS_GT] { - // set entire row to random 16-bit values - let mut lv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - - // set operation filter and ensure all constraints are - // satisfied. We have to explicitly set the other - // operation filters to zero since all are treated by - // the call. - lv[IS_ADD] = F::ZERO; - lv[IS_SUB] = F::ZERO; - lv[IS_LT] = F::ZERO; - lv[IS_GT] = F::ZERO; - lv[op_filter] = F::ONE; - - let left_in = U256::from(rng.gen::<[u8; 32]>()); - let right_in = U256::from(rng.gen::<[u8; 32]>()); - - generate(&mut lv, op_filter, left_in, right_in); - - let mut constrant_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - F::ONE, - F::ONE, - F::ONE, - ); - eval_packed_generic(&lv, &mut constrant_consumer); - for &acc in &constrant_consumer.constraint_accs { - assert_eq!(acc, F::ZERO); - } - - let expected = match op_filter { - IS_ADD => left_in.overflowing_add(right_in).0, - IS_SUB => left_in.overflowing_sub(right_in).0, - IS_LT => U256::from((left_in < right_in) as u8), - IS_GT => U256::from((left_in > right_in) as u8), - _ => panic!("unrecognised operation"), - }; - - let mut expected_limbs = [F::ZERO; N_LIMBS]; - u256_to_array(&mut expected_limbs, expected); - assert!(expected_limbs - .iter() - .zip(&lv[OUTPUT_REGISTER]) - .all(|(x, y)| x == y)); - } - } - } -} diff --git a/evm/src/arithmetic/arithmetic_stark.rs b/evm/src/arithmetic/arithmetic_stark.rs deleted file mode 100644 index dcf966ee59..0000000000 --- a/evm/src/arithmetic/arithmetic_stark.rs +++ /dev/null @@ -1,497 +0,0 @@ -use core::marker::PhantomData; -use core::ops::Range; - -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::util::transpose; -use static_assertions::const_assert; - -use super::columns::{op_flags, NUM_ARITH_COLUMNS}; -use super::shift; -use crate::all_stark::Table; -use crate::arithmetic::columns::{NUM_SHARED_COLS, RANGE_COUNTER, RC_FREQUENCIES, SHARED_COLS}; -use crate::arithmetic::{addcy, byte, columns, divmod, modular, mul, Operation}; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cross_table_lookup::TableWithColumns; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::lookup::{Column, Filter, Lookup}; -use crate::stark::Stark; - -/// Creates a vector of `Columns` to link the 16-bit columns of the arithmetic table, -/// split into groups of N_LIMBS at a time in `regs`, with the corresponding 32-bit -/// columns of the CPU table. Does this for all ops in `ops`. -/// -/// This is done by taking pairs of columns (x, y) of the arithmetic -/// table and combining them as x + y*2^16 to ensure they equal the -/// corresponding 32-bit number in the CPU table. -fn cpu_arith_data_link( - combined_ops: &[(usize, u8)], - regs: &[Range], -) -> Vec> { - let limb_base = F::from_canonical_u64(1 << columns::LIMB_BITS); - - let mut res = vec![Column::linear_combination( - combined_ops - .iter() - .map(|&(col, code)| (col, F::from_canonical_u8(code))), - )]; - - // The inner for loop below assumes N_LIMBS is even. - const_assert!(columns::N_LIMBS % 2 == 0); - - for reg_cols in regs { - // Loop below assumes we're operating on a "register" of N_LIMBS columns. - debug_assert_eq!(reg_cols.len(), columns::N_LIMBS); - - for i in 0..(columns::N_LIMBS / 2) { - let c0 = reg_cols.start + 2 * i; - let c1 = reg_cols.start + 2 * i + 1; - res.push(Column::linear_combination([(c0, F::ONE), (c1, limb_base)])); - } - } - res -} - -/// Returns the `TableWithColumns` for `ArithmeticStark` rows where one of the arithmetic operations has been called. -pub(crate) fn ctl_arithmetic_rows() -> TableWithColumns { - // We scale each filter flag with the associated opcode value. - // If an arithmetic operation is happening on the CPU side, - // the CTL will enforce that the reconstructed opcode value - // from the opcode bits matches. - // These opcodes are missing the syscall and prover_input opcodes, - // since `IS_RANGE_CHECK` can be associated to multiple opcodes. - // For `IS_RANGE_CHECK`, the opcodes are written in OPCODE_COL, - // and we use that column for scaling and the CTL checks. - // Note that we ensure in the STARK's constraints that the - // value in `OPCODE_COL` is 0 if `IS_RANGE_CHECK` = 0. - const COMBINED_OPS: [(usize, u8); 16] = [ - (columns::IS_ADD, 0x01), - (columns::IS_MUL, 0x02), - (columns::IS_SUB, 0x03), - (columns::IS_DIV, 0x04), - (columns::IS_MOD, 0x06), - (columns::IS_ADDMOD, 0x08), - (columns::IS_MULMOD, 0x09), - (columns::IS_ADDFP254, 0x0c), - (columns::IS_MULFP254, 0x0d), - (columns::IS_SUBFP254, 0x0e), - (columns::IS_SUBMOD, 0x0f), - (columns::IS_LT, 0x10), - (columns::IS_GT, 0x11), - (columns::IS_BYTE, 0x1a), - (columns::IS_SHL, 0x1b), - (columns::IS_SHR, 0x1c), - ]; - - const REGISTER_MAP: [Range; 4] = [ - columns::INPUT_REGISTER_0, - columns::INPUT_REGISTER_1, - columns::INPUT_REGISTER_2, - columns::OUTPUT_REGISTER, - ]; - - let mut filter_cols = COMBINED_OPS.to_vec(); - filter_cols.push((columns::IS_RANGE_CHECK, 0x01)); - - let filter = Some(Filter::new_simple(Column::sum( - filter_cols.iter().map(|(c, _v)| *c), - ))); - - let mut all_combined_cols = COMBINED_OPS.to_vec(); - all_combined_cols.push((columns::OPCODE_COL, 0x01)); - // Create the Arithmetic Table whose columns are those of the - // operations listed in `ops` whose inputs and outputs are given - // by `regs`, where each element of `regs` is a range of columns - // corresponding to a 256-bit input or output register (also `ops` - // is used as the operation filter). - TableWithColumns::new( - *Table::Arithmetic, - cpu_arith_data_link(&all_combined_cols, ®ISTER_MAP), - filter, - ) -} - -/// Structure representing the `Arithmetic` STARK, which carries out all the arithmetic operations. -#[derive(Copy, Clone, Default)] -pub(crate) struct ArithmeticStark { - pub f: PhantomData, -} - -pub(crate) const RANGE_MAX: usize = 1usize << 16; // Range check strict upper bound - -impl ArithmeticStark { - /// Expects input in *column*-major layout - fn generate_range_checks(&self, cols: &mut [Vec]) { - debug_assert!(cols.len() == columns::NUM_ARITH_COLUMNS); - - let n_rows = cols[0].len(); - debug_assert!(cols.iter().all(|col| col.len() == n_rows)); - - for i in 0..RANGE_MAX { - cols[columns::RANGE_COUNTER][i] = F::from_canonical_usize(i); - } - for i in RANGE_MAX..n_rows { - cols[columns::RANGE_COUNTER][i] = F::from_canonical_usize(RANGE_MAX - 1); - } - - // Generate the frequencies column. - for col in SHARED_COLS { - for i in 0..n_rows { - let x = cols[col][i].to_canonical_u64() as usize; - assert!( - x < RANGE_MAX, - "column value {} exceeds the max range value {}", - x, - RANGE_MAX - ); - cols[RC_FREQUENCIES][x] += F::ONE; - } - } - } - - pub(crate) fn generate_trace(&self, operations: Vec) -> Vec> { - // The number of rows reserved is the smallest value that's - // guaranteed to avoid a reallocation: The only ops that use - // two rows are the modular operations and DIV, so the only - // way to reach capacity is when every op is modular or DIV - // (which is obviously unlikely in normal - // circumstances). (Also need at least RANGE_MAX rows to - // accommodate range checks.) - let max_rows = std::cmp::max(2 * operations.len(), RANGE_MAX); - let mut trace_rows = Vec::with_capacity(max_rows); - - for op in operations { - let (row1, maybe_row2) = op.to_rows(); - trace_rows.push(row1); - - if let Some(row2) = maybe_row2 { - trace_rows.push(row2); - } - } - - // Pad the trace with zero rows if it doesn't have enough rows - // to accommodate the range check columns. Also make sure the - // trace length is a power of two. - let padded_len = trace_rows.len().next_power_of_two(); - for _ in trace_rows.len()..std::cmp::max(padded_len, RANGE_MAX) { - trace_rows.push(vec![F::ZERO; columns::NUM_ARITH_COLUMNS]); - } - - let mut trace_cols = transpose(&trace_rows); - self.generate_range_checks(&mut trace_cols); - - trace_cols.into_iter().map(PolynomialValues::new).collect() - } -} - -impl, const D: usize> Stark for ArithmeticStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_ARITH_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let lv: &[P; NUM_ARITH_COLUMNS] = vars.get_local_values().try_into().unwrap(); - let nv: &[P; NUM_ARITH_COLUMNS] = vars.get_next_values().try_into().unwrap(); - - // Flags must be boolean. - for flag_idx in op_flags() { - let flag = lv[flag_idx]; - yield_constr.constraint(flag * (flag - P::ONES)); - } - - // Check that `OPCODE_COL` holds 0 if the operation is not a range_check. - let opcode_constraint = (P::ONES - lv[columns::IS_RANGE_CHECK]) * lv[columns::OPCODE_COL]; - yield_constr.constraint(opcode_constraint); - - // Check the range column: First value must be 0, last row - // must be 2^16-1, and intermediate rows must increment by 0 - // or 1. - let rc1 = lv[columns::RANGE_COUNTER]; - let rc2 = nv[columns::RANGE_COUNTER]; - yield_constr.constraint_first_row(rc1); - let incr = rc2 - rc1; - yield_constr.constraint_transition(incr * incr - incr); - let range_max = P::Scalar::from_canonical_u64((RANGE_MAX - 1) as u64); - yield_constr.constraint_last_row(rc1 - range_max); - - // Evaluate constraints for the MUL operation. - mul::eval_packed_generic(lv, yield_constr); - // Evaluate constraints for ADD, SUB, LT and GT operations. - addcy::eval_packed_generic(lv, yield_constr); - // Evaluate constraints for DIV and MOD operations. - divmod::eval_packed(lv, nv, yield_constr); - // Evaluate constraints for ADDMOD, SUBMOD, MULMOD and for FP254 modular operations. - modular::eval_packed(lv, nv, yield_constr); - // Evaluate constraints for the BYTE operation. - byte::eval_packed(lv, yield_constr); - // Evaluate constraints for SHL and SHR operations. - shift::eval_packed_generic(lv, nv, yield_constr); - } - - fn eval_ext_circuit( - &self, - builder: &mut CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let lv: &[ExtensionTarget; NUM_ARITH_COLUMNS] = - vars.get_local_values().try_into().unwrap(); - let nv: &[ExtensionTarget; NUM_ARITH_COLUMNS] = - vars.get_next_values().try_into().unwrap(); - - // Flags must be boolean. - for flag_idx in op_flags() { - let flag = lv[flag_idx]; - let constraint = builder.mul_sub_extension(flag, flag, flag); - yield_constr.constraint(builder, constraint); - } - - // Check that `OPCODE_COL` holds 0 if the operation is not a range_check. - let opcode_constraint = builder.arithmetic_extension( - F::NEG_ONE, - F::ONE, - lv[columns::IS_RANGE_CHECK], - lv[columns::OPCODE_COL], - lv[columns::OPCODE_COL], - ); - yield_constr.constraint(builder, opcode_constraint); - - // Check the range column: First value must be 0, last row - // must be 2^16-1, and intermediate rows must increment by 0 - // or 1. - let rc1 = lv[columns::RANGE_COUNTER]; - let rc2 = nv[columns::RANGE_COUNTER]; - yield_constr.constraint_first_row(builder, rc1); - let incr = builder.sub_extension(rc2, rc1); - let t = builder.mul_sub_extension(incr, incr, incr); - yield_constr.constraint_transition(builder, t); - let range_max = - builder.constant_extension(F::Extension::from_canonical_usize(RANGE_MAX - 1)); - let t = builder.sub_extension(rc1, range_max); - yield_constr.constraint_last_row(builder, t); - - // Evaluate constraints for the MUL operation. - mul::eval_ext_circuit(builder, lv, yield_constr); - // Evaluate constraints for ADD, SUB, LT and GT operations. - addcy::eval_ext_circuit(builder, lv, yield_constr); - // Evaluate constraints for DIV and MOD operations. - divmod::eval_ext_circuit(builder, lv, nv, yield_constr); - // Evaluate constraints for ADDMOD, SUBMOD, MULMOD and for FP254 modular operations. - modular::eval_ext_circuit(builder, lv, nv, yield_constr); - // Evaluate constraints for the BYTE operation. - byte::eval_ext_circuit(builder, lv, yield_constr); - // Evaluate constraints for SHL and SHR operations. - shift::eval_ext_circuit(builder, lv, nv, yield_constr); - } - - fn constraint_degree(&self) -> usize { - 3 - } - - fn lookups(&self) -> Vec> { - vec![Lookup { - columns: Column::singles(SHARED_COLS).collect(), - table_column: Column::single(RANGE_COUNTER), - frequencies_column: Column::single(RC_FREQUENCIES), - filter_columns: vec![None; NUM_SHARED_COLS], - }] - } -} - -#[cfg(test)] -mod tests { - use anyhow::Result; - use ethereum_types::U256; - use plonky2::field::types::{Field, PrimeField64}; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::{columns, ArithmeticStark}; - use crate::arithmetic::columns::OUTPUT_REGISTER; - use crate::arithmetic::*; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = ArithmeticStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = ArithmeticStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } - - #[test] - fn basic_trace() { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = ArithmeticStark; - - let stark = S { - f: Default::default(), - }; - - // 123 + 456 == 579 - let add = Operation::binary(BinaryOperator::Add, U256::from(123), U256::from(456)); - // (123 * 456) % 1007 == 703 - let mulmod = Operation::ternary( - TernaryOperator::MulMod, - U256::from(123), - U256::from(456), - U256::from(1007), - ); - // (1234 + 567) % 1007 == 794 - let addmod = Operation::ternary( - TernaryOperator::AddMod, - U256::from(1234), - U256::from(567), - U256::from(1007), - ); - // 123 * 456 == 56088 - let mul = Operation::binary(BinaryOperator::Mul, U256::from(123), U256::from(456)); - // 128 / 13 == 9 - let div = Operation::binary(BinaryOperator::Div, U256::from(128), U256::from(13)); - - // 128 < 13 == 0 - let lt1 = Operation::binary(BinaryOperator::Lt, U256::from(128), U256::from(13)); - // 13 < 128 == 1 - let lt2 = Operation::binary(BinaryOperator::Lt, U256::from(13), U256::from(128)); - // 128 < 128 == 0 - let lt3 = Operation::binary(BinaryOperator::Lt, U256::from(128), U256::from(128)); - - // 128 % 13 == 11 - let modop = Operation::binary(BinaryOperator::Mod, U256::from(128), U256::from(13)); - - // byte(30, 0xABCD) = 0xAB - let byte = Operation::binary(BinaryOperator::Byte, U256::from(30), U256::from(0xABCD)); - - let ops: Vec = vec![add, mulmod, addmod, mul, modop, lt1, lt2, lt3, div, byte]; - - let pols = stark.generate_trace(ops); - - // Trace should always have NUM_ARITH_COLUMNS columns and - // min(RANGE_MAX, operations.len()) rows. In this case there - // are only 6 rows, so we should have RANGE_MAX rows. - assert!( - pols.len() == columns::NUM_ARITH_COLUMNS - && pols.iter().all(|v| v.len() == super::RANGE_MAX) - ); - - // Each operation has a single word answer that we can check - let expected_output = [ - // Row (some ops take two rows), expected - (0, 579), // ADD_OUTPUT - (1, 703), - (3, 794), - (5, 56088), - (6, 11), - (8, 0), - (9, 1), - (10, 0), - (11, 9), - (13, 0xAB), - ]; - - for (row, expected) in expected_output { - // First register should match expected value... - let first = OUTPUT_REGISTER.start; - let out = pols[first].values[row].to_canonical_u64(); - assert_eq!( - out, expected, - "expected column {} on row {} to be {} but it was {}", - first, row, expected, out, - ); - // ...other registers should be zero - let rest = OUTPUT_REGISTER.start + 1..OUTPUT_REGISTER.end; - assert!(pols[rest].iter().all(|v| v.values[row] == F::ZERO)); - } - } - - #[test] - fn big_traces() { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = ArithmeticStark; - - let stark = S { - f: Default::default(), - }; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - - let ops = (0..super::RANGE_MAX) - .map(|_| { - Operation::binary( - BinaryOperator::Mul, - U256::from(rng.gen::<[u8; 32]>()), - U256::from(rng.gen::<[u8; 32]>()), - ) - }) - .collect::>(); - - let pols = stark.generate_trace(ops); - - // Trace should always have NUM_ARITH_COLUMNS columns and - // min(RANGE_MAX, operations.len()) rows. In this case there - // are RANGE_MAX operations with one row each, so RANGE_MAX. - assert!( - pols.len() == columns::NUM_ARITH_COLUMNS - && pols.iter().all(|v| v.len() == super::RANGE_MAX) - ); - - let ops = (0..super::RANGE_MAX) - .map(|_| { - Operation::ternary( - TernaryOperator::MulMod, - U256::from(rng.gen::<[u8; 32]>()), - U256::from(rng.gen::<[u8; 32]>()), - U256::from(rng.gen::<[u8; 32]>()), - ) - }) - .collect::>(); - - let pols = stark.generate_trace(ops); - - // Trace should always have NUM_ARITH_COLUMNS columns and - // min(RANGE_MAX, operations.len()) rows. In this case there - // are RANGE_MAX operations with two rows each, so 2*RANGE_MAX. - assert!( - pols.len() == columns::NUM_ARITH_COLUMNS - && pols.iter().all(|v| v.len() == 2 * super::RANGE_MAX) - ); - } -} diff --git a/evm/src/arithmetic/byte.rs b/evm/src/arithmetic/byte.rs deleted file mode 100644 index f7581efa77..0000000000 --- a/evm/src/arithmetic/byte.rs +++ /dev/null @@ -1,502 +0,0 @@ -//! Support for the EVM BYTE instruction -//! -//! This crate verifies the EVM BYTE instruction, defined as follows: -//! -//! INPUTS: 256-bit values I and X = \sum_{i=0}^31 X_i B^i, -//! where B = 2^8 and 0 <= X_i < B for all i. -//! -//! OUTPUT: X_{31-I} if 0 <= I < 32, otherwise 0. -//! -//! NB: index I=0 corresponds to byte X_31, i.e. the most significant -//! byte. This is exactly the opposite of anyone would expect; who -//! knows what the EVM designers were thinking. Anyway, if anything -//! below seems confusing, first check to ensure you're counting from -//! the wrong end of X, as the spec requires. -//! -//! Wlog consider 0 <= I < 32, so I has five bits b0,...,b4. We are -//! given X as an array of 16-bit limbs; write X := \sum_{i=0}^15 Y_i -//! 2^{16i} where 0 <= Y_i < 2^16. -//! -//! The technique (hat tip to Jacqui for the idea) is to store a tree -//! of limbs of X that are selected according to the bits in I. The -//! main observation is that each bit `bi` halves the number of -//! candidate bytes that we might return: If b4 is 0, then I < 16 and -//! the possible bytes are in the top half of X: Y_8,..,Y_15 -//! (corresponding to bytes X_16,..,X_31), and if b4 is 1 then I >= 16 -//! and the possible bytes are the bottom half of X: Y_0,..,Y_7 -//! (corresponding to bytes X_0,..,X_15). -//! -//! Let Z_0,..,Z_7 be the bytes selected in the first step. Then, in -//! the next step, if b3 is 0, we select Z_4,..,Z_7 and if it's 1 we -//! select Z_0,..,Z_3. Together, b4 and b3 divide the bytes of X into -//! 4 equal-sized chunks of 4 limbs, and the byte we're after will be -//! among the limbs 4 selected limbs. -//! -//! Repeating for b2 and b1, we reduce to a single 16-bit limb -//! L=x+y*256; the desired byte will be x if b0 is 1 and y if b0 -//! is 0. -//! -//! -*- -//! -//! To prove that the bytes x and y are in the range [0, 2^8) (rather -//! than [0, 2^16), which is all the range-checker guarantees) we do -//! the following (hat tip to Jacqui for this trick too): Instead of -//! storing x and y, we store w = 256 * x and y. Then, to verify that -//! x, y < 256 and the last limb L = x + y * 256, we check that -//! L = w / 256 + y * 256. -//! -//! The proof of why verifying that L = w / 256 + y * 256 -//! suffices is as follows: -//! -//! 1. The given L, w and y are range-checked to be less than 2^16. -//! 2. y * 256 ∈ {0, 256, 512, ..., 2^24 - 512, 2^24 - 256} -//! 3. w / 256 = L - y * 256 ∈ {-2^24 + 256, -2^24 + 257, ..., 2^16 - 2, 2^16 - 1} -//! 4. By inspection, for w < 2^16, if w / 256 < 2^16 or -//! w / 256 >= P - 2^24 + 256 (i.e. if w / 256 falls in the range -//! of point 3 above), then w = 256 * m for some 0 <= m < 256. -//! 5. Hence w / 256 ∈ {0, 1, ..., 255} -//! 6. Hence y * 256 = L - w / 256 ∈ {-255, -254, ..., 2^16 - 1} -//! 7. Taking the intersection of ranges in 2. and 6. we see that -//! y * 256 ∈ {0, 256, 512, ..., 2^16 - 256} -//! 8. Hence y ∈ {0, 1, ..., 255} - -use core::ops::Range; - -use ethereum_types::U256; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::{Field, PrimeField64}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use static_assertions::const_assert; - -use crate::arithmetic::columns::*; -use crate::arithmetic::utils::u256_to_array; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; - -// Give meaningful names to the columns of AUX_INPUT_REGISTER_0 that -// we're using -const BYTE_IDX_DECOMP: Range = AUX_INPUT_REGISTER_0.start..AUX_INPUT_REGISTER_0.start + 6; -const BYTE_IDX_DECOMP_HI: usize = AUX_INPUT_REGISTER_0.start + 5; -const BYTE_LAST_LIMB_LO: usize = AUX_INPUT_REGISTER_0.start + 6; -const BYTE_LAST_LIMB_HI: usize = AUX_INPUT_REGISTER_0.start + 7; -const BYTE_IDX_IS_LARGE: usize = AUX_INPUT_REGISTER_0.start + 8; -const BYTE_IDX_HI_LIMB_SUM_INV_0: usize = AUX_INPUT_REGISTER_0.start + 9; -const BYTE_IDX_HI_LIMB_SUM_INV_1: usize = AUX_INPUT_REGISTER_0.start + 10; -const BYTE_IDX_HI_LIMB_SUM_INV_2: usize = AUX_INPUT_REGISTER_0.start + 11; -const BYTE_IDX_HI_LIMB_SUM_INV_3: usize = AUX_INPUT_REGISTER_0.start + 12; - -/// Decompose `idx` into bits and bobs and store in `idx_decomp`. -/// -/// Specifically, write -/// -/// idx = idx0_lo5 + idx0_hi * 2^5 + \sum_i idx[i] * 2^(16i), -/// -/// where `0 <= idx0_lo5 < 32` and `0 <= idx0_hi < 2^11`. Store the -/// 5 bits of `idx0_lo5` in `idx_decomp[0..5]`; we don't explicitly need -/// the higher 11 bits of the first limb, so we put them in -/// `idx_decomp[5]`. The rest of `idx_decomp` is set to 0. -fn set_idx_decomp(idx_decomp: &mut [F], idx: &U256) { - debug_assert!(idx_decomp.len() == 6); - for i in 0..5 { - idx_decomp[i] = F::from_bool(idx.bit(i)); - } - idx_decomp[5] = F::from_canonical_u16((idx.low_u64() as u16) >> 5); -} - -pub(crate) fn generate(lv: &mut [F], idx: U256, val: U256) { - u256_to_array(&mut lv[INPUT_REGISTER_0], idx); - u256_to_array(&mut lv[INPUT_REGISTER_1], val); - set_idx_decomp(&mut lv[BYTE_IDX_DECOMP], &idx); - - let idx0_hi = lv[BYTE_IDX_DECOMP_HI]; - let hi_limb_sum = lv[INPUT_REGISTER_0][1..] - .iter() - .fold(idx0_hi, |acc, &x| acc + x); - let hi_limb_sum_inv = hi_limb_sum - .try_inverse() - .unwrap_or(F::ONE) - .to_canonical_u64(); - // It's a bit silly that we have to split this value, which - // doesn't need to be range-checked, into 16-bit limbs so that it - // can be range-checked; but the rigidity of the range-checking - // mechanism means we can't optionally switch it off for some - // instructions. - lv[BYTE_IDX_HI_LIMB_SUM_INV_0] = F::from_canonical_u16(hi_limb_sum_inv as u16); - lv[BYTE_IDX_HI_LIMB_SUM_INV_1] = F::from_canonical_u16((hi_limb_sum_inv >> 16) as u16); - lv[BYTE_IDX_HI_LIMB_SUM_INV_2] = F::from_canonical_u16((hi_limb_sum_inv >> 32) as u16); - lv[BYTE_IDX_HI_LIMB_SUM_INV_3] = F::from_canonical_u16((hi_limb_sum_inv >> 48) as u16); - lv[BYTE_IDX_IS_LARGE] = F::from_bool(!hi_limb_sum.is_zero()); - - // Set the tree values according to the low 5 bits of idx, even - // when idx >= 32. - - // Use the bits of idx0 to build a multiplexor that selects - // the correct byte of val. Each level of the tree uses one - // bit to halve the set of possible bytes from the previous - // level. The tree stores limbs rather than bytes though, so - // the last value must be handled specially. - - // Morally, offset at i is 2^i * bit[i], but because of the - // reversed indexing and handling of the last element - // separately, the offset is 2^i * ( ! bit[i + 1]). (The !bit - // corresponds to calculating 31 - bits which is just bitwise NOT.) - - // `lvl_len` is the number of elements of the current level of the - // "tree". Can think of `val_limbs` as level 0, with length = - // N_LIMBS = 16. - const_assert!(N_LIMBS == 16); // Enforce assumption - - // Build the tree of limbs from the low 5 bits of idx: - let mut i = 3; // tree level, from 3 downto 0. - let mut src = INPUT_REGISTER_1.start; // val_limbs start - let mut dest = AUX_INPUT_REGISTER_1.start; // tree start - loop { - let lvl_len = 1 << i; - // pick which half of src becomes the new tree level - let offset = (!idx.bit(i + 1) as usize) * lvl_len; - src += offset; - // copy new tree level to dest - lv.copy_within(src..src + lvl_len, dest); - if i == 0 { - break; - } - // next src is this new tree level - src = dest; - // next dest is after this new tree level - dest += lvl_len; - i -= 1; - } - - // Handle the last bit; i.e. pick a byte of the final limb. - let t = lv[dest].to_canonical_u64(); - let lo = t as u8 as u64; - let hi = t >> 8; - - // Store 256 * lo rather than lo: - lv[BYTE_LAST_LIMB_LO] = F::from_canonical_u64(lo << 8); - lv[BYTE_LAST_LIMB_HI] = F::from_canonical_u64(hi); - - let tree = &mut lv[AUX_INPUT_REGISTER_1]; - let output = if idx.bit(0) { - tree[15] = F::from_canonical_u64(lo); - lo.into() - } else { - tree[15] = F::from_canonical_u64(hi); - hi.into() - }; - - u256_to_array( - &mut lv[OUTPUT_REGISTER], - if idx < 32.into() { - output - } else { - U256::zero() - }, - ); -} - -pub(crate) fn eval_packed( - lv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - let is_byte = lv[IS_BYTE]; - - let idx = &lv[INPUT_REGISTER_0]; - let val = &lv[INPUT_REGISTER_1]; - let out = &lv[OUTPUT_REGISTER]; - let idx_decomp = &lv[AUX_INPUT_REGISTER_0]; - let tree = &lv[AUX_INPUT_REGISTER_1]; - - // low 5 bits of the first limb of idx: - let mut idx0_lo5 = P::ZEROS; - for i in 0..5 { - let bit = idx_decomp[i]; - yield_constr.constraint(is_byte * (bit * bit - bit)); - idx0_lo5 += bit * P::Scalar::from_canonical_u64(1 << i); - } - // Verify that idx0_hi is the high (11) bits of the first limb of - // idx (in particular idx0_hi is at most 11 bits, since idx[0] is - // at most 16 bits). - let idx0_hi = idx_decomp[5] * P::Scalar::from_canonical_u64(32u64); - yield_constr.constraint(is_byte * (idx[0] - (idx0_lo5 + idx0_hi))); - - // Verify the layers of the tree - // NB: Each of the bit values is negated in place to account for - // the reversed indexing. - let bit = idx_decomp[4]; - for i in 0..8 { - let limb = bit * val[i] + (P::ONES - bit) * val[i + 8]; - yield_constr.constraint(is_byte * (tree[i] - limb)); - } - - let bit = idx_decomp[3]; - for i in 0..4 { - let limb = bit * tree[i] + (P::ONES - bit) * tree[i + 4]; - yield_constr.constraint(is_byte * (tree[i + 8] - limb)); - } - - let bit = idx_decomp[2]; - for i in 0..2 { - let limb = bit * tree[i + 8] + (P::ONES - bit) * tree[i + 10]; - yield_constr.constraint(is_byte * (tree[i + 12] - limb)); - } - - let bit = idx_decomp[1]; - let limb = bit * tree[12] + (P::ONES - bit) * tree[13]; - yield_constr.constraint(is_byte * (tree[14] - limb)); - - // Check byte decomposition of last limb: - - let base8 = P::Scalar::from_canonical_u64(1 << 8); - let lo_byte = lv[BYTE_LAST_LIMB_LO]; - let hi_byte = lv[BYTE_LAST_LIMB_HI]; - yield_constr.constraint(is_byte * (lo_byte + base8 * (base8 * hi_byte - limb))); - - let bit = idx_decomp[0]; - let t = bit * lo_byte + (P::ONES - bit) * base8 * hi_byte; - yield_constr.constraint(is_byte * (base8 * tree[15] - t)); - let expected_out_byte = tree[15]; - - // Sum all higher limbs; sum will be non-zero iff idx >= 32. - let hi_limb_sum = lv[BYTE_IDX_DECOMP_HI] + idx[1..].iter().copied().sum::

(); - let idx_is_large = lv[BYTE_IDX_IS_LARGE]; - - // idx_is_large is 0 or 1 - yield_constr.constraint(is_byte * (idx_is_large * idx_is_large - idx_is_large)); - - // If hi_limb_sum is nonzero, then idx_is_large must be one. - yield_constr.constraint(is_byte * hi_limb_sum * (idx_is_large - P::ONES)); - - let hi_limb_sum_inv = lv[BYTE_IDX_HI_LIMB_SUM_INV_0] - + lv[BYTE_IDX_HI_LIMB_SUM_INV_1] * P::Scalar::from_canonical_u64(1 << 16) - + lv[BYTE_IDX_HI_LIMB_SUM_INV_2] * P::Scalar::from_canonical_u64(1 << 32) - + lv[BYTE_IDX_HI_LIMB_SUM_INV_3] * P::Scalar::from_canonical_u64(1 << 48); - - // If idx_is_large is 1, then hi_limb_sum_inv must be the inverse - // of hi_limb_sum, hence hi_limb_sum is non-zero, hence idx is - // indeed "large". - // - // Otherwise, if idx_is_large is 0, then hi_limb_sum * hi_limb_sum_inv - // is zero, which is only possible if hi_limb_sum is zero, since - // hi_limb_sum_inv is non-zero. - yield_constr.constraint(is_byte * (hi_limb_sum * hi_limb_sum_inv - idx_is_large)); - - let out_byte = out[0]; - let check = out_byte - (P::ONES - idx_is_large) * expected_out_byte; - yield_constr.constraint(is_byte * check); - - // Check that the rest of the output limbs are zero - for i in 1..N_LIMBS { - yield_constr.constraint(is_byte * out[i]); - } -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let is_byte = lv[IS_BYTE]; - - let idx = &lv[INPUT_REGISTER_0]; - let val = &lv[INPUT_REGISTER_1]; - let out = &lv[OUTPUT_REGISTER]; - let idx_decomp = &lv[AUX_INPUT_REGISTER_0]; - let tree = &lv[AUX_INPUT_REGISTER_1]; - - // low 5 bits of the first limb of idx: - let mut idx0_lo5 = builder.zero_extension(); - for i in 0..5 { - let bit = idx_decomp[i]; - let t = builder.mul_sub_extension(bit, bit, bit); - let t = builder.mul_extension(t, is_byte); - yield_constr.constraint(builder, t); - let scale = F::Extension::from(F::from_canonical_u64(1 << i)); - let scale = builder.constant_extension(scale); - idx0_lo5 = builder.mul_add_extension(bit, scale, idx0_lo5); - } - // Verify that idx0_hi is the high (11) bits of the first limb of - // idx (in particular idx0_hi is at most 11 bits, since idx[0] is - // at most 16 bits). - let t = F::Extension::from(F::from_canonical_u64(32)); - let t = builder.constant_extension(t); - let t = builder.mul_add_extension(idx_decomp[5], t, idx0_lo5); - let t = builder.sub_extension(idx[0], t); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - - // Verify the layers of the tree - // NB: Each of the bit values is negated in place to account for - // the reversed indexing. - let one = builder.one_extension(); - let bit = idx_decomp[4]; - for i in 0..8 { - let t = builder.mul_extension(bit, val[i]); - let u = builder.sub_extension(one, bit); - let v = builder.mul_add_extension(u, val[i + 8], t); - let t = builder.sub_extension(tree[i], v); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - } - - let bit = idx_decomp[3]; - for i in 0..4 { - let t = builder.mul_extension(bit, tree[i]); - let u = builder.sub_extension(one, bit); - let v = builder.mul_add_extension(u, tree[i + 4], t); - let t = builder.sub_extension(tree[i + 8], v); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - } - - let bit = idx_decomp[2]; - for i in 0..2 { - let t = builder.mul_extension(bit, tree[i + 8]); - let u = builder.sub_extension(one, bit); - let v = builder.mul_add_extension(u, tree[i + 10], t); - let t = builder.sub_extension(tree[i + 12], v); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - } - - let bit = idx_decomp[1]; - let t = builder.mul_extension(bit, tree[12]); - let u = builder.sub_extension(one, bit); - let limb = builder.mul_add_extension(u, tree[13], t); - let t = builder.sub_extension(tree[14], limb); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - - // Check byte decomposition of last limb: - - let base8 = F::Extension::from(F::from_canonical_u64(1 << 8)); - let base8 = builder.constant_extension(base8); - let lo_byte = lv[BYTE_LAST_LIMB_LO]; - let hi_byte = lv[BYTE_LAST_LIMB_HI]; - let t = builder.mul_sub_extension(base8, hi_byte, limb); - let t = builder.mul_add_extension(base8, t, lo_byte); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - - let bit = idx_decomp[0]; - let nbit = builder.sub_extension(one, bit); - let t = builder.mul_many_extension([nbit, base8, hi_byte]); - let t = builder.mul_add_extension(bit, lo_byte, t); - let t = builder.mul_sub_extension(base8, tree[15], t); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - let expected_out_byte = tree[15]; - - // Sum all higher limbs; sum will be non-zero iff idx >= 32. - let mut hi_limb_sum = lv[BYTE_IDX_DECOMP_HI]; - for i in 1..N_LIMBS { - hi_limb_sum = builder.add_extension(hi_limb_sum, idx[i]); - } - // idx_is_large is 0 or 1 - let idx_is_large = lv[BYTE_IDX_IS_LARGE]; - let t = builder.mul_sub_extension(idx_is_large, idx_is_large, idx_is_large); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - - // If hi_limb_sum is nonzero, then idx_is_large must be one. - let t = builder.sub_extension(idx_is_large, one); - let t = builder.mul_many_extension([is_byte, hi_limb_sum, t]); - yield_constr.constraint(builder, t); - - // If idx_is_large is 1, then hi_limb_sum_inv must be the inverse - // of hi_limb_sum, hence hi_limb_sum is non-zero, hence idx is - // indeed "large". - // - // Otherwise, if idx_is_large is 0, then hi_limb_sum * hi_limb_sum_inv - // is zero, which is only possible if hi_limb_sum is zero, since - // hi_limb_sum_inv is non-zero. - let base16 = F::from_canonical_u64(1 << 16); - let hi_limb_sum_inv = builder.mul_const_add_extension( - base16, - lv[BYTE_IDX_HI_LIMB_SUM_INV_3], - lv[BYTE_IDX_HI_LIMB_SUM_INV_2], - ); - let hi_limb_sum_inv = - builder.mul_const_add_extension(base16, hi_limb_sum_inv, lv[BYTE_IDX_HI_LIMB_SUM_INV_1]); - let hi_limb_sum_inv = - builder.mul_const_add_extension(base16, hi_limb_sum_inv, lv[BYTE_IDX_HI_LIMB_SUM_INV_0]); - let t = builder.mul_sub_extension(hi_limb_sum, hi_limb_sum_inv, idx_is_large); - let t = builder.mul_extension(is_byte, t); - yield_constr.constraint(builder, t); - - let out_byte = out[0]; - let t = builder.sub_extension(one, idx_is_large); - let t = builder.mul_extension(t, expected_out_byte); - let check = builder.sub_extension(out_byte, t); - let t = builder.mul_extension(is_byte, check); - yield_constr.constraint(builder, t); - - // Check that the rest of the output limbs are zero - for i in 1..N_LIMBS { - let t = builder.mul_extension(is_byte, out[i]); - yield_constr.constraint(builder, t); - } -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - - type F = GoldilocksField; - - fn verify_output(lv: &[F], expected_byte: u64) { - let out_byte = lv[OUTPUT_REGISTER][0].to_canonical_u64(); - assert!(out_byte == expected_byte); - for j in 1..N_LIMBS { - assert!(lv[OUTPUT_REGISTER][j] == F::ZERO); - } - } - - #[test] - fn generate_eval_consistency() { - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - const N_ITERS: usize = 1000; - - for _ in 0..N_ITERS { - // set entire row to random 16-bit values - let mut lv = - [F::default(); NUM_ARITH_COLUMNS].map(|_| F::from_canonical_u16(rng.gen::())); - - lv[IS_BYTE] = F::ONE; - - let val = U256::from(rng.gen::<[u8; 32]>()); - for i in 0..32 { - let idx = i.into(); - generate(&mut lv, idx, val); - - // Check correctness - let out_byte = val.byte(31 - i) as u64; - verify_output(&lv, out_byte); - - let mut constrant_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - F::ONE, - F::ONE, - F::ONE, - ); - eval_packed(&lv, &mut constrant_consumer); - for &acc in &constrant_consumer.constraint_accs { - assert_eq!(acc, F::ZERO); - } - } - // Check that output is zero when the index is big. - let big_indices = [32.into(), 33.into(), val, U256::max_value()]; - for idx in big_indices { - generate(&mut lv, idx, val); - verify_output(&lv, 0); - } - } - } -} diff --git a/evm/src/arithmetic/columns.rs b/evm/src/arithmetic/columns.rs deleted file mode 100644 index e4172bc073..0000000000 --- a/evm/src/arithmetic/columns.rs +++ /dev/null @@ -1,119 +0,0 @@ -//! Arithmetic unit - -use core::ops::Range; - -pub(crate) const LIMB_BITS: usize = 16; -const EVM_REGISTER_BITS: usize = 256; - -/// Return the number of LIMB_BITS limbs that are in an EVM -/// register-sized number, panicking if LIMB_BITS doesn't divide in -/// the EVM register size. -const fn n_limbs() -> usize { - if EVM_REGISTER_BITS % LIMB_BITS != 0 { - panic!("limb size must divide EVM register size"); - } - let n = EVM_REGISTER_BITS / LIMB_BITS; - if n % 2 == 1 { - panic!("number of limbs must be even"); - } - n -} - -/// Number of LIMB_BITS limbs that are in on EVM register-sized number. -pub(crate) const N_LIMBS: usize = n_limbs(); - -pub(crate) const IS_ADD: usize = 0; -pub(crate) const IS_MUL: usize = IS_ADD + 1; -pub(crate) const IS_SUB: usize = IS_MUL + 1; -pub(crate) const IS_DIV: usize = IS_SUB + 1; -pub(crate) const IS_MOD: usize = IS_DIV + 1; -pub(crate) const IS_ADDMOD: usize = IS_MOD + 1; -pub(crate) const IS_MULMOD: usize = IS_ADDMOD + 1; -pub(crate) const IS_ADDFP254: usize = IS_MULMOD + 1; -pub(crate) const IS_MULFP254: usize = IS_ADDFP254 + 1; -pub(crate) const IS_SUBFP254: usize = IS_MULFP254 + 1; -pub(crate) const IS_SUBMOD: usize = IS_SUBFP254 + 1; -pub(crate) const IS_LT: usize = IS_SUBMOD + 1; -pub(crate) const IS_GT: usize = IS_LT + 1; -pub(crate) const IS_BYTE: usize = IS_GT + 1; -pub(crate) const IS_SHL: usize = IS_BYTE + 1; -pub(crate) const IS_SHR: usize = IS_SHL + 1; -pub(crate) const IS_RANGE_CHECK: usize = IS_SHR + 1; -/// Column that stores the opcode if the operation is a range check. -pub(crate) const OPCODE_COL: usize = IS_RANGE_CHECK + 1; -pub(crate) const START_SHARED_COLS: usize = OPCODE_COL + 1; - -pub(crate) const fn op_flags() -> Range { - IS_ADD..IS_RANGE_CHECK + 1 -} - -/// Within the Arithmetic Unit, there are shared columns which can be -/// used by any arithmetic circuit, depending on which one is active -/// this cycle. -/// -/// Modular arithmetic takes 11 * N_LIMBS columns which is split across -/// two rows, the first with 6 * N_LIMBS columns and the second with -/// 5 * N_LIMBS columns. (There are hence N_LIMBS "wasted columns" in -/// the second row.) -pub(crate) const NUM_SHARED_COLS: usize = 6 * N_LIMBS; -pub(crate) const SHARED_COLS: Range = START_SHARED_COLS..START_SHARED_COLS + NUM_SHARED_COLS; - -pub(crate) const INPUT_REGISTER_0: Range = START_SHARED_COLS..START_SHARED_COLS + N_LIMBS; -pub(crate) const INPUT_REGISTER_1: Range = - INPUT_REGISTER_0.end..INPUT_REGISTER_0.end + N_LIMBS; -pub(crate) const INPUT_REGISTER_2: Range = - INPUT_REGISTER_1.end..INPUT_REGISTER_1.end + N_LIMBS; -pub(crate) const OUTPUT_REGISTER: Range = - INPUT_REGISTER_2.end..INPUT_REGISTER_2.end + N_LIMBS; - -// NB: Only one of AUX_INPUT_REGISTER_[01] or AUX_INPUT_REGISTER_DBL -// will be used for a given operation since they overlap -pub(crate) const AUX_INPUT_REGISTER_0: Range = - OUTPUT_REGISTER.end..OUTPUT_REGISTER.end + N_LIMBS; -pub(crate) const AUX_INPUT_REGISTER_1: Range = - AUX_INPUT_REGISTER_0.end..AUX_INPUT_REGISTER_0.end + N_LIMBS; -pub(crate) const AUX_INPUT_REGISTER_DBL: Range = - OUTPUT_REGISTER.end..OUTPUT_REGISTER.end + 2 * N_LIMBS; - -// The auxiliary input columns overlap the general input columns -// because they correspond to the values in the second row for modular -// operations. -const AUX_REGISTER_0: Range = START_SHARED_COLS..START_SHARED_COLS + N_LIMBS; -const AUX_REGISTER_1: Range = AUX_REGISTER_0.end..AUX_REGISTER_0.end + 2 * N_LIMBS; -const AUX_REGISTER_2: Range = AUX_REGISTER_1.end..AUX_REGISTER_1.end + 2 * N_LIMBS - 1; - -// Each element c of {MUL,MODULAR}_AUX_REGISTER is -2^20 <= c <= 2^20; -// this value is used as an offset so that everything is positive in -// the range checks. -pub(crate) const AUX_COEFF_ABS_MAX: i64 = 1 << 20; - -// MUL takes 5 * N_LIMBS = 80 columns -pub(crate) const MUL_AUX_INPUT_LO: Range = AUX_INPUT_REGISTER_0; -pub(crate) const MUL_AUX_INPUT_HI: Range = AUX_INPUT_REGISTER_1; - -// MULMOD takes 4 * N_LIMBS + 3 * 2*N_LIMBS + N_LIMBS = 176 columns -// but split over two rows of 96 columns and 80 columns. -// -// ADDMOD, SUBMOD, MOD and DIV are currently implemented in terms of -// the general modular code, so they also take 144 columns (also split -// over two rows). -pub(crate) const MODULAR_INPUT_0: Range = INPUT_REGISTER_0; -pub(crate) const MODULAR_INPUT_1: Range = INPUT_REGISTER_1; -pub(crate) const MODULAR_MODULUS: Range = INPUT_REGISTER_2; -pub(crate) const MODULAR_OUTPUT: Range = OUTPUT_REGISTER; -pub(crate) const MODULAR_QUO_INPUT: Range = AUX_INPUT_REGISTER_DBL; -pub(crate) const MODULAR_OUT_AUX_RED: Range = AUX_REGISTER_0; -// NB: Last value is not used in AUX, it is used in MOD_IS_ZERO -pub(crate) const MODULAR_MOD_IS_ZERO: usize = AUX_REGISTER_1.start; -pub(crate) const MODULAR_AUX_INPUT_LO: Range = AUX_REGISTER_1.start + 1..AUX_REGISTER_1.end; -pub(crate) const MODULAR_AUX_INPUT_HI: Range = AUX_REGISTER_2; -// Must be set to MOD_IS_ZERO for DIV and SHR operations i.e. MOD_IS_ZERO * (lv[IS_DIV] + lv[IS_SHR]). -pub(crate) const MODULAR_DIV_DENOM_IS_ZERO: usize = AUX_REGISTER_2.end; - -/// The counter column (used for the range check) starts from 0 and increments. -pub(crate) const RANGE_COUNTER: usize = START_SHARED_COLS + NUM_SHARED_COLS; -/// The frequencies column used in logUp. -pub(crate) const RC_FREQUENCIES: usize = RANGE_COUNTER + 1; - -/// Number of columns in `ArithmeticStark`. -pub(crate) const NUM_ARITH_COLUMNS: usize = START_SHARED_COLS + NUM_SHARED_COLS + 2; diff --git a/evm/src/arithmetic/divmod.rs b/evm/src/arithmetic/divmod.rs deleted file mode 100644 index a4599dc721..0000000000 --- a/evm/src/arithmetic/divmod.rs +++ /dev/null @@ -1,373 +0,0 @@ -//! Support for EVM instructions DIV and MOD. -//! -//! The logic for verifying them is detailed in the `modular` submodule. - -use core::ops::Range; - -use ethereum_types::U256; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::PrimeField64; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::arithmetic::columns::*; -use crate::arithmetic::modular::{ - generate_modular_op, modular_constr_poly, modular_constr_poly_ext_circuit, -}; -use crate::arithmetic::utils::*; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; - -/// Generates the output and auxiliary values for modular operations, -/// assuming the input, modular and output limbs are already set. -pub(crate) fn generate_divmod( - lv: &mut [F], - nv: &mut [F], - filter: usize, - input_limbs_range: Range, - modulus_range: Range, -) { - let input_limbs = read_value_i64_limbs::(lv, input_limbs_range); - let pol_input = pol_extend(input_limbs); - let (out, quo_input) = generate_modular_op(lv, nv, filter, pol_input, modulus_range); - - debug_assert!( - &quo_input[N_LIMBS..].iter().all(|&x| x == F::ZERO), - "expected top half of quo_input to be zero" - ); - - // Initialise whole (double) register to zero; the low half will - // be overwritten via lv[AUX_INPUT_REGISTER] below. - for i in MODULAR_QUO_INPUT { - lv[i] = F::ZERO; - } - - match filter { - IS_DIV | IS_SHR => { - debug_assert!( - lv[OUTPUT_REGISTER] - .iter() - .zip(&quo_input[..N_LIMBS]) - .all(|(x, y)| x == y), - "computed output doesn't match expected" - ); - lv[AUX_INPUT_REGISTER_0].copy_from_slice(&out); - } - IS_MOD => { - debug_assert!( - lv[OUTPUT_REGISTER].iter().zip(&out).all(|(x, y)| x == y), - "computed output doesn't match expected" - ); - lv[AUX_INPUT_REGISTER_0].copy_from_slice(&quo_input[..N_LIMBS]); - } - _ => panic!("expected filter to be IS_DIV, IS_SHR or IS_MOD but it was {filter}"), - }; -} -/// Generate the output and auxiliary values for modular operations. -pub(crate) fn generate( - lv: &mut [F], - nv: &mut [F], - filter: usize, - input0: U256, - input1: U256, - result: U256, -) { - debug_assert!(lv.len() == NUM_ARITH_COLUMNS); - - u256_to_array(&mut lv[INPUT_REGISTER_0], input0); - u256_to_array(&mut lv[INPUT_REGISTER_1], input1); - u256_to_array(&mut lv[OUTPUT_REGISTER], result); - - generate_divmod(lv, nv, filter, INPUT_REGISTER_0, INPUT_REGISTER_1); -} - -/// Verify that num = quo * den + rem and 0 <= rem < den. -pub(crate) fn eval_packed_divmod_helper( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, - filter: P, - num_range: Range, - den_range: Range, - quo_range: Range, - rem_range: Range, -) { - debug_assert!(quo_range.len() == N_LIMBS); - debug_assert!(rem_range.len() == N_LIMBS); - - yield_constr.constraint_last_row(filter); - - let num = &lv[num_range]; - let den = read_value(lv, den_range); - let quo = { - let mut quo = [P::ZEROS; 2 * N_LIMBS]; - quo[..N_LIMBS].copy_from_slice(&lv[quo_range]); - quo - }; - let rem = read_value(lv, rem_range); - - let mut constr_poly = modular_constr_poly(lv, nv, yield_constr, filter, rem, den, quo); - - let input = num; - pol_sub_assign(&mut constr_poly, input); - - for &c in constr_poly.iter() { - yield_constr.constraint_transition(filter * c); - } -} - -pub(crate) fn eval_packed( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_divmod_helper( - lv, - nv, - yield_constr, - lv[IS_DIV], - INPUT_REGISTER_0, - INPUT_REGISTER_1, - OUTPUT_REGISTER, - AUX_INPUT_REGISTER_0, - ); - eval_packed_divmod_helper( - lv, - nv, - yield_constr, - lv[IS_MOD], - INPUT_REGISTER_0, - INPUT_REGISTER_1, - AUX_INPUT_REGISTER_0, - OUTPUT_REGISTER, - ); -} - -pub(crate) fn eval_ext_circuit_divmod_helper, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, - filter: ExtensionTarget, - num_range: Range, - den_range: Range, - quo_range: Range, - rem_range: Range, -) { - yield_constr.constraint_last_row(builder, filter); - - let num = &lv[num_range]; - let den = read_value(lv, den_range); - let quo = { - let zero = builder.zero_extension(); - let mut quo = [zero; 2 * N_LIMBS]; - quo[..N_LIMBS].copy_from_slice(&lv[quo_range]); - quo - }; - let rem = read_value(lv, rem_range); - - let mut constr_poly = - modular_constr_poly_ext_circuit(lv, nv, builder, yield_constr, filter, rem, den, quo); - - let input = num; - pol_sub_assign_ext_circuit(builder, &mut constr_poly, input); - - for &c in constr_poly.iter() { - let t = builder.mul_extension(filter, c); - yield_constr.constraint_transition(builder, t); - } -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - eval_ext_circuit_divmod_helper( - builder, - lv, - nv, - yield_constr, - lv[IS_DIV], - INPUT_REGISTER_0, - INPUT_REGISTER_1, - OUTPUT_REGISTER, - AUX_INPUT_REGISTER_0, - ); - eval_ext_circuit_divmod_helper( - builder, - lv, - nv, - yield_constr, - lv[IS_MOD], - INPUT_REGISTER_0, - INPUT_REGISTER_1, - AUX_INPUT_REGISTER_0, - OUTPUT_REGISTER, - ); -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::{Field, Sample}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - use crate::constraint_consumer::ConstraintConsumer; - - const N_RND_TESTS: usize = 1000; - const MODULAR_OPS: [usize; 2] = [IS_MOD, IS_DIV]; - - // TODO: Should be able to refactor this test to apply to all operations. - #[test] - fn generate_eval_consistency_not_modular() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - let nv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // if `IS_MOD == 0`, then the constraints should be met even - // if all values are garbage (and similarly for the other operations). - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - // Since SHR uses the logic for DIV, `IS_SHR` should also be set to 0 here. - lv[IS_SHR] = F::ZERO; - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ONE, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - - #[test] - fn generate_eval_consistency() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - - for op_filter in MODULAR_OPS { - for i in 0..N_RND_TESTS { - // set inputs to random values - let mut lv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - let mut nv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - - // Reset operation columns, then select one - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - // Since SHR uses the logic for DIV, `IS_SHR` should also be set to 0 here. - lv[IS_SHR] = F::ZERO; - lv[op_filter] = F::ONE; - - let input0 = U256::from(rng.gen::<[u8; 32]>()); - let input1 = { - let mut modulus_limbs = [0u8; 32]; - // For the second half of the tests, set the top - // 16-start digits of the "modulus" to zero so it is - // much smaller than the inputs. - if i > N_RND_TESTS / 2 { - // 1 <= start < N_LIMBS - let start = (rng.gen::() % (modulus_limbs.len() - 1)) + 1; - for mi in modulus_limbs.iter_mut().skip(start) { - *mi = 0u8; - } - } - U256::from(modulus_limbs) - }; - - let result = if input1 == U256::zero() { - U256::zero() - } else if op_filter == IS_DIV { - input0 / input1 - } else { - input0 % input1 - }; - generate(&mut lv, &mut nv, op_filter, input0, input1, result); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ZERO, - GoldilocksField::ZERO, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - } - } - - #[test] - fn zero_modulus() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - - for op_filter in MODULAR_OPS { - for _i in 0..N_RND_TESTS { - // set inputs to random values and the modulus to zero; - // the output is defined to be zero when modulus is zero. - let mut lv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - let mut nv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - - // Reset operation columns, then select one - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - // Since SHR uses the logic for DIV, `IS_SHR` should also be set to 0 here. - lv[IS_SHR] = F::ZERO; - lv[op_filter] = F::ONE; - - let input0 = U256::from(rng.gen::<[u8; 32]>()); - let input1 = U256::zero(); - - generate(&mut lv, &mut nv, op_filter, input0, input1, U256::zero()); - - // check that the correct output was generated - assert!(lv[OUTPUT_REGISTER].iter().all(|&c| c == F::ZERO)); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ZERO, - GoldilocksField::ZERO, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - assert!(constraint_consumer - .constraint_accs - .iter() - .all(|&acc| acc == F::ZERO)); - - // Corrupt one output limb by setting it to a non-zero value - let random_oi = OUTPUT_REGISTER.start + rng.gen::() % N_LIMBS; - lv[random_oi] = F::from_canonical_u16(rng.gen_range(1..u16::MAX)); - - eval_packed(&lv, &nv, &mut constraint_consumer); - - // Check that at least one of the constraints was non-zero - assert!(constraint_consumer - .constraint_accs - .iter() - .any(|&acc| acc != F::ZERO)); - } - } - } -} diff --git a/evm/src/arithmetic/mod.rs b/evm/src/arithmetic/mod.rs deleted file mode 100644 index f9a816c1f8..0000000000 --- a/evm/src/arithmetic/mod.rs +++ /dev/null @@ -1,350 +0,0 @@ -use ethereum_types::U256; -use plonky2::field::types::PrimeField64; - -use self::columns::{ - INPUT_REGISTER_0, INPUT_REGISTER_1, INPUT_REGISTER_2, OPCODE_COL, OUTPUT_REGISTER, -}; -use self::utils::u256_to_array; -use crate::arithmetic::columns::IS_RANGE_CHECK; -use crate::extension_tower::BN_BASE; -use crate::util::{addmod, mulmod, submod}; - -mod addcy; -mod byte; -mod divmod; -mod modular; -mod mul; -mod shift; -mod utils; - -pub mod arithmetic_stark; -pub(crate) mod columns; - -/// An enum representing different binary operations. -/// -/// `Shl` and `Shr` are handled differently, by leveraging `Mul` and `Div` respectively. -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub(crate) enum BinaryOperator { - Add, - Mul, - Sub, - Div, - Mod, - Lt, - Gt, - AddFp254, - MulFp254, - SubFp254, - Byte, - Shl, // simulated with MUL - Shr, // simulated with DIV -} - -impl BinaryOperator { - /// Computes the result of a binary arithmetic operation given two inputs. - pub(crate) fn result(&self, input0: U256, input1: U256) -> U256 { - match self { - BinaryOperator::Add => input0.overflowing_add(input1).0, - BinaryOperator::Mul => input0.overflowing_mul(input1).0, - BinaryOperator::Shl => { - if input0 < U256::from(256usize) { - input1 << input0 - } else { - U256::zero() - } - } - BinaryOperator::Sub => input0.overflowing_sub(input1).0, - BinaryOperator::Div => { - if input1.is_zero() { - U256::zero() - } else { - input0 / input1 - } - } - BinaryOperator::Shr => { - if input0 < U256::from(256usize) { - input1 >> input0 - } else { - U256::zero() - } - } - BinaryOperator::Mod => { - if input1.is_zero() { - U256::zero() - } else { - input0 % input1 - } - } - BinaryOperator::Lt => U256::from((input0 < input1) as u8), - BinaryOperator::Gt => U256::from((input0 > input1) as u8), - BinaryOperator::AddFp254 => addmod(input0, input1, BN_BASE), - BinaryOperator::MulFp254 => mulmod(input0, input1, BN_BASE), - BinaryOperator::SubFp254 => submod(input0, input1, BN_BASE), - BinaryOperator::Byte => { - if input0 >= 32.into() { - U256::zero() - } else { - input1.byte(31 - input0.as_usize()).into() - } - } - } - } - - /// Maps a binary arithmetic operation to its associated flag column in the trace. - pub(crate) const fn row_filter(&self) -> usize { - match self { - BinaryOperator::Add => columns::IS_ADD, - BinaryOperator::Mul => columns::IS_MUL, - BinaryOperator::Sub => columns::IS_SUB, - BinaryOperator::Div => columns::IS_DIV, - BinaryOperator::Mod => columns::IS_MOD, - BinaryOperator::Lt => columns::IS_LT, - BinaryOperator::Gt => columns::IS_GT, - BinaryOperator::AddFp254 => columns::IS_ADDFP254, - BinaryOperator::MulFp254 => columns::IS_MULFP254, - BinaryOperator::SubFp254 => columns::IS_SUBFP254, - BinaryOperator::Byte => columns::IS_BYTE, - BinaryOperator::Shl => columns::IS_SHL, - BinaryOperator::Shr => columns::IS_SHR, - } - } -} - -/// An enum representing different ternary operations. -#[allow(clippy::enum_variant_names)] -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub(crate) enum TernaryOperator { - AddMod, - MulMod, - SubMod, -} - -impl TernaryOperator { - /// Computes the result of a ternary arithmetic operation given three inputs. - pub(crate) fn result(&self, input0: U256, input1: U256, input2: U256) -> U256 { - match self { - TernaryOperator::AddMod => addmod(input0, input1, input2), - TernaryOperator::MulMod => mulmod(input0, input1, input2), - TernaryOperator::SubMod => submod(input0, input1, input2), - } - } - - /// Maps a ternary arithmetic operation to its associated flag column in the trace. - pub(crate) const fn row_filter(&self) -> usize { - match self { - TernaryOperator::AddMod => columns::IS_ADDMOD, - TernaryOperator::MulMod => columns::IS_MULMOD, - TernaryOperator::SubMod => columns::IS_SUBMOD, - } - } -} - -/// An enum representing arithmetic operations that can be either binary or ternary. -#[allow(clippy::enum_variant_names)] -#[derive(Debug)] -pub(crate) enum Operation { - BinaryOperation { - operator: BinaryOperator, - input0: U256, - input1: U256, - result: U256, - }, - TernaryOperation { - operator: TernaryOperator, - input0: U256, - input1: U256, - input2: U256, - result: U256, - }, - RangeCheckOperation { - input0: U256, - input1: U256, - input2: U256, - opcode: U256, - result: U256, - }, -} - -impl Operation { - /// Creates a binary operator with given inputs. - /// - /// NB: This works as you would expect, EXCEPT for SHL and SHR, - /// whose inputs need a small amount of preprocessing. Specifically, - /// to create `SHL(shift, value)`, call (note the reversal of - /// argument order): - /// - /// `Operation::binary(BinaryOperator::Shl, value, 1 << shift)` - /// - /// Similarly, to create `SHR(shift, value)`, call - /// - /// `Operation::binary(BinaryOperator::Shr, value, 1 << shift)` - /// - /// See witness/operation.rs::append_shift() for an example (indeed - /// the only call site for such inputs). - pub(crate) fn binary(operator: BinaryOperator, input0: U256, input1: U256) -> Self { - let result = operator.result(input0, input1); - Self::BinaryOperation { - operator, - input0, - input1, - result, - } - } - - /// Creates a ternary operator with given inputs. - pub(crate) fn ternary( - operator: TernaryOperator, - input0: U256, - input1: U256, - input2: U256, - ) -> Self { - let result = operator.result(input0, input1, input2); - Self::TernaryOperation { - operator, - input0, - input1, - input2, - result, - } - } - - pub(crate) const fn range_check( - input0: U256, - input1: U256, - input2: U256, - opcode: U256, - result: U256, - ) -> Self { - Self::RangeCheckOperation { - input0, - input1, - input2, - opcode, - result, - } - } - - /// Gets the result of an arithmetic operation. - pub(crate) fn result(&self) -> U256 { - match self { - Operation::BinaryOperation { result, .. } => *result, - Operation::TernaryOperation { result, .. } => *result, - _ => panic!("This function should not be called for range checks."), - } - } - - /// Convert operation into one or two rows of the trace. - /// - /// Morally these types should be [F; NUM_ARITH_COLUMNS], but we - /// use vectors because that's what utils::transpose (who consumes - /// the result of this function as part of the range check code) - /// expects. - /// - /// The `is_simulated` bool indicates whether we use a native arithmetic - /// operation or simulate one with another. This is used to distinguish - /// SHL and SHR operations that are simulated through MUL and DIV respectively. - fn to_rows(&self) -> (Vec, Option>) { - match *self { - Operation::BinaryOperation { - operator, - input0, - input1, - result, - } => binary_op_to_rows(operator, input0, input1, result), - Operation::TernaryOperation { - operator, - input0, - input1, - input2, - result, - } => ternary_op_to_rows(operator.row_filter(), input0, input1, input2, result), - Operation::RangeCheckOperation { - input0, - input1, - input2, - opcode, - result, - } => range_check_to_rows(input0, input1, input2, opcode, result), - } - } -} - -/// Converts a ternary arithmetic operation to one or two rows of the `ArithmeticStark` table. -fn ternary_op_to_rows( - row_filter: usize, - input0: U256, - input1: U256, - input2: U256, - _result: U256, -) -> (Vec, Option>) { - let mut row1 = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - let mut row2 = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - - row1[row_filter] = F::ONE; - - modular::generate(&mut row1, &mut row2, row_filter, input0, input1, input2); - - (row1, Some(row2)) -} - -/// Converts a binary arithmetic operation to one or two rows of the `ArithmeticStark` table. -fn binary_op_to_rows( - op: BinaryOperator, - input0: U256, - input1: U256, - result: U256, -) -> (Vec, Option>) { - let mut row = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - row[op.row_filter()] = F::ONE; - - match op { - BinaryOperator::Add | BinaryOperator::Sub | BinaryOperator::Lt | BinaryOperator::Gt => { - addcy::generate(&mut row, op.row_filter(), input0, input1); - (row, None) - } - BinaryOperator::Mul => { - mul::generate(&mut row, input0, input1); - (row, None) - } - BinaryOperator::Shl => { - let mut nv = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - shift::generate(&mut row, &mut nv, true, input0, input1, result); - (row, None) - } - BinaryOperator::Div | BinaryOperator::Mod => { - let mut nv = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - divmod::generate(&mut row, &mut nv, op.row_filter(), input0, input1, result); - (row, Some(nv)) - } - BinaryOperator::Shr => { - let mut nv = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - shift::generate(&mut row, &mut nv, false, input0, input1, result); - (row, Some(nv)) - } - BinaryOperator::AddFp254 | BinaryOperator::MulFp254 | BinaryOperator::SubFp254 => { - ternary_op_to_rows::(op.row_filter(), input0, input1, BN_BASE, result) - } - BinaryOperator::Byte => { - byte::generate(&mut row, input0, input1); - (row, None) - } - } -} - -fn range_check_to_rows( - input0: U256, - input1: U256, - input2: U256, - opcode: U256, - result: U256, -) -> (Vec, Option>) { - let mut row = vec![F::ZERO; columns::NUM_ARITH_COLUMNS]; - row[IS_RANGE_CHECK] = F::ONE; - row[OPCODE_COL] = F::from_canonical_u64(opcode.as_u64()); - u256_to_array(&mut row[INPUT_REGISTER_0], input0); - u256_to_array(&mut row[INPUT_REGISTER_1], input1); - u256_to_array(&mut row[INPUT_REGISTER_2], input2); - u256_to_array(&mut row[OUTPUT_REGISTER], result); - - (row, None) -} diff --git a/evm/src/arithmetic/modular.rs b/evm/src/arithmetic/modular.rs deleted file mode 100644 index 5a1df5c733..0000000000 --- a/evm/src/arithmetic/modular.rs +++ /dev/null @@ -1,999 +0,0 @@ -//! Support for the EVM modular instructions ADDMOD, SUBMOD, MULMOD and MOD, -//! as well as DIV and FP254 related modular instructions. -//! -//! This crate verifies an EVM modular instruction, which takes three -//! 256-bit inputs A, B and M, and produces a 256-bit output C satisfying -//! -//! C = operation(A, B) (mod M). -//! -//! where operation can be addition, multiplication, or just return -//! the first argument (for MOD). Inputs A, B and M, and output C, -//! are given as arrays of 16-bit limbs. For example, if the limbs of -//! A are a[0]...a[15], then -//! -//! A = \sum_{i=0}^15 a[i] β^i, -//! -//! where β = 2^16 = 2^LIMB_BITS. To verify that A, B, M and C satisfy -//! the equation we proceed as follows. Define -//! -//! a(x) = \sum_{i=0}^15 a[i] x^i -//! -//! (so A = a(β)) and similarly for b(x), m(x) and c(x). Then -//! operation(A,B) = C (mod M) if and only if there exists q such that -//! the polynomial -//! -//! operation(a(x), b(x)) - c(x) - m(x) * q(x) -//! -//! is zero when evaluated at x = β, i.e. it is divisible by (x - β); -//! equivalently, there exists a polynomial s such that -//! -//! operation(a(x), b(x)) - c(x) - m(x) * q(x) - (x - β) * s(x) == 0 -//! -//! if and only if operation(A,B) = C (mod M). In the code below, this -//! "constraint polynomial" is constructed in the variable -//! `constr_poly`. It must be identically zero for the modular -//! operation to be verified, or, equivalently, each of its -//! coefficients must be zero. The variable names of the constituent -//! polynomials are (writing N for N_LIMBS=16): -//! -//! a(x) = \sum_{i=0}^{N-1} input0[i] * x^i -//! b(x) = \sum_{i=0}^{N-1} input1[i] * x^i -//! c(x) = \sum_{i=0}^{N-1} output[i] * x^i -//! m(x) = \sum_{i=0}^{N-1} modulus[i] * x^i -//! q(x) = \sum_{i=0}^{2N-1} quot[i] * x^i -//! s(x) = \sum_i^{2N-2} aux[i] * x^i -//! -//! Because A, B, M and C are 256-bit numbers, the degrees of a, b, m -//! and c are (at most) N-1 = 15. If m = 1, then Q would be A*B which -//! can be up to 2^512 - ε, so deg(q) can be up to 2*N-1 = 31. Note -//! that, although for arbitrary m and q we might have deg(m*q) = 3*N-2, -//! because the magnitude of M*Q must match that of operation(A,B), we -//! always have deg(m*q) <= 2*N-1. Finally, in order for all the degrees -//! to match, we have deg(s) <= 2*N-2 = 30. -//! -//! -*- -//! -//! To verify that the output is reduced, that is, output < modulus, -//! the prover supplies the value `out_aux_red` which must satisfy -//! -//! output - modulus = out_aux_red + 2^256 -//! -//! and these values are passed to the "less than" operation. -//! -//! -*- -//! -//! The EVM defines division by zero as zero. We handle this as -//! follows: -//! -//! The prover supplies a binary value `mod_is_zero` which is one if -//! the modulus is zero and zero otherwise. This is verified, then -//! added to the modulus (this can't overflow, as modulus[0] was -//! range-checked and mod_is_zero is 0 or 1). The rest of the -//! calculation proceeds as if modulus was actually 1; this correctly -//! verifies that the output is zero, as required by the standard. -//! To summarise: -//! -//! - mod_is_zero is 0 or 1 -//! - if mod_is_zero is 1, then -//! - given modulus is 0 -//! - updated modulus is 1, which forces the correct output of 0 -//! - if mod_is_zero is 0, then -//! - given modulus can be 0 or non-zero -//! - updated modulus is same as given -//! - if modulus is non-zero, correct output is obtained -//! - if modulus is 0, then the test output < modulus, checking that -//! the output is reduced, will fail, because output is non-negative. -//! -//! In the case of DIV, we do something similar, except that we "replace" -//! the modulus with "2^256" to force the quotient to be zero. -//! -//! -*- -//! -//! NB: The implementation uses 9 * N_LIMBS = 144 columns because of -//! the requirements of the general purpose MULMOD; since ADDMOD, -//! SUBMOD, MOD and DIV are currently implemented in terms of the -//! general modular code, they also take 144 columns. Possible -//! improvements: -//! -//! - We could reduce the number of columns to 112 for ADDMOD, SUBMOD, -//! etc. if they were implemented separately, so they don't pay the -//! full cost of the general MULMOD. -//! -//! - All these operations could have alternative forms where the -//! output was not guaranteed to be reduced, which is often sufficient -//! in practice, and which would save a further 16 columns. -//! -//! - If the modulus is known in advance (such as for elliptic curve -//! arithmetic), specialised handling of MULMOD in that case would -//! only require 96 columns, or 80 if the output doesn't need to be -//! reduced. - -use core::ops::Range; - -use ethereum_types::U256; -use num::bigint::Sign; -use num::{BigInt, One, Zero}; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::{Field, PrimeField64}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use static_assertions::const_assert; - -use super::columns; -use crate::arithmetic::addcy::{eval_ext_circuit_addcy, eval_packed_generic_addcy}; -use crate::arithmetic::columns::*; -use crate::arithmetic::utils::*; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::extension_tower::BN_BASE; - -const fn bn254_modulus_limbs() -> [u16; N_LIMBS] { - const_assert!(N_LIMBS == 16); // Assumed below - let mut limbs = [0u16; N_LIMBS]; - let mut i = 0; - while i < N_LIMBS / 4 { - let x = BN_BASE.0[i]; - limbs[4 * i] = x as u16; - limbs[4 * i + 1] = (x >> 16) as u16; - limbs[4 * i + 2] = (x >> 32) as u16; - limbs[4 * i + 3] = (x >> 48) as u16; - i += 1; - } - limbs -} - -/// Convert the base-2^16 representation of a number into a BigInt. -/// -/// Given `N` signed (16 + ε)-bit values in `limbs`, return the BigInt -/// -/// \sum_{i=0}^{N-1} limbs[i] * β^i. -/// -/// This is basically "evaluate the given polynomial at β". Although -/// the input type is i64, the values must always be in (-2^16 - ε, -/// 2^16 + ε) because of the caller's range check on the inputs (the ε -/// allows us to convert calculated output, which can be bigger than -/// 2^16). -fn columns_to_bigint(limbs: &[i64; N]) -> BigInt { - const BASE: i64 = 1i64 << LIMB_BITS; - - let mut pos_limbs_u32 = Vec::with_capacity(N / 2 + 1); - let mut neg_limbs_u32 = Vec::with_capacity(N / 2 + 1); - let mut cy = 0i64; // cy is necessary to handle ε > 0 - for i in 0..(N / 2) { - let t = cy + limbs[2 * i] + BASE * limbs[2 * i + 1]; - pos_limbs_u32.push(if t > 0 { t as u32 } else { 0u32 }); - neg_limbs_u32.push(if t < 0 { -t as u32 } else { 0u32 }); - cy = t / (1i64 << 32); - } - if N & 1 != 0 { - // If N is odd we need to add the last limb on its own - let t = cy + limbs[N - 1]; - pos_limbs_u32.push(if t > 0 { t as u32 } else { 0u32 }); - neg_limbs_u32.push(if t < 0 { -t as u32 } else { 0u32 }); - cy = t / (1i64 << 32); - } - pos_limbs_u32.push(if cy > 0 { cy as u32 } else { 0u32 }); - neg_limbs_u32.push(if cy < 0 { -cy as u32 } else { 0u32 }); - - let pos = BigInt::from_slice(Sign::Plus, &pos_limbs_u32); - let neg = BigInt::from_slice(Sign::Plus, &neg_limbs_u32); - pos - neg -} - -/// Convert a BigInt into a base-2^16 representation. -/// -/// Given a BigInt `num`, return an array of `N` signed 16-bit -/// values, say `limbs`, such that -/// -/// num = \sum_{i=0}^{N-1} limbs[i] * β^i. -/// -/// Note that `N` must be at least ceil(log2(num)/16) in order to be -/// big enough to hold `num`. -fn bigint_to_columns(num: &BigInt) -> [i64; N] { - assert!(num.bits() <= 16 * N as u64); - let mut output = [0i64; N]; - for (i, limb) in num.iter_u32_digits().enumerate() { - output[2 * i] = limb as u16 as i64; - output[2 * i + 1] = (limb >> LIMB_BITS) as i64; - } - if num.sign() == Sign::Minus { - for c in output.iter_mut() { - *c = -*c; - } - } - output -} - -/// Generate the output and auxiliary values for given `operation`. -/// -/// NB: `operation` can set the higher order elements in its result to -/// zero if they are not used. -pub(crate) fn generate_modular_op( - lv: &[F], - nv: &mut [F], - filter: usize, - pol_input: [i64; 2 * N_LIMBS - 1], - modulus_range: Range, -) -> ([F; N_LIMBS], [F; 2 * N_LIMBS]) { - assert!(modulus_range.len() == N_LIMBS); - let mut modulus_limbs = read_value_i64_limbs(lv, modulus_range); - - // BigInts are just used to avoid having to implement modular - // reduction. - let mut modulus = columns_to_bigint(&modulus_limbs); - - // constr_poly is initialised to the input calculation as - // polynomials, and is used as such for the BigInt reduction; - // later, other values are added/subtracted, which is where its - // meaning as the "constraint polynomial" comes in. - let mut constr_poly = [0i64; 2 * N_LIMBS]; - constr_poly[..2 * N_LIMBS - 1].copy_from_slice(&pol_input); - - // two_exp_256 == 2^256 - let two_exp_256 = { - let mut t = BigInt::zero(); - t.set_bit(256, true); - t - }; - - let mut mod_is_zero = F::ZERO; - if modulus.is_zero() { - if filter == columns::IS_DIV || filter == columns::IS_SHR { - // set modulus = 2^256; the condition above means we know - // it's zero at this point, so we can just set bit 256. - modulus.set_bit(256, true); - // modulus_limbs don't play a role below - } else { - // set modulus = 1 - modulus = BigInt::one(); - modulus_limbs[0] = 1i64; - } - mod_is_zero = F::ONE; - } - - let input = columns_to_bigint(&constr_poly); - - // modulus != 0 here, because, if the given modulus was zero, then - // it was set to 1 or 2^256 above - let mut output = &input % &modulus; - // output will be -ve (but > -modulus) if input was -ve, so we can - // add modulus to obtain a "canonical" +ve output. - if output.sign() == Sign::Minus { - output += &modulus; - } - let output_limbs = bigint_to_columns::(&output); - // exact division; can be -ve for SUB* operations. - let quot = (&input - &output) / &modulus; - if quot.sign() == Sign::Minus { - debug_assert!(filter == IS_SUBMOD || filter == IS_SUBFP254); - } - let mut quot_limbs = bigint_to_columns::<{ 2 * N_LIMBS }>("); - - // output < modulus here; the proof requires (output - modulus) % 2^256: - let out_aux_red = bigint_to_columns::(&(two_exp_256 - modulus + output)); - - // constr_poly is the array of coefficients of the polynomial - // - // operation(a(x), b(x)) - c(x) - s(x)*m(x). - // - pol_sub_assign(&mut constr_poly, &output_limbs); - let prod = pol_mul_wide2(quot_limbs, modulus_limbs); - pol_sub_assign(&mut constr_poly, &prod[0..2 * N_LIMBS]); - - // Higher order terms of the product must be zero for valid quot and modulus: - debug_assert!(&prod[2 * N_LIMBS..].iter().all(|&x| x == 0i64)); - - // constr_poly must be zero when evaluated at x = β := - // 2^LIMB_BITS, hence it's divisible by (x - β). `aux_limbs` is - // the result of removing that root. - let mut aux_limbs = pol_remove_root_2exp::(constr_poly); - - for c in aux_limbs.iter_mut() { - // we store the unsigned offset value c + 2^20. - *c += AUX_COEFF_ABS_MAX; - } - debug_assert!(aux_limbs.iter().all(|&c| c.abs() <= 2 * AUX_COEFF_ABS_MAX)); - - for (i, &c) in MODULAR_AUX_INPUT_LO.zip(&aux_limbs[..2 * N_LIMBS - 1]) { - nv[i] = F::from_canonical_u16(c as u16); - } - for (i, &c) in MODULAR_AUX_INPUT_HI.zip(&aux_limbs[..2 * N_LIMBS - 1]) { - nv[i] = F::from_canonical_u16((c >> 16) as u16); - } - - // quo_input can be negative for SUB* operations, so we offset it - // to ensure it's positive. - if [columns::IS_SUBMOD, columns::IS_SUBFP254].contains(&filter) { - let (lo, hi) = quot_limbs.split_at_mut(N_LIMBS); - - // Verify that the elements are in the expected range. - debug_assert!(lo.iter().all(|&c| c <= u16::max_value() as i64)); - - // Top half of quot_limbs should be zero. - debug_assert!(hi.iter().all(|&d| d.is_zero())); - - if quot.sign() == Sign::Minus { - // quot is negative, so each c should be negative, i.e. in - // the range [-(2^16 - 1), 0]; so we add 2^16 - 1 to c so - // it's in the range [0, 2^16 - 1] which will correctly - // range-check. - for c in lo { - *c += u16::max_value() as i64; - } - // Store the sign of the quotient after the quotient. - hi[0] = 1; - } else { - hi[0] = 0; - }; - } - - nv[MODULAR_MOD_IS_ZERO] = mod_is_zero; - nv[MODULAR_OUT_AUX_RED].copy_from_slice(&out_aux_red.map(F::from_canonical_i64)); - nv[MODULAR_DIV_DENOM_IS_ZERO] = mod_is_zero * (lv[IS_DIV] + lv[IS_SHR]); - - ( - output_limbs.map(F::from_canonical_i64), - quot_limbs.map(F::from_noncanonical_i64), - ) -} - -/// Generate the output and auxiliary values for modular operations. -/// -/// `filter` must be one of `columns::IS_{ADD,MUL,SUB}{MOD,FP254}`. -pub(crate) fn generate( - lv: &mut [F], - nv: &mut [F], - filter: usize, - input0: U256, - input1: U256, - modulus: U256, -) { - debug_assert!(lv.len() == NUM_ARITH_COLUMNS && nv.len() == NUM_ARITH_COLUMNS); - - u256_to_array(&mut lv[MODULAR_INPUT_0], input0); - u256_to_array(&mut lv[MODULAR_INPUT_1], input1); - u256_to_array(&mut lv[MODULAR_MODULUS], modulus); - - if [ - columns::IS_ADDFP254, - columns::IS_SUBFP254, - columns::IS_MULFP254, - ] - .contains(&filter) - { - debug_assert!(modulus == BN_BASE); - } - - // Inputs are all in [0, 2^16), so the "as i64" conversion is safe. - let input0_limbs = read_value_i64_limbs(lv, MODULAR_INPUT_0); - let input1_limbs = read_value_i64_limbs(lv, MODULAR_INPUT_1); - - let pol_input = match filter { - columns::IS_ADDMOD | columns::IS_ADDFP254 => pol_add(input0_limbs, input1_limbs), - columns::IS_SUBMOD | columns::IS_SUBFP254 => pol_sub(input0_limbs, input1_limbs), - columns::IS_MULMOD | columns::IS_MULFP254 => pol_mul_wide(input0_limbs, input1_limbs), - _ => panic!("generate modular operation called with unknown opcode"), - }; - let (out, quo_input) = generate_modular_op(lv, nv, filter, pol_input, MODULAR_MODULUS); - lv[MODULAR_OUTPUT].copy_from_slice(&out); - lv[MODULAR_QUO_INPUT].copy_from_slice(&quo_input); -} - -pub(crate) fn check_reduced( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, - filter: P, - output: [P; N_LIMBS], - modulus: [P; N_LIMBS], - mod_is_zero: P, -) { - // Verify that the output is reduced, i.e. output < modulus. - let out_aux_red = &nv[MODULAR_OUT_AUX_RED]; - // This sets is_less_than to 1 unless we get mod_is_zero when - // doing a DIV or SHR; in that case, we need is_less_than=0, since - // eval_packed_generic_addcy checks - // - // modulus + out_aux_red == output + is_less_than*2^256 - // - // and we are given output = out_aux_red when modulus is zero. - let mut is_less_than = [P::ZEROS; N_LIMBS]; - is_less_than[0] = P::ONES - mod_is_zero * (lv[IS_DIV] + lv[IS_SHR]); - // NB: output and modulus in lv while out_aux_red and - // is_less_than (via mod_is_zero) depend on nv, hence the - // 'is_two_row_op' argument is set to 'true'. - eval_packed_generic_addcy( - yield_constr, - filter, - &modulus, - out_aux_red, - &output, - &is_less_than, - true, - ); -} - -/// Build the part of the constraint polynomial that applies to the -/// DIV, MOD, ADDMOD, MULMOD operations (and the FP254 variants), and -/// perform the common verifications. -/// -/// Specifically, with the notation above, build the polynomial -/// -/// c(x) + q(x) * m(x) + (x - β) * s(x) -/// -/// and check consistency when m = 0, and that c is reduced. Note that -/// q(x) CANNOT be negative here, but, in contrast to -/// addsubmod_constr_poly above, it is twice as long. -pub(crate) fn modular_constr_poly( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, - filter: P, - mut output: [P; N_LIMBS], - mut modulus: [P; N_LIMBS], - quot: [P; 2 * N_LIMBS], -) -> [P; 2 * N_LIMBS] { - let mod_is_zero = nv[MODULAR_MOD_IS_ZERO]; - - // Check that mod_is_zero is zero or one - yield_constr.constraint_transition(filter * (mod_is_zero * mod_is_zero - mod_is_zero)); - - // Check that mod_is_zero is zero if modulus is not zero (they - // could both be zero) - let limb_sum = modulus.into_iter().sum::

(); - yield_constr.constraint_transition(filter * limb_sum * mod_is_zero); - - // See the file documentation for why this suffices to handle - // modulus = 0. - modulus[0] += mod_is_zero; - - // Is 1 iff the operation is DIV or SHR and the denominator is zero. - let div_denom_is_zero = nv[MODULAR_DIV_DENOM_IS_ZERO]; - yield_constr.constraint_transition( - filter * (mod_is_zero * (lv[IS_DIV] + lv[IS_SHR]) - div_denom_is_zero), - ); - - // Needed to compensate for adding mod_is_zero to modulus above, - // since the call eval_packed_generic_addcy() below subtracts modulus - // to verify in the case of a DIV or SHR. - output[0] += div_denom_is_zero; - - check_reduced(lv, nv, yield_constr, filter, output, modulus, mod_is_zero); - - // restore output[0] - output[0] -= div_denom_is_zero; - - // prod = q(x) * m(x) - let prod = pol_mul_wide2(quot, modulus); - // higher order terms must be zero - for &x in prod[2 * N_LIMBS..].iter() { - yield_constr.constraint_transition(filter * x); - } - - // constr_poly = c(x) + q(x) * m(x) - let mut constr_poly: [_; 2 * N_LIMBS] = prod[0..2 * N_LIMBS].try_into().unwrap(); - pol_add_assign(&mut constr_poly, &output); - - let base = P::Scalar::from_canonical_u64(1 << LIMB_BITS); - let offset = P::Scalar::from_canonical_u64(AUX_COEFF_ABS_MAX as u64); - - // constr_poly = c(x) + q(x) * m(x) + (x - β) * s(x)c - let mut aux = [P::ZEROS; 2 * N_LIMBS]; - for (c, i) in aux.iter_mut().zip(MODULAR_AUX_INPUT_LO) { - // MODULAR_AUX_INPUT elements were offset by 2^20 in - // generation, so we undo that here. - *c = nv[i] - offset; - } - // add high 16-bits of aux input - for (c, j) in aux.iter_mut().zip(MODULAR_AUX_INPUT_HI) { - *c += base * nv[j]; - } - - pol_add_assign(&mut constr_poly, &pol_adjoin_root(aux, base)); - - constr_poly -} - -/// Build the part of the constraint polynomial that's common to the -/// SUBMOD and SUBFP254 operations, and perform the common -/// verifications. -/// -/// Specifically, with the notation above, build the polynomial -/// -/// c(x) + q(x) * m(x) + (x - β) * s(x) -/// -/// and check consistency when m = 0, and that c is reduced. Note that -/// q(x) can be negative here, so it needs to be reconstructed from -/// its hi and lo halves in MODULAR_QUO_INPUT and then to be -/// "de-biassed" from the range [0, 2^32) to the correct range -/// (-2^16,2^16). -pub(crate) fn submod_constr_poly( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, - filter: P, - output: [P; N_LIMBS], - modulus: [P; N_LIMBS], - mut quot: [P; 2 * N_LIMBS], -) -> [P; 2 * N_LIMBS] { - // quot was offset by 2^16 - 1 if it was negative; we undo that - // offset here: - let (lo, hi) = quot.split_at_mut(N_LIMBS); - let sign = hi[0]; - // sign must be 1 (negative) or 0 (positive) - yield_constr.constraint(filter * sign * (sign - P::ONES)); - let offset = P::Scalar::from_canonical_u16(u16::max_value()); - for c in lo { - *c -= offset * sign; - } - hi[0] = P::ZEROS; - for d in hi { - // All higher limbs must be zero - yield_constr.constraint(filter * *d); - } - - modular_constr_poly(lv, nv, yield_constr, filter, output, modulus, quot) -} - -/// Add constraints for modular operations. -pub(crate) fn eval_packed( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - // NB: The CTL code guarantees that filter is 0 or 1, i.e. that - // only one of the operations below is "live". - let bn254_filter = - lv[columns::IS_ADDFP254] + lv[columns::IS_MULFP254] + lv[columns::IS_SUBFP254]; - let filter = - lv[columns::IS_ADDMOD] + lv[columns::IS_SUBMOD] + lv[columns::IS_MULMOD] + bn254_filter; - - // Ensure that this operation is not the last row of the table; - // needed because we access the next row of the table in nv. - yield_constr.constraint_last_row(filter); - - // Verify that the modulus is the BN254 modulus for the - // {ADD,MUL,SUB}FP254 operations. - let modulus = read_value::(lv, MODULAR_MODULUS); - for (&mi, bi) in modulus.iter().zip(bn254_modulus_limbs()) { - yield_constr.constraint_transition(bn254_filter * (mi - P::Scalar::from_canonical_u16(bi))); - } - - let output = read_value::(lv, MODULAR_OUTPUT); - let quo_input = read_value::<{ 2 * N_LIMBS }, _>(lv, MODULAR_QUO_INPUT); - - let add_filter = lv[columns::IS_ADDMOD] + lv[columns::IS_ADDFP254]; - let sub_filter = lv[columns::IS_SUBMOD] + lv[columns::IS_SUBFP254]; - let mul_filter = lv[columns::IS_MULMOD] + lv[columns::IS_MULFP254]; - let addmul_filter = add_filter + mul_filter; - - // constr_poly has 2*N_LIMBS limbs - let submod_constr_poly = - submod_constr_poly(lv, nv, yield_constr, sub_filter, output, modulus, quo_input); - let modular_constr_poly = modular_constr_poly( - lv, - nv, - yield_constr, - addmul_filter, - output, - modulus, - quo_input, - ); - - let input0 = read_value(lv, MODULAR_INPUT_0); - let input1 = read_value(lv, MODULAR_INPUT_1); - - let add_input = pol_add(input0, input1); - let sub_input = pol_sub(input0, input1); - let mul_input = pol_mul_wide(input0, input1); - - for (input, &filter, constr_poly) in [ - (&add_input, &add_filter, modular_constr_poly), - (&sub_input, &sub_filter, submod_constr_poly), - (&mul_input, &mul_filter, modular_constr_poly), - ] { - // Need constr_poly_copy to be the first argument to - // pol_sub_assign, since it is the longer of the two - // arguments. - let mut constr_poly_copy = constr_poly; - pol_sub_assign(&mut constr_poly_copy, input); - - // At this point constr_poly_copy holds the coefficients of - // the polynomial - // - // operation(a(x), b(x)) - c(x) - q(x) * m(x) - (x - β) * s(x) - // - // where operation is add, mul or |a,b|->a. The modular - // operation is valid if and only if all of those coefficients - // are zero. - for &c in constr_poly_copy.iter() { - yield_constr.constraint_transition(filter * c); - } - } -} - -pub(crate) fn modular_constr_poly_ext_circuit, const D: usize>( - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - builder: &mut CircuitBuilder, - yield_constr: &mut RecursiveConstraintConsumer, - filter: ExtensionTarget, - mut output: [ExtensionTarget; N_LIMBS], - mut modulus: [ExtensionTarget; N_LIMBS], - quot: [ExtensionTarget; 2 * N_LIMBS], -) -> [ExtensionTarget; 2 * N_LIMBS] { - let mod_is_zero = nv[MODULAR_MOD_IS_ZERO]; - - // Check that mod_is_zero is zero or one - let t = builder.mul_sub_extension(mod_is_zero, mod_is_zero, mod_is_zero); - let t = builder.mul_extension(filter, t); - yield_constr.constraint_transition(builder, t); - - // Check that mod_is_zero is zero if modulus is not zero (they - // could both be zero) - let limb_sum = builder.add_many_extension(modulus); - let t = builder.mul_extension(limb_sum, mod_is_zero); - let t = builder.mul_extension(filter, t); - yield_constr.constraint_transition(builder, t); - - modulus[0] = builder.add_extension(modulus[0], mod_is_zero); - - // Is 1 iff the operation is DIV or SHR and the denominator is zero. - let div_denom_is_zero = nv[MODULAR_DIV_DENOM_IS_ZERO]; - let div_shr_filter = builder.add_extension(lv[IS_DIV], lv[IS_SHR]); - let t = builder.mul_sub_extension(mod_is_zero, div_shr_filter, div_denom_is_zero); - let t = builder.mul_extension(filter, t); - yield_constr.constraint_transition(builder, t); - - // Needed to compensate for adding mod_is_zero to modulus above, - // since the call eval_packed_generic_addcy() below subtracts modulus - // to verify in the case of a DIV or SHR. - output[0] = builder.add_extension(output[0], div_denom_is_zero); - - // Verify that the output is reduced, i.e. output < modulus. - let out_aux_red = &nv[MODULAR_OUT_AUX_RED]; - let one = builder.one_extension(); - let zero = builder.zero_extension(); - let mut is_less_than = [zero; N_LIMBS]; - is_less_than[0] = - builder.arithmetic_extension(F::NEG_ONE, F::ONE, mod_is_zero, div_shr_filter, one); - - eval_ext_circuit_addcy( - builder, - yield_constr, - filter, - &modulus, - out_aux_red, - &output, - &is_less_than, - true, - ); - // restore output[0] - output[0] = builder.sub_extension(output[0], div_denom_is_zero); - - // prod = q(x) * m(x) - let prod = pol_mul_wide2_ext_circuit(builder, quot, modulus); - // higher order terms must be zero - for &x in prod[2 * N_LIMBS..].iter() { - let t = builder.mul_extension(filter, x); - yield_constr.constraint_transition(builder, t); - } - - // constr_poly = c(x) + q(x) * m(x) - let mut constr_poly: [_; 2 * N_LIMBS] = prod[0..2 * N_LIMBS].try_into().unwrap(); - pol_add_assign_ext_circuit(builder, &mut constr_poly, &output); - - let offset = - builder.constant_extension(F::Extension::from_canonical_u64(AUX_COEFF_ABS_MAX as u64)); - let zero = builder.zero_extension(); - - // constr_poly = c(x) + q(x) * m(x) - let mut aux = [zero; 2 * N_LIMBS]; - for (c, i) in aux.iter_mut().zip(MODULAR_AUX_INPUT_LO) { - *c = builder.sub_extension(nv[i], offset); - } - // add high 16-bits of aux input - let base = F::from_canonical_u64(1u64 << LIMB_BITS); - for (c, j) in aux.iter_mut().zip(MODULAR_AUX_INPUT_HI) { - *c = builder.mul_const_add_extension(base, nv[j], *c); - } - - let base = builder.constant_extension(base.into()); - let t = pol_adjoin_root_ext_circuit(builder, aux, base); - pol_add_assign_ext_circuit(builder, &mut constr_poly, &t); - - constr_poly -} - -pub(crate) fn submod_constr_poly_ext_circuit, const D: usize>( - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - builder: &mut CircuitBuilder, - yield_constr: &mut RecursiveConstraintConsumer, - filter: ExtensionTarget, - output: [ExtensionTarget; N_LIMBS], - modulus: [ExtensionTarget; N_LIMBS], - mut quot: [ExtensionTarget; 2 * N_LIMBS], -) -> [ExtensionTarget; 2 * N_LIMBS] { - // quot was offset by 2^16 - 1 if it was negative; we undo that - // offset here: - let (lo, hi) = quot.split_at_mut(N_LIMBS); - let sign = hi[0]; - let t = builder.mul_sub_extension(sign, sign, sign); - let t = builder.mul_extension(filter, t); - // sign must be 1 (negative) or 0 (positive) - yield_constr.constraint(builder, t); - let offset = F::from_canonical_u16(u16::max_value()); - for c in lo { - let t = builder.mul_const_extension(offset, sign); - *c = builder.sub_extension(*c, t); - } - hi[0] = builder.zero_extension(); - for d in hi { - // All higher limbs must be zero - let t = builder.mul_extension(filter, *d); - yield_constr.constraint(builder, t); - } - - modular_constr_poly_ext_circuit(lv, nv, builder, yield_constr, filter, output, modulus, quot) -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let bn254_filter = builder.add_many_extension([ - lv[columns::IS_ADDFP254], - lv[columns::IS_MULFP254], - lv[columns::IS_SUBFP254], - ]); - let filter = builder.add_many_extension([ - lv[columns::IS_ADDMOD], - lv[columns::IS_SUBMOD], - lv[columns::IS_MULMOD], - bn254_filter, - ]); - - // Ensure that this operation is not the last row of the table; - // needed because we access the next row of the table in nv. - yield_constr.constraint_last_row(builder, filter); - - // Verify that the modulus is the BN254 modulus for the - // {ADD,MUL,SUB}FP254 operations. - let modulus = read_value::(lv, MODULAR_MODULUS); - for (&mi, bi) in modulus.iter().zip(bn254_modulus_limbs()) { - // bn254_filter * (mi - bi) - let t = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_u16(bi), - mi, - bn254_filter, - bn254_filter, - ); - yield_constr.constraint_transition(builder, t); - } - - let output = read_value::(lv, MODULAR_OUTPUT); - let quo_input = read_value::<{ 2 * N_LIMBS }, _>(lv, MODULAR_QUO_INPUT); - - let add_filter = builder.add_extension(lv[columns::IS_ADDMOD], lv[columns::IS_ADDFP254]); - let sub_filter = builder.add_extension(lv[columns::IS_SUBMOD], lv[columns::IS_SUBFP254]); - let mul_filter = builder.add_extension(lv[columns::IS_MULMOD], lv[columns::IS_MULFP254]); - let addmul_filter = builder.add_extension(add_filter, mul_filter); - - // constr_poly has 2*N_LIMBS limbs - let submod_constr_poly = submod_constr_poly_ext_circuit( - lv, - nv, - builder, - yield_constr, - sub_filter, - output, - modulus, - quo_input, - ); - let modular_constr_poly = modular_constr_poly_ext_circuit( - lv, - nv, - builder, - yield_constr, - addmul_filter, - output, - modulus, - quo_input, - ); - let input0 = read_value(lv, MODULAR_INPUT_0); - let input1 = read_value(lv, MODULAR_INPUT_1); - - let add_input = pol_add_ext_circuit(builder, input0, input1); - let sub_input = pol_sub_ext_circuit(builder, input0, input1); - let mul_input = pol_mul_wide_ext_circuit(builder, input0, input1); - - for (input, &filter, constr_poly) in [ - (&add_input, &add_filter, modular_constr_poly), - (&sub_input, &sub_filter, submod_constr_poly), - (&mul_input, &mul_filter, modular_constr_poly), - ] { - let mut constr_poly_copy = constr_poly; - pol_sub_assign_ext_circuit(builder, &mut constr_poly_copy, input); - for &c in constr_poly_copy.iter() { - let t = builder.mul_extension(filter, c); - yield_constr.constraint_transition(builder, t); - } - } -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::{Field, Sample}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - use crate::constraint_consumer::ConstraintConsumer; - use crate::extension_tower::BN_BASE; - - const N_RND_TESTS: usize = 1000; - const MODULAR_OPS: [usize; 6] = [ - IS_ADDMOD, - IS_SUBMOD, - IS_MULMOD, - IS_ADDFP254, - IS_SUBFP254, - IS_MULFP254, - ]; - - // TODO: Should be able to refactor this test to apply to all operations. - #[test] - fn generate_eval_consistency_not_modular() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - let nv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // if `IS_ADDMOD == 0`, then the constraints should be met even - // if all values are garbage (and similarly for the other operations). - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - lv[IS_SHR] = F::ZERO; - lv[IS_DIV] = F::ZERO; - lv[IS_MOD] = F::ZERO; - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ONE, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - - #[test] - fn generate_eval_consistency() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - - for op_filter in MODULAR_OPS { - for i in 0..N_RND_TESTS { - // set inputs to random values - let mut lv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - let mut nv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - - // Reset operation columns, then select one - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - lv[IS_SHR] = F::ZERO; - lv[IS_DIV] = F::ZERO; - lv[IS_MOD] = F::ZERO; - lv[op_filter] = F::ONE; - - let input0 = U256::from(rng.gen::<[u8; 32]>()); - let input1 = U256::from(rng.gen::<[u8; 32]>()); - - let modulus = if [IS_ADDFP254, IS_MULFP254, IS_SUBFP254].contains(&op_filter) { - BN_BASE - } else { - let mut modulus_limbs = [0u8; 32]; - // For the second half of the tests, set the top - // 16-start digits of the modulus to zero so it is - // much smaller than the inputs. - if i > N_RND_TESTS / 2 { - // 1 <= start < N_LIMBS - let start = (rng.gen::() % (modulus_limbs.len() - 1)) + 1; - for mi in modulus_limbs.iter_mut().skip(start) { - *mi = 0u8; - } - } - U256::from(modulus_limbs) - }; - - generate(&mut lv, &mut nv, op_filter, input0, input1, modulus); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ZERO, - GoldilocksField::ZERO, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - } - } - - #[test] - fn zero_modulus() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - - for op_filter in [IS_ADDMOD, IS_SUBMOD, IS_MULMOD] { - for _i in 0..N_RND_TESTS { - // set inputs to random values and the modulus to zero; - // the output is defined to be zero when modulus is zero. - let mut lv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - let mut nv = [F::default(); NUM_ARITH_COLUMNS] - .map(|_| F::from_canonical_u16(rng.gen::())); - - // Reset operation columns, then select one - for op in MODULAR_OPS { - lv[op] = F::ZERO; - } - lv[IS_SHR] = F::ZERO; - lv[IS_DIV] = F::ZERO; - lv[IS_MOD] = F::ZERO; - lv[op_filter] = F::ONE; - - let input0 = U256::from(rng.gen::<[u8; 32]>()); - let input1 = U256::from(rng.gen::<[u8; 32]>()); - let modulus = U256::zero(); - - generate(&mut lv, &mut nv, op_filter, input0, input1, modulus); - - // check that the correct output was generated - assert!(lv[MODULAR_OUTPUT].iter().all(|&c| c == F::ZERO)); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ZERO, - GoldilocksField::ZERO, - ); - eval_packed(&lv, &nv, &mut constraint_consumer); - assert!(constraint_consumer - .constraint_accs - .iter() - .all(|&acc| acc == F::ZERO)); - - // Corrupt one output limb by setting it to a non-zero value - let random_oi = MODULAR_OUTPUT.start + rng.gen::() % N_LIMBS; - lv[random_oi] = F::from_canonical_u16(rng.gen_range(1..u16::MAX)); - - eval_packed(&lv, &nv, &mut constraint_consumer); - - // Check that at least one of the constraints was non-zero - assert!(constraint_consumer - .constraint_accs - .iter() - .any(|&acc| acc != F::ZERO)); - } - } - } -} diff --git a/evm/src/arithmetic/mul.rs b/evm/src/arithmetic/mul.rs deleted file mode 100644 index 01c9d5c1c0..0000000000 --- a/evm/src/arithmetic/mul.rs +++ /dev/null @@ -1,320 +0,0 @@ -//! Support for the EVM MUL instruction. -//! -//! This crate verifies an EVM MUL instruction, which takes two -//! 256-bit inputs A and B, and produces a 256-bit output C satisfying -//! -//! C = A*B (mod 2^256), -//! -//! i.e. C is the lower half of the usual long multiplication -//! A*B. Inputs A and B, and output C, are given as arrays of 16-bit -//! limbs. For example, if the limbs of A are a[0]...a[15], then -//! -//! A = \sum_{i=0}^15 a[i] β^i, -//! -//! where β = 2^16 = 2^LIMB_BITS. To verify that A, B and C satisfy -//! the equation we proceed as follows. Define -//! -//! a(x) = \sum_{i=0}^15 a[i] x^i -//! -//! (so A = a(β)) and similarly for b(x) and c(x). Then A*B = C (mod -//! 2^256) if and only if there exists q such that the polynomial -//! -//! a(x) * b(x) - c(x) - x^16 * q(x) -//! -//! is zero when evaluated at x = β, i.e. it is divisible by (x - β); -//! equivalently, there exists a polynomial s (representing the -//! carries from the long multiplication) such that -//! -//! a(x) * b(x) - c(x) - x^16 * q(x) - (x - β) * s(x) == 0 -//! -//! As we only need the lower half of the product, we can omit q(x) -//! since it is multiplied by the modulus β^16 = 2^256. Thus we only -//! need to verify -//! -//! a(x) * b(x) - c(x) - (x - β) * s(x) == 0 -//! -//! In the code below, this "constraint polynomial" is constructed in -//! the variable `constr_poly`. It must be identically zero for the -//! multiplication operation to be verified, or, equivalently, each of -//! its coefficients must be zero. The variable names of the -//! constituent polynomials are (writing N for N_LIMBS=16): -//! -//! a(x) = \sum_{i=0}^{N-1} input0[i] * x^i -//! b(x) = \sum_{i=0}^{N-1} input1[i] * x^i -//! c(x) = \sum_{i=0}^{N-1} output[i] * x^i -//! s(x) = \sum_i^{2N-3} aux[i] * x^i -//! -//! Because A, B and C are 256-bit numbers, the degrees of a, b and c -//! are (at most) 15. Thus deg(a*b) <= 30 and deg(s) <= 29; however, -//! as we're only verifying the lower half of A*B, we only need to -//! know s(x) up to degree 14 (so that (x - β)*s(x) has degree 15). On -//! the other hand, the coefficients of s(x) can be as large as -//! 16*(β-2) or 20 bits. -//! -//! Note that, unlike for the general modular multiplication (see the -//! file `modular.rs`), we don't need to check that output is reduced, -//! since any value of output is less than β^16 and is hence reduced. - -use ethereum_types::U256; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::{Field, PrimeField64}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::arithmetic::columns::*; -use crate::arithmetic::utils::*; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; - -/// Given the two limbs of `left_in` and `right_in`, computes `left_in * right_in`. -pub(crate) fn generate_mul(lv: &mut [F], left_in: [i64; 16], right_in: [i64; 16]) { - const MASK: i64 = (1i64 << LIMB_BITS) - 1i64; - - // Input and output have 16-bit limbs - let mut output_limbs = [0i64; N_LIMBS]; - - // Column-wise pen-and-paper long multiplication on 16-bit limbs. - // First calculate the coefficients of a(x)*b(x) (in unreduced_prod), - // then do carry propagation to obtain C = c(β) = a(β)*b(β). - let mut cy = 0i64; - let mut unreduced_prod = pol_mul_lo(left_in, right_in); - for col in 0..N_LIMBS { - let t = unreduced_prod[col] + cy; - cy = t >> LIMB_BITS; - output_limbs[col] = t & MASK; - } - // In principle, the last cy could be dropped because this is - // multiplication modulo 2^256. However, we need it below for - // aux_limbs to handle the fact that unreduced_prod will - // inevitably contain one digit's worth that is > 2^256. - - lv[OUTPUT_REGISTER].copy_from_slice(&output_limbs.map(|c| F::from_canonical_i64(c))); - pol_sub_assign(&mut unreduced_prod, &output_limbs); - - let mut aux_limbs = pol_remove_root_2exp::(unreduced_prod); - aux_limbs[N_LIMBS - 1] = -cy; - - for c in aux_limbs.iter_mut() { - // we store the unsigned offset value c + 2^20 - *c += AUX_COEFF_ABS_MAX; - } - - debug_assert!(aux_limbs.iter().all(|&c| c.abs() <= 2 * AUX_COEFF_ABS_MAX)); - - lv[MUL_AUX_INPUT_LO].copy_from_slice(&aux_limbs.map(|c| F::from_canonical_u16(c as u16))); - lv[MUL_AUX_INPUT_HI] - .copy_from_slice(&aux_limbs.map(|c| F::from_canonical_u16((c >> 16) as u16))); -} - -pub(crate) fn generate(lv: &mut [F], left_in: U256, right_in: U256) { - // TODO: It would probably be clearer/cleaner to read the U256 - // into an [i64;N] and then copy that to the lv table. - u256_to_array(&mut lv[INPUT_REGISTER_0], left_in); - u256_to_array(&mut lv[INPUT_REGISTER_1], right_in); - u256_to_array(&mut lv[INPUT_REGISTER_2], U256::zero()); - - let input0 = read_value_i64_limbs(lv, INPUT_REGISTER_0); - let input1 = read_value_i64_limbs(lv, INPUT_REGISTER_1); - - generate_mul(lv, input0, input1); -} - -pub(crate) fn eval_packed_generic_mul( - lv: &[P; NUM_ARITH_COLUMNS], - filter: P, - left_in_limbs: [P; 16], - right_in_limbs: [P; 16], - yield_constr: &mut ConstraintConsumer

, -) { - let output_limbs = read_value::(lv, OUTPUT_REGISTER); - - let base = P::Scalar::from_canonical_u64(1 << LIMB_BITS); - - let aux_limbs = { - // MUL_AUX_INPUT was offset by 2^20 in generation, so we undo - // that here - let offset = P::Scalar::from_canonical_u64(AUX_COEFF_ABS_MAX as u64); - let mut aux_limbs = read_value::(lv, MUL_AUX_INPUT_LO); - let aux_limbs_hi = &lv[MUL_AUX_INPUT_HI]; - for (lo, &hi) in aux_limbs.iter_mut().zip(aux_limbs_hi) { - *lo += hi * base - offset; - } - aux_limbs - }; - - // Constraint poly holds the coefficients of the polynomial that - // must be identically zero for this multiplication to be - // verified. - // - // These two lines set constr_poly to the polynomial a(x)b(x) - c(x), - // where a, b and c are the polynomials - // - // a(x) = \sum_i input0_limbs[i] * x^i - // b(x) = \sum_i input1_limbs[i] * x^i - // c(x) = \sum_i output_limbs[i] * x^i - // - // This polynomial should equal (x - β)*s(x) where s is - // - // s(x) = \sum_i aux_limbs[i] * x^i - // - let mut constr_poly = pol_mul_lo(left_in_limbs, right_in_limbs); - pol_sub_assign(&mut constr_poly, &output_limbs); - - // This subtracts (x - β) * s(x) from constr_poly. - pol_sub_assign(&mut constr_poly, &pol_adjoin_root(aux_limbs, base)); - - // At this point constr_poly holds the coefficients of the - // polynomial a(x)b(x) - c(x) - (x - β)*s(x). The - // multiplication is valid if and only if all of those - // coefficients are zero. - for &c in &constr_poly { - yield_constr.constraint(filter * c); - } -} - -pub(crate) fn eval_packed_generic( - lv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - let is_mul = lv[IS_MUL]; - let input0_limbs = read_value::(lv, INPUT_REGISTER_0); - let input1_limbs = read_value::(lv, INPUT_REGISTER_1); - - eval_packed_generic_mul(lv, is_mul, input0_limbs, input1_limbs, yield_constr); -} - -pub(crate) fn eval_ext_mul_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - filter: ExtensionTarget, - left_in_limbs: [ExtensionTarget; 16], - right_in_limbs: [ExtensionTarget; 16], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let output_limbs = read_value::(lv, OUTPUT_REGISTER); - - let aux_limbs = { - // MUL_AUX_INPUT was offset by 2^20 in generation, so we undo - // that here - let base = builder.constant_extension(F::Extension::from_canonical_u64(1 << LIMB_BITS)); - let offset = - builder.constant_extension(F::Extension::from_canonical_u64(AUX_COEFF_ABS_MAX as u64)); - let mut aux_limbs = read_value::(lv, MUL_AUX_INPUT_LO); - let aux_limbs_hi = &lv[MUL_AUX_INPUT_HI]; - for (lo, &hi) in aux_limbs.iter_mut().zip(aux_limbs_hi) { - //*lo = lo + hi * base - offset; - let t = builder.mul_sub_extension(hi, base, offset); - *lo = builder.add_extension(*lo, t); - } - aux_limbs - }; - - let mut constr_poly = pol_mul_lo_ext_circuit(builder, left_in_limbs, right_in_limbs); - pol_sub_assign_ext_circuit(builder, &mut constr_poly, &output_limbs); - - // This subtracts (x - β) * s(x) from constr_poly. - let base = builder.constant_extension(F::Extension::from_canonical_u64(1 << LIMB_BITS)); - let rhs = pol_adjoin_root_ext_circuit(builder, aux_limbs, base); - pol_sub_assign_ext_circuit(builder, &mut constr_poly, &rhs); - - // At this point constr_poly holds the coefficients of the - // polynomial a(x)b(x) - c(x) - (x - β)*s(x). The - // multiplication is valid if and only if all of those - // coefficients are zero. - for &c in &constr_poly { - let filter = builder.mul_extension(filter, c); - yield_constr.constraint(builder, filter); - } -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let is_mul = lv[IS_MUL]; - let input0_limbs = read_value::(lv, INPUT_REGISTER_0); - let input1_limbs = read_value::(lv, INPUT_REGISTER_1); - - eval_ext_mul_circuit( - builder, - lv, - is_mul, - input0_limbs, - input1_limbs, - yield_constr, - ); -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::{Field, Sample}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - use crate::constraint_consumer::ConstraintConsumer; - - const N_RND_TESTS: usize = 1000; - - // TODO: Should be able to refactor this test to apply to all operations. - #[test] - fn generate_eval_consistency_not_mul() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // if `IS_MUL == 0`, then the constraints should be met even - // if all values are garbage. - lv[IS_MUL] = F::ZERO; - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ONE, - ); - eval_packed_generic(&lv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - - #[test] - fn generate_eval_consistency_mul() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // set `IS_MUL == 1` and ensure all constraints are satisfied. - lv[IS_MUL] = F::ONE; - - for _i in 0..N_RND_TESTS { - // set inputs to random values - for (ai, bi) in INPUT_REGISTER_0.zip(INPUT_REGISTER_1) { - lv[ai] = F::from_canonical_u16(rng.gen()); - lv[bi] = F::from_canonical_u16(rng.gen()); - } - - let left_in = U256::from(rng.gen::<[u8; 32]>()); - let right_in = U256::from(rng.gen::<[u8; 32]>()); - generate(&mut lv, left_in, right_in); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ONE, - ); - eval_packed_generic(&lv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - } -} diff --git a/evm/src/arithmetic/shift.rs b/evm/src/arithmetic/shift.rs deleted file mode 100644 index bb83798495..0000000000 --- a/evm/src/arithmetic/shift.rs +++ /dev/null @@ -1,338 +0,0 @@ -//! Support for the EVM SHL and SHR instructions. -//! -//! This crate verifies an EVM shift instruction, which takes two -//! 256-bit inputs S and A, and produces a 256-bit output C satisfying -//! -//! C = A << S (mod 2^256) for SHL or -//! C = A >> S (mod 2^256) for SHR. -//! -//! The way this computation is carried is by providing a third input -//! B = 1 << S (mod 2^256) -//! and then computing: -//! C = A * B (mod 2^256) for SHL or -//! C = A / B (mod 2^256) for SHR -//! -//! Inputs A, S, and B, and output C, are given as arrays of 16-bit -//! limbs. For example, if the limbs of A are a[0]...a[15], then -//! -//! A = \sum_{i=0}^15 a[i] β^i, -//! -//! where β = 2^16 = 2^LIMB_BITS. To verify that A, S, B and C satisfy -//! the equations, we proceed similarly to MUL for SHL and to DIV for SHR. - -use ethereum_types::U256; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::PrimeField64; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use super::{divmod, mul}; -use crate::arithmetic::columns::*; -use crate::arithmetic::utils::*; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; - -/// Generates a shift operation (either SHL or SHR). -/// The inputs are stored in the form `(shift, input, 1 << shift)`. -/// NB: if `shift >= 256`, then the third register holds 0. -/// We leverage the functions in mul.rs and divmod.rs to carry out -/// the computation. -pub(crate) fn generate( - lv: &mut [F], - nv: &mut [F], - is_shl: bool, - shift: U256, - input: U256, - result: U256, -) { - // We use the multiplication logic to generate SHL - // TODO: It would probably be clearer/cleaner to read the U256 - // into an [i64;N] and then copy that to the lv table. - // The first input is the shift we need to apply. - u256_to_array(&mut lv[INPUT_REGISTER_0], shift); - // The second register holds the input which needs shifting. - u256_to_array(&mut lv[INPUT_REGISTER_1], input); - u256_to_array(&mut lv[OUTPUT_REGISTER], result); - // If `shift >= 256`, the shifted displacement is set to 0. - // Compute 1 << shift and store it in the third input register. - let shifted_displacement = if shift > U256::from(255u64) { - U256::zero() - } else { - U256::one() << shift - }; - - u256_to_array(&mut lv[INPUT_REGISTER_2], shifted_displacement); - - let input0 = read_value_i64_limbs(lv, INPUT_REGISTER_1); // input - let input1 = read_value_i64_limbs(lv, INPUT_REGISTER_2); // 1 << shift - - if is_shl { - // We generate the multiplication input0 * input1 using mul.rs. - mul::generate_mul(lv, input0, input1); - } else { - // If the operation is SHR, we compute: `input / shifted_displacement` if `shifted_displacement == 0` - // otherwise, the output is 0. We use the logic in divmod.rs to achieve that. - divmod::generate_divmod(lv, nv, IS_SHR, INPUT_REGISTER_1, INPUT_REGISTER_2); - } -} - -/// Evaluates the constraints for an SHL opcode. -/// The logic is the same as the one for MUL. The only difference is that -/// the inputs are in `INPUT_REGISTER_1` and `INPUT_REGISTER_2` instead of -/// `INPUT_REGISTER_0` and `INPUT_REGISTER_1`. -fn eval_packed_shl( - lv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - let is_shl = lv[IS_SHL]; - let input0_limbs = read_value::(lv, INPUT_REGISTER_1); - let shifted_limbs = read_value::(lv, INPUT_REGISTER_2); - - mul::eval_packed_generic_mul(lv, is_shl, input0_limbs, shifted_limbs, yield_constr); -} - -/// Evaluates the constraints for an SHR opcode. -/// The logic is tha same as the one for DIV. The only difference is that -/// the inputs are in `INPUT_REGISTER_1` and `INPUT_REGISTER_2` instead of -/// `INPUT_REGISTER_0` and `INPUT_REGISTER_1`. -fn eval_packed_shr( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - let quo_range = OUTPUT_REGISTER; - let rem_range = AUX_INPUT_REGISTER_0; - let filter = lv[IS_SHR]; - - divmod::eval_packed_divmod_helper( - lv, - nv, - yield_constr, - filter, - INPUT_REGISTER_1, - INPUT_REGISTER_2, - quo_range, - rem_range, - ); -} - -pub(crate) fn eval_packed_generic( - lv: &[P; NUM_ARITH_COLUMNS], - nv: &[P; NUM_ARITH_COLUMNS], - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_shl(lv, yield_constr); - eval_packed_shr(lv, nv, yield_constr); -} - -fn eval_ext_circuit_shl, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let is_shl = lv[IS_SHL]; - let input0_limbs = read_value::(lv, INPUT_REGISTER_1); - let shifted_limbs = read_value::(lv, INPUT_REGISTER_2); - - mul::eval_ext_mul_circuit( - builder, - lv, - is_shl, - input0_limbs, - shifted_limbs, - yield_constr, - ); -} - -fn eval_ext_circuit_shr, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - let filter = lv[IS_SHR]; - let quo_range = OUTPUT_REGISTER; - let rem_range = AUX_INPUT_REGISTER_0; - - divmod::eval_ext_circuit_divmod_helper( - builder, - lv, - nv, - yield_constr, - filter, - INPUT_REGISTER_1, - INPUT_REGISTER_2, - quo_range, - rem_range, - ); -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - nv: &[ExtensionTarget; NUM_ARITH_COLUMNS], - yield_constr: &mut RecursiveConstraintConsumer, -) { - eval_ext_circuit_shl(builder, lv, yield_constr); - eval_ext_circuit_shr(builder, lv, nv, yield_constr); -} - -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::{Field, Sample}; - use rand::{Rng, SeedableRng}; - use rand_chacha::ChaCha8Rng; - - use super::*; - use crate::arithmetic::columns::NUM_ARITH_COLUMNS; - use crate::constraint_consumer::ConstraintConsumer; - - const N_RND_TESTS: usize = 1000; - - // TODO: Should be able to refactor this test to apply to all operations. - #[test] - fn generate_eval_consistency_not_shift() { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - let nv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // if `IS_SHL == 0` and `IS_SHR == 0`, then the constraints should be met even - // if all values are garbage. - lv[IS_SHL] = F::ZERO; - lv[IS_SHR] = F::ZERO; - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ONE, - ); - eval_packed_generic(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - - fn generate_eval_consistency_shift(is_shl: bool) { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - let mut nv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // set `IS_SHL == 1` or `IS_SHR == 1` and ensure all constraints are satisfied. - if is_shl { - lv[IS_SHL] = F::ONE; - lv[IS_SHR] = F::ZERO; - } else { - // Set `IS_DIV` to 0 in this case, since we're using the logic of DIV for SHR. - lv[IS_DIV] = F::ZERO; - lv[IS_SHL] = F::ZERO; - lv[IS_SHR] = F::ONE; - } - - for _i in 0..N_RND_TESTS { - let shift = U256::from(rng.gen::()); - - let mut full_input = U256::from(0); - // set inputs to random values - for ai in INPUT_REGISTER_1 { - lv[ai] = F::from_canonical_u16(rng.gen()); - full_input = - U256::from(lv[ai].to_canonical_u64()) + full_input * U256::from(1 << 16); - } - - let output = if is_shl { - full_input << shift - } else { - full_input >> shift - }; - - generate(&mut lv, &mut nv, is_shl, shift, full_input, output); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ZERO, - ); - eval_packed_generic(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - } - - #[test] - fn generate_eval_consistency_shl() { - generate_eval_consistency_shift(true); - } - - #[test] - fn generate_eval_consistency_shr() { - generate_eval_consistency_shift(false); - } - - fn generate_eval_consistency_shift_over_256(is_shl: bool) { - type F = GoldilocksField; - - let mut rng = ChaCha8Rng::seed_from_u64(0x6feb51b7ec230f25); - let mut lv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - let mut nv = [F::default(); NUM_ARITH_COLUMNS].map(|_| F::sample(&mut rng)); - - // set `IS_SHL == 1` or `IS_SHR == 1` and ensure all constraints are satisfied. - if is_shl { - lv[IS_SHL] = F::ONE; - lv[IS_SHR] = F::ZERO; - } else { - // Set `IS_DIV` to 0 in this case, since we're using the logic of DIV for SHR. - lv[IS_DIV] = F::ZERO; - lv[IS_SHL] = F::ZERO; - lv[IS_SHR] = F::ONE; - } - - for _i in 0..N_RND_TESTS { - let mut shift = U256::from(rng.gen::()); - while shift > U256::MAX - 256 { - shift = U256::from(rng.gen::()); - } - shift += U256::from(256); - - let mut full_input = U256::from(0); - // set inputs to random values - for ai in INPUT_REGISTER_1 { - lv[ai] = F::from_canonical_u16(rng.gen()); - full_input = - U256::from(lv[ai].to_canonical_u64()) + full_input * U256::from(1 << 16); - } - - let output = 0.into(); - generate(&mut lv, &mut nv, is_shl, shift, full_input, output); - - let mut constraint_consumer = ConstraintConsumer::new( - vec![GoldilocksField(2), GoldilocksField(3), GoldilocksField(5)], - GoldilocksField::ONE, - GoldilocksField::ONE, - GoldilocksField::ZERO, - ); - eval_packed_generic(&lv, &nv, &mut constraint_consumer); - for &acc in &constraint_consumer.constraint_accs { - assert_eq!(acc, GoldilocksField::ZERO); - } - } - } - - #[test] - fn generate_eval_consistency_shl_over_256() { - generate_eval_consistency_shift_over_256(true); - } - - #[test] - fn generate_eval_consistency_shr_over_256() { - generate_eval_consistency_shift_over_256(false); - } -} diff --git a/evm/src/arithmetic/utils.rs b/evm/src/arithmetic/utils.rs deleted file mode 100644 index 7350dd3263..0000000000 --- a/evm/src/arithmetic/utils.rs +++ /dev/null @@ -1,343 +0,0 @@ -use core::ops::{Add, AddAssign, Mul, Neg, Range, Shr, Sub, SubAssign}; - -use ethereum_types::U256; -use plonky2::field::extension::Extendable; -use plonky2::field::types::{Field, PrimeField64}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use static_assertions::const_assert; - -use crate::arithmetic::columns::{LIMB_BITS, N_LIMBS}; - -/// Return an array of `N` zeros of type T. -pub(crate) fn pol_zero() -> [T; N] -where - T: Copy + Default, -{ - // TODO: This should really be T::zero() from num::Zero, because - // default() doesn't guarantee to initialise to zero (though in - // our case it always does). However I couldn't work out how to do - // that without touching half of the entire crate because it - // involves replacing Field::is_zero() with num::Zero::is_zero() - // which is used everywhere. Hence Default::default() it is. - [T::default(); N] -} - -/// a(x) += b(x), but must have deg(a) >= deg(b). -pub(crate) fn pol_add_assign(a: &mut [T], b: &[T]) -where - T: AddAssign + Copy + Default, -{ - debug_assert!(a.len() >= b.len(), "expected {} >= {}", a.len(), b.len()); - for (a_item, b_item) in a.iter_mut().zip(b) { - *a_item += *b_item; - } -} - -pub(crate) fn pol_add_assign_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: &mut [ExtensionTarget], - b: &[ExtensionTarget], -) { - debug_assert!(a.len() >= b.len(), "expected {} >= {}", a.len(), b.len()); - for (a_item, b_item) in a.iter_mut().zip(b) { - *a_item = builder.add_extension(*a_item, *b_item); - } -} - -/// Return a(x) + b(x); returned array is bigger than necessary to -/// make the interface consistent with `pol_mul_wide`. -pub(crate) fn pol_add(a: [T; N_LIMBS], b: [T; N_LIMBS]) -> [T; 2 * N_LIMBS - 1] -where - T: Add + Copy + Default, -{ - let mut sum = pol_zero(); - for i in 0..N_LIMBS { - sum[i] = a[i] + b[i]; - } - sum -} - -pub(crate) fn pol_add_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; N_LIMBS], - b: [ExtensionTarget; N_LIMBS], -) -> [ExtensionTarget; 2 * N_LIMBS - 1] { - let zero = builder.zero_extension(); - let mut sum = [zero; 2 * N_LIMBS - 1]; - for i in 0..N_LIMBS { - sum[i] = builder.add_extension(a[i], b[i]); - } - sum -} - -/// Return a(x) - b(x); returned array is bigger than necessary to -/// make the interface consistent with `pol_mul_wide`. -pub(crate) fn pol_sub(a: [T; N_LIMBS], b: [T; N_LIMBS]) -> [T; 2 * N_LIMBS - 1] -where - T: Sub + Copy + Default, -{ - let mut diff = pol_zero(); - for i in 0..N_LIMBS { - diff[i] = a[i] - b[i]; - } - diff -} - -pub(crate) fn pol_sub_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; N_LIMBS], - b: [ExtensionTarget; N_LIMBS], -) -> [ExtensionTarget; 2 * N_LIMBS - 1] { - let zero = builder.zero_extension(); - let mut diff = [zero; 2 * N_LIMBS - 1]; - for i in 0..N_LIMBS { - diff[i] = builder.sub_extension(a[i], b[i]); - } - diff -} - -/// a(x) -= b(x), but must have deg(a) >= deg(b). -pub(crate) fn pol_sub_assign(a: &mut [T], b: &[T]) -where - T: SubAssign + Copy, -{ - debug_assert!(a.len() >= b.len(), "expected {} >= {}", a.len(), b.len()); - for (a_item, b_item) in a.iter_mut().zip(b) { - *a_item -= *b_item; - } -} - -pub(crate) fn pol_sub_assign_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: &mut [ExtensionTarget], - b: &[ExtensionTarget], -) { - debug_assert!(a.len() >= b.len(), "expected {} >= {}", a.len(), b.len()); - for (a_item, b_item) in a.iter_mut().zip(b) { - *a_item = builder.sub_extension(*a_item, *b_item); - } -} - -/// Given polynomials a(x) and b(x), return a(x)*b(x). -/// -/// NB: The caller is responsible for ensuring that no undesired -/// overflow occurs during the calculation of the coefficients of the -/// product. -pub(crate) fn pol_mul_wide(a: [T; N_LIMBS], b: [T; N_LIMBS]) -> [T; 2 * N_LIMBS - 1] -where - T: AddAssign + Copy + Mul + Default, -{ - let mut res = [T::default(); 2 * N_LIMBS - 1]; - for (i, &ai) in a.iter().enumerate() { - for (j, &bj) in b.iter().enumerate() { - res[i + j] += ai * bj; - } - } - res -} - -pub(crate) fn pol_mul_wide_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; N_LIMBS], - b: [ExtensionTarget; N_LIMBS], -) -> [ExtensionTarget; 2 * N_LIMBS - 1] { - let zero = builder.zero_extension(); - let mut res = [zero; 2 * N_LIMBS - 1]; - for (i, &ai) in a.iter().enumerate() { - for (j, &bj) in b.iter().enumerate() { - res[i + j] = builder.mul_add_extension(ai, bj, res[i + j]); - } - } - res -} - -/// As for `pol_mul_wide` but the first argument has 2N elements and -/// hence the result has 3N-1. -pub(crate) fn pol_mul_wide2(a: [T; 2 * N_LIMBS], b: [T; N_LIMBS]) -> [T; 3 * N_LIMBS - 1] -where - T: AddAssign + Copy + Mul + Default, -{ - let mut res = [T::default(); 3 * N_LIMBS - 1]; - for (i, &ai) in a.iter().enumerate() { - for (j, &bj) in b.iter().enumerate() { - res[i + j] += ai * bj; - } - } - res -} - -pub(crate) fn pol_mul_wide2_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; 2 * N_LIMBS], - b: [ExtensionTarget; N_LIMBS], -) -> [ExtensionTarget; 3 * N_LIMBS - 1] { - let zero = builder.zero_extension(); - let mut res = [zero; 3 * N_LIMBS - 1]; - for (i, &ai) in a.iter().enumerate() { - for (j, &bj) in b.iter().enumerate() { - res[i + j] = builder.mul_add_extension(ai, bj, res[i + j]); - } - } - res -} - -/// Given a(x) and b(x), return a(x)*b(x) mod 2^256. -pub(crate) fn pol_mul_lo(a: [T; N], b: [T; N]) -> [T; N] -where - T: AddAssign + Copy + Default + Mul, -{ - let mut res = pol_zero(); - for deg in 0..N { - // Invariant: i + j = deg - for i in 0..=deg { - let j = deg - i; - res[deg] += a[i] * b[j]; - } - } - res -} - -pub(crate) fn pol_mul_lo_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; N_LIMBS], - b: [ExtensionTarget; N_LIMBS], -) -> [ExtensionTarget; N_LIMBS] { - let zero = builder.zero_extension(); - let mut res = [zero; N_LIMBS]; - for deg in 0..N_LIMBS { - for i in 0..=deg { - let j = deg - i; - res[deg] = builder.mul_add_extension(a[i], b[j], res[deg]); - } - } - res -} - -/// Adjoin M - N zeros to a, returning [a[0], a[1], ..., a[N-1], 0, 0, ..., 0]. -pub(crate) fn pol_extend(a: [T; N]) -> [T; M] -where - T: Copy + Default, -{ - assert_eq!(M, 2 * N - 1); - - let mut zero_extend = pol_zero(); - zero_extend[..N].copy_from_slice(&a); - zero_extend -} - -/// Given polynomial a(x) = \sum_{i=0}^{N-2} a[i] x^i and an element -/// `root`, return b = (x - root) * a(x). -pub(crate) fn pol_adjoin_root(a: [T; N], root: U) -> [T; N] -where - T: Add + Copy + Default + Mul + Sub, - U: Copy + Mul + Neg, -{ - // \sum_i res[i] x^i = (x - root) \sum_i a[i] x^i. Comparing - // coefficients, res[0] = -root*a[0] and - // res[i] = a[i-1] - root * a[i] - - let mut res = [T::default(); N]; - res[0] = -root * a[0]; - for deg in 1..N { - res[deg] = a[deg - 1] - (root * a[deg]); - } - res -} - -pub(crate) fn pol_adjoin_root_ext_circuit< - F: RichField + Extendable, - const D: usize, - const N: usize, ->( - builder: &mut CircuitBuilder, - a: [ExtensionTarget; N], - root: ExtensionTarget, -) -> [ExtensionTarget; N] { - let zero = builder.zero_extension(); - let mut res = [zero; N]; - // res[0] = NEG_ONE * root * a[0] + ZERO * zero - res[0] = builder.mul_extension_with_const(F::NEG_ONE, root, a[0]); - for deg in 1..N { - // res[deg] = NEG_ONE * root * a[deg] + ONE * a[deg - 1] - res[deg] = builder.arithmetic_extension(F::NEG_ONE, F::ONE, root, a[deg], a[deg - 1]); - } - res -} - -/// Given polynomial a(x) = \sum_{i=0}^{N-1} a[i] x^i and a root of `a` -/// of the form 2^EXP, return q(x) satisfying a(x) = (x - root) * q(x). -/// -/// NB: We do not verify that a(2^EXP) = 0; if this doesn't hold the -/// result is basically junk. -/// -/// NB: The result could be returned in N-1 elements, but we return -/// N and set the last element to zero since the calling code -/// happens to require a result zero-extended to N elements. -pub(crate) fn pol_remove_root_2exp(a: [T; N]) -> [T; N] -where - T: Copy + Default + Neg + Shr + Sub, -{ - // By assumption β := 2^EXP is a root of `a`, i.e. (x - β) divides - // `a`; if we write - // - // a(x) = \sum_{i=0}^{N-1} a[i] x^i - // = (x - β) \sum_{i=0}^{N-2} q[i] x^i - // - // then by comparing coefficients it is easy to see that - // - // q[0] = -a[0] / β and q[i] = (q[i-1] - a[i]) / β - // - // for 0 < i <= N-1 (and the divisions are exact). - - let mut q = [T::default(); N]; - q[0] = -(a[0] >> EXP); - - // NB: Last element of q is deliberately left equal to zero. - for deg in 1..N - 1 { - q[deg] = (q[deg - 1] - a[deg]) >> EXP; - } - q -} - -/// Read the range `value_idxs` of values from `lv` into an array of -/// length `N`. Panics if the length of the range is not `N`. -pub(crate) fn read_value(lv: &[T], value_idxs: Range) -> [T; N] { - lv[value_idxs].try_into().unwrap() -} - -/// Read the range `value_idxs` of values from `lv` into an array of -/// length `N`, interpreting the values as `i64`s. Panics if the -/// length of the range is not `N`. -pub(crate) fn read_value_i64_limbs( - lv: &[F], - value_idxs: Range, -) -> [i64; N] { - let limbs: [_; N] = lv[value_idxs].try_into().unwrap(); - limbs.map(|c| c.to_canonical_u64() as i64) -} - -#[inline] -/// Turn a 64-bit integer into 4 16-bit limbs and convert them to field elements. -fn u64_to_array(out: &mut [F], x: u64) { - const_assert!(LIMB_BITS == 16); - debug_assert!(out.len() == 4); - - out[0] = F::from_canonical_u16(x as u16); - out[1] = F::from_canonical_u16((x >> 16) as u16); - out[2] = F::from_canonical_u16((x >> 32) as u16); - out[3] = F::from_canonical_u16((x >> 48) as u16); -} - -/// Turn a 256-bit integer into 16 16-bit limbs and convert them to field elements. -// TODO: Refactor/replace u256_limbs in evm/src/util.rs -pub(crate) fn u256_to_array(out: &mut [F], x: U256) { - const_assert!(N_LIMBS == 16); - debug_assert!(out.len() == N_LIMBS); - - u64_to_array(&mut out[0..4], x.0[0]); - u64_to_array(&mut out[4..8], x.0[1]); - u64_to_array(&mut out[8..12], x.0[2]); - u64_to_array(&mut out[12..16], x.0[3]); -} diff --git a/evm/src/bin/assemble.rs b/evm/src/bin/assemble.rs deleted file mode 100644 index 2afd54d7e7..0000000000 --- a/evm/src/bin/assemble.rs +++ /dev/null @@ -1,12 +0,0 @@ -use std::{env, fs}; - -use hex::encode; -use plonky2_evm::cpu::kernel::assemble_to_bytes; - -fn main() { - let mut args = env::args(); - args.next(); - let file_contents: Vec<_> = args.map(|path| fs::read_to_string(path).unwrap()).collect(); - let assembled = assemble_to_bytes(&file_contents[..]); - println!("{}", encode(assembled)); -} diff --git a/evm/src/byte_packing/byte_packing_stark.rs b/evm/src/byte_packing/byte_packing_stark.rs deleted file mode 100644 index ff7a18c06d..0000000000 --- a/evm/src/byte_packing/byte_packing_stark.rs +++ /dev/null @@ -1,435 +0,0 @@ -//! This crate enforces the correctness of reading and writing sequences -//! of bytes in Big-Endian ordering from and to the memory. -//! -//! The trace layout consists in one row for an `N` byte sequence (where 32 ≥ `N` > 0). -//! -//! At each row the `i`-th byte flag will be activated to indicate a sequence of -//! length i+1. -//! -//! The length of a sequence can be retrieved for CTLs as: -//! -//! sequence_length = \sum_{i=0}^31 b[i] * (i + 1) -//! -//! where b[i] is the `i`-th byte flag. -//! -//! Because of the discrepancy in endianness between the different tables, the byte sequences -//! are actually written in the trace in reverse order from the order they are provided. -//! We only store the virtual address `virt` of the first byte, and the virtual address for byte `i` -//! can be recovered as: -//! virt_i = virt + sequence_length - 1 - i -//! -//! Note that, when writing a sequence of bytes to memory, both the `U256` value and the -//! corresponding sequence length are being read from the stack. Because of the endianness -//! discrepancy mentioned above, we first convert the value to a byte sequence in Little-Endian, -//! then resize the sequence to prune unneeded zeros before reverting the sequence order. -//! This means that the higher-order bytes will be thrown away during the process, if the value -//! is greater than 256^length, and as a result a different value will be stored in memory. - -use core::marker::PhantomData; - -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use plonky2::util::transpose; - -use super::NUM_BYTES; -use crate::byte_packing::columns::{ - index_len, value_bytes, ADDR_CONTEXT, ADDR_SEGMENT, ADDR_VIRTUAL, IS_READ, LEN_INDICES_COLS, - NUM_COLUMNS, RANGE_COUNTER, RC_FREQUENCIES, TIMESTAMP, -}; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::lookup::{Column, Filter, Lookup}; -use crate::stark::Stark; -use crate::witness::memory::MemoryAddress; - -/// Strict upper bound for the individual bytes range-check. -const BYTE_RANGE_MAX: usize = 1usize << 8; - -/// Creates the vector of `Columns` for `BytePackingStark` corresponding to the final packed limbs being read/written. -/// `CpuStark` will look into these columns, as the CPU needs the output of byte packing. -pub(crate) fn ctl_looked_data() -> Vec> { - // Reconstruct the u32 limbs composing the final `U256` word - // being read/written from the underlying byte values. For each, - // we pack 4 consecutive bytes and shift them accordingly to - // obtain the corresponding limb. - let outputs: Vec> = (0..8) - .map(|i| { - let range = value_bytes(i * 4)..value_bytes(i * 4) + 4; - Column::linear_combination( - range - .enumerate() - .map(|(j, c)| (c, F::from_canonical_u64(1 << (8 * j)))), - ) - }) - .collect(); - - let sequence_len: Column = Column::linear_combination( - (0..NUM_BYTES).map(|i| (index_len(i), F::from_canonical_usize(i + 1))), - ); - - Column::singles([IS_READ, ADDR_CONTEXT, ADDR_SEGMENT, ADDR_VIRTUAL]) - .chain([sequence_len]) - .chain(Column::singles(&[TIMESTAMP])) - .chain(outputs) - .collect() -} - -/// CTL filter for the `BytePackingStark` looked table. -pub(crate) fn ctl_looked_filter() -> Filter { - // The CPU table is only interested in our sequence end rows, - // since those contain the final limbs of our packed int. - Filter::new_simple(Column::sum((0..NUM_BYTES).map(index_len))) -} - -/// Column linear combination for the `BytePackingStark` table reading/writing the `i`th byte sequence from `MemoryStark`. -pub(crate) fn ctl_looking_memory(i: usize) -> Vec> { - let mut res = Column::singles([IS_READ, ADDR_CONTEXT, ADDR_SEGMENT]).collect_vec(); - - // Compute the virtual address: `ADDR_VIRTUAL` + `sequence_len` - 1 - i. - let sequence_len_minus_one = (0..NUM_BYTES) - .map(|j| (index_len(j), F::from_canonical_usize(j))) - .collect::>(); - let mut addr_virt_cols = vec![(ADDR_VIRTUAL, F::ONE)]; - addr_virt_cols.extend(sequence_len_minus_one); - let addr_virt = Column::linear_combination_with_constant( - addr_virt_cols, - F::NEG_ONE * F::from_canonical_usize(i), - ); - - res.push(addr_virt); - - // The i'th input byte being read/written. - res.push(Column::single(value_bytes(i))); - - // Since we're reading a single byte, the higher limbs must be zero. - res.extend((1..8).map(|_| Column::zero())); - - res.push(Column::single(TIMESTAMP)); - - res -} - -/// CTL filter for reading/writing the `i`th byte of the byte sequence from/to memory. -pub(crate) fn ctl_looking_memory_filter(i: usize) -> Filter { - Filter::new_simple(Column::sum((i..NUM_BYTES).map(index_len))) -} - -/// Information about a byte packing operation needed for witness generation. -#[derive(Clone, Debug)] -pub(crate) struct BytePackingOp { - /// Whether this is a read (packing) or write (unpacking) operation. - pub(crate) is_read: bool, - - /// The base address at which inputs are read/written. - pub(crate) base_address: MemoryAddress, - - /// The timestamp at which inputs are read/written. - pub(crate) timestamp: usize, - - /// The byte sequence that was read/written. - /// Its length is required to be at most 32. - pub(crate) bytes: Vec, -} - -#[derive(Copy, Clone, Default)] -pub(crate) struct BytePackingStark { - pub(crate) f: PhantomData, -} - -impl, const D: usize> BytePackingStark { - pub(crate) fn generate_trace( - &self, - ops: Vec, - min_rows: usize, - timing: &mut TimingTree, - ) -> Vec> { - // Generate most of the trace in row-major form. - let trace_rows = timed!( - timing, - "generate trace rows", - self.generate_trace_rows(ops, min_rows) - ); - let trace_row_vecs: Vec<_> = trace_rows.into_iter().map(|row| row.to_vec()).collect(); - - let mut trace_cols = transpose(&trace_row_vecs); - self.generate_range_checks(&mut trace_cols); - - trace_cols.into_iter().map(PolynomialValues::new).collect() - } - - fn generate_trace_rows( - &self, - ops: Vec, - min_rows: usize, - ) -> Vec<[F; NUM_COLUMNS]> { - let base_len: usize = ops.iter().map(|op| usize::from(!op.bytes.is_empty())).sum(); - let num_rows = core::cmp::max(base_len.max(BYTE_RANGE_MAX), min_rows).next_power_of_two(); - let mut rows = Vec::with_capacity(num_rows); - - for op in ops { - if !op.bytes.is_empty() { - rows.push(self.generate_row_for_op(op)); - } - } - - for _ in rows.len()..num_rows { - rows.push(self.generate_padding_row()); - } - - rows - } - - fn generate_row_for_op(&self, op: BytePackingOp) -> [F; NUM_COLUMNS] { - let BytePackingOp { - is_read, - base_address, - timestamp, - bytes, - } = op; - - let MemoryAddress { - context, - segment, - virt, - } = base_address; - - let mut row = [F::ZERO; NUM_COLUMNS]; - row[IS_READ] = F::from_bool(is_read); - - row[ADDR_CONTEXT] = F::from_canonical_usize(context); - row[ADDR_SEGMENT] = F::from_canonical_usize(segment); - // We store the initial virtual segment. But the CTLs, - // we start with virt + sequence_len - 1. - row[ADDR_VIRTUAL] = F::from_canonical_usize(virt); - - row[TIMESTAMP] = F::from_canonical_usize(timestamp); - - row[index_len(bytes.len() - 1)] = F::ONE; - - for (i, &byte) in bytes.iter().rev().enumerate() { - row[value_bytes(i)] = F::from_canonical_u8(byte); - } - - row - } - - const fn generate_padding_row(&self) -> [F; NUM_COLUMNS] { - [F::ZERO; NUM_COLUMNS] - } - - /// Expects input in *column*-major layout - fn generate_range_checks(&self, cols: &mut [Vec]) { - debug_assert!(cols.len() == NUM_COLUMNS); - - let n_rows = cols[0].len(); - debug_assert!(cols.iter().all(|col| col.len() == n_rows)); - - for i in 0..BYTE_RANGE_MAX { - cols[RANGE_COUNTER][i] = F::from_canonical_usize(i); - } - for i in BYTE_RANGE_MAX..n_rows { - cols[RANGE_COUNTER][i] = F::from_canonical_usize(BYTE_RANGE_MAX - 1); - } - - // For each column c in cols, generate the range-check - // permutations and put them in the corresponding range-check - // columns rc_c and rc_c+1. - for col in 0..NUM_BYTES { - for i in 0..n_rows { - let c = value_bytes(col); - let x = cols[c][i].to_canonical_u64() as usize; - assert!( - x < BYTE_RANGE_MAX, - "column value {} exceeds the max range value {}", - x, - BYTE_RANGE_MAX - ); - cols[RC_FREQUENCIES][x] += F::ONE; - } - } - } -} - -impl, const D: usize> Stark for BytePackingStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let local_values: &[P; NUM_COLUMNS] = vars.get_local_values().try_into().unwrap(); - let next_values: &[P; NUM_COLUMNS] = vars.get_next_values().try_into().unwrap(); - - // Check the range column: First value must be 0, last row - // must be 255, and intermediate rows must increment by 0 - // or 1. - let rc1 = local_values[RANGE_COUNTER]; - let rc2 = next_values[RANGE_COUNTER]; - yield_constr.constraint_first_row(rc1); - let incr = rc2 - rc1; - yield_constr.constraint_transition(incr * incr - incr); - let range_max = P::Scalar::from_canonical_u64((BYTE_RANGE_MAX - 1) as u64); - yield_constr.constraint_last_row(rc1 - range_max); - - let one = P::ONES; - - // We filter active columns by summing all the byte indices. - // Constraining each of them to be boolean is done later on below. - let current_filter = local_values[LEN_INDICES_COLS].iter().copied().sum::

(); - yield_constr.constraint(current_filter * (current_filter - one)); - - // The filter column must start by one. - yield_constr.constraint_first_row(current_filter - one); - - // The is_read flag must be boolean. - let current_is_read = local_values[IS_READ]; - yield_constr.constraint(current_is_read * (current_is_read - one)); - - // Each byte index must be boolean. - for i in 0..NUM_BYTES { - let idx_i = local_values[index_len(i)]; - yield_constr.constraint(idx_i * (idx_i - one)); - } - - // Only padding rows have their filter turned off. - let next_filter = next_values[LEN_INDICES_COLS].iter().copied().sum::

(); - yield_constr.constraint_transition(next_filter * (next_filter - current_filter)); - - // Check that all limbs after final length are 0. - for i in 0..NUM_BYTES - 1 { - // If the length is i+1, then value_bytes(i+1),...,value_bytes(NUM_BYTES-1) must be 0. - for j in i + 1..NUM_BYTES { - yield_constr.constraint(local_values[index_len(i)] * local_values[value_bytes(j)]); - } - } - } - - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let local_values: &[ExtensionTarget; NUM_COLUMNS] = - vars.get_local_values().try_into().unwrap(); - let next_values: &[ExtensionTarget; NUM_COLUMNS] = - vars.get_next_values().try_into().unwrap(); - - // Check the range column: First value must be 0, last row - // must be 255, and intermediate rows must increment by 0 - // or 1. - let rc1 = local_values[RANGE_COUNTER]; - let rc2 = next_values[RANGE_COUNTER]; - yield_constr.constraint_first_row(builder, rc1); - let incr = builder.sub_extension(rc2, rc1); - let t = builder.mul_sub_extension(incr, incr, incr); - yield_constr.constraint_transition(builder, t); - let range_max = - builder.constant_extension(F::Extension::from_canonical_usize(BYTE_RANGE_MAX - 1)); - let t = builder.sub_extension(rc1, range_max); - yield_constr.constraint_last_row(builder, t); - - // We filter active columns by summing all the byte indices. - // Constraining each of them to be boolean is done later on below. - let current_filter = builder.add_many_extension(&local_values[LEN_INDICES_COLS]); - let constraint = builder.mul_sub_extension(current_filter, current_filter, current_filter); - yield_constr.constraint(builder, constraint); - - // The filter column must start by one. - let constraint = builder.add_const_extension(current_filter, F::NEG_ONE); - yield_constr.constraint_first_row(builder, constraint); - - // The is_read flag must be boolean. - let current_is_read = local_values[IS_READ]; - let constraint = - builder.mul_sub_extension(current_is_read, current_is_read, current_is_read); - yield_constr.constraint(builder, constraint); - - // Each byte index must be boolean. - for i in 0..NUM_BYTES { - let idx_i = local_values[index_len(i)]; - let constraint = builder.mul_sub_extension(idx_i, idx_i, idx_i); - yield_constr.constraint(builder, constraint); - } - - // Only padding rows have their filter turned off. - let next_filter = builder.add_many_extension(&next_values[LEN_INDICES_COLS]); - let constraint = builder.sub_extension(next_filter, current_filter); - let constraint = builder.mul_extension(next_filter, constraint); - yield_constr.constraint_transition(builder, constraint); - - // Check that all limbs after final length are 0. - for i in 0..NUM_BYTES - 1 { - // If the length is i+1, then value_bytes(i+1),...,value_bytes(NUM_BYTES-1) must be 0. - for j in i + 1..NUM_BYTES { - let constr = - builder.mul_extension(local_values[index_len(i)], local_values[value_bytes(j)]); - yield_constr.constraint(builder, constr); - } - } - } - - fn constraint_degree(&self) -> usize { - 3 - } - - fn lookups(&self) -> Vec> { - vec![Lookup { - columns: Column::singles(value_bytes(0)..value_bytes(0) + NUM_BYTES).collect(), - table_column: Column::single(RANGE_COUNTER), - frequencies_column: Column::single(RC_FREQUENCIES), - filter_columns: vec![None; NUM_BYTES], - }] - } -} - -#[cfg(test)] -pub(crate) mod tests { - use anyhow::Result; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - use crate::byte_packing::byte_packing_stark::BytePackingStark; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = BytePackingStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = BytePackingStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } -} diff --git a/evm/src/byte_packing/columns.rs b/evm/src/byte_packing/columns.rs deleted file mode 100644 index cbed53de1d..0000000000 --- a/evm/src/byte_packing/columns.rs +++ /dev/null @@ -1,42 +0,0 @@ -//! Byte packing registers. - -use core::ops::Range; - -use crate::byte_packing::NUM_BYTES; - -/// 1 if this is a READ operation, and 0 if this is a WRITE operation. -pub(crate) const IS_READ: usize = 0; - -pub(super) const LEN_INDICES_START: usize = IS_READ + 1; -// There are `NUM_BYTES` columns used to represent the length of -// the input byte sequence for a (un)packing operation. -// index_len(i) is 1 iff the length is i+1. -pub(crate) const fn index_len(i: usize) -> usize { - debug_assert!(i < NUM_BYTES); - LEN_INDICES_START + i -} - -// Note: Those are used to obtain the length of a sequence of bytes being processed. -pub(crate) const LEN_INDICES_COLS: Range = LEN_INDICES_START..LEN_INDICES_START + NUM_BYTES; - -pub(crate) const ADDR_CONTEXT: usize = LEN_INDICES_START + NUM_BYTES; -pub(crate) const ADDR_SEGMENT: usize = ADDR_CONTEXT + 1; -pub(crate) const ADDR_VIRTUAL: usize = ADDR_SEGMENT + 1; -pub(crate) const TIMESTAMP: usize = ADDR_VIRTUAL + 1; - -// 32 byte limbs hold a total of 256 bits. -const BYTES_VALUES_START: usize = TIMESTAMP + 1; -// There are `NUM_BYTES` columns used to store the values of the bytes -// that are being read/written for an (un)packing operation. -pub(crate) const fn value_bytes(i: usize) -> usize { - debug_assert!(i < NUM_BYTES); - BYTES_VALUES_START + i -} - -/// The counter column (used for the range check) starts from 0 and increments. -pub(crate) const RANGE_COUNTER: usize = BYTES_VALUES_START + NUM_BYTES; -/// The frequencies column used in logUp. -pub(crate) const RC_FREQUENCIES: usize = RANGE_COUNTER + 1; - -/// Number of columns in `BytePackingStark`. -pub(crate) const NUM_COLUMNS: usize = RANGE_COUNTER + 2; diff --git a/evm/src/byte_packing/mod.rs b/evm/src/byte_packing/mod.rs deleted file mode 100644 index 3767b21ed6..0000000000 --- a/evm/src/byte_packing/mod.rs +++ /dev/null @@ -1,10 +0,0 @@ -//! Byte packing / unpacking unit for the EVM. -//! -//! This module handles reading / writing to memory byte sequences of -//! length at most 32 in Big-Endian ordering. - -pub mod byte_packing_stark; -pub mod columns; - -/// Maximum number of bytes being processed by a byte (un)packing operation. -pub(crate) const NUM_BYTES: usize = 32; diff --git a/evm/src/config.rs b/evm/src/config.rs deleted file mode 100644 index 3f88d99f5d..0000000000 --- a/evm/src/config.rs +++ /dev/null @@ -1,43 +0,0 @@ -use plonky2::fri::reduction_strategies::FriReductionStrategy; -use plonky2::fri::{FriConfig, FriParams}; - -/// A configuration containing the different parameters to be used by the STARK prover. -pub struct StarkConfig { - /// The targeted security level for the proofs generated with this configuration. - pub security_bits: usize, - - /// The number of challenge points to generate, for IOPs that have soundness errors of (roughly) - /// `degree / |F|`. - pub num_challenges: usize, - - /// The configuration of the FRI sub-protocol. - pub fri_config: FriConfig, -} - -impl Default for StarkConfig { - fn default() -> Self { - Self::standard_fast_config() - } -} - -impl StarkConfig { - /// A typical configuration with a rate of 2, resulting in fast but large proofs. - /// Targets ~100 bit conjectured security. - pub const fn standard_fast_config() -> Self { - Self { - security_bits: 100, - num_challenges: 2, - fri_config: FriConfig { - rate_bits: 1, - cap_height: 4, - proof_of_work_bits: 16, - reduction_strategy: FriReductionStrategy::ConstantArityBits(4, 5), - num_query_rounds: 84, - }, - } - } - - pub(crate) fn fri_params(&self, degree_bits: usize) -> FriParams { - self.fri_config.fri_params(degree_bits, false) - } -} diff --git a/evm/src/constraint_consumer.rs b/evm/src/constraint_consumer.rs deleted file mode 100644 index 919b51638a..0000000000 --- a/evm/src/constraint_consumer.rs +++ /dev/null @@ -1,162 +0,0 @@ -use core::marker::PhantomData; - -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::iop::target::Target; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -pub struct ConstraintConsumer { - /// Random values used to combine multiple constraints into one. - pub alphas: Vec, - - /// Running sums of constraints that have been emitted so far, scaled by powers of alpha. - // TODO(JN): This is pub so it can be used in a test. Once we have an API for accessing this - // result, it should be made private. - pub constraint_accs: Vec

, - - /// The evaluation of `X - g^(n-1)`. - z_last: P, - - /// The evaluation of the Lagrange basis polynomial which is nonzero at the point associated - /// with the first trace row, and zero at other points in the subgroup. - lagrange_basis_first: P, - - /// The evaluation of the Lagrange basis polynomial which is nonzero at the point associated - /// with the last trace row, and zero at other points in the subgroup. - lagrange_basis_last: P, -} - -impl ConstraintConsumer

{ - pub(crate) fn new( - alphas: Vec, - z_last: P, - lagrange_basis_first: P, - lagrange_basis_last: P, - ) -> Self { - Self { - constraint_accs: vec![P::ZEROS; alphas.len()], - alphas, - z_last, - lagrange_basis_first, - lagrange_basis_last, - } - } - - pub(crate) fn accumulators(self) -> Vec

{ - self.constraint_accs - } - - /// Add one constraint valid on all rows except the last. - pub(crate) fn constraint_transition(&mut self, constraint: P) { - self.constraint(constraint * self.z_last); - } - - /// Add one constraint on all rows. - pub(crate) fn constraint(&mut self, constraint: P) { - for (&alpha, acc) in self.alphas.iter().zip(&mut self.constraint_accs) { - *acc *= alpha; - *acc += constraint; - } - } - - /// Add one constraint, but first multiply it by a filter such that it will only apply to the - /// first row of the trace. - pub(crate) fn constraint_first_row(&mut self, constraint: P) { - self.constraint(constraint * self.lagrange_basis_first); - } - - /// Add one constraint, but first multiply it by a filter such that it will only apply to the - /// last row of the trace. - pub(crate) fn constraint_last_row(&mut self, constraint: P) { - self.constraint(constraint * self.lagrange_basis_last); - } -} - -pub struct RecursiveConstraintConsumer, const D: usize> { - /// A random value used to combine multiple constraints into one. - alphas: Vec, - - /// A running sum of constraints that have been emitted so far, scaled by powers of alpha. - constraint_accs: Vec>, - - /// The evaluation of `X - g^(n-1)`. - z_last: ExtensionTarget, - - /// The evaluation of the Lagrange basis polynomial which is nonzero at the point associated - /// with the first trace row, and zero at other points in the subgroup. - lagrange_basis_first: ExtensionTarget, - - /// The evaluation of the Lagrange basis polynomial which is nonzero at the point associated - /// with the last trace row, and zero at other points in the subgroup. - lagrange_basis_last: ExtensionTarget, - - _phantom: PhantomData, -} - -impl, const D: usize> RecursiveConstraintConsumer { - pub(crate) fn new( - zero: ExtensionTarget, - alphas: Vec, - z_last: ExtensionTarget, - lagrange_basis_first: ExtensionTarget, - lagrange_basis_last: ExtensionTarget, - ) -> Self { - Self { - constraint_accs: vec![zero; alphas.len()], - alphas, - z_last, - lagrange_basis_first, - lagrange_basis_last, - _phantom: Default::default(), - } - } - - pub(crate) fn accumulators(self) -> Vec> { - self.constraint_accs - } - - /// Add one constraint valid on all rows except the last. - pub(crate) fn constraint_transition( - &mut self, - builder: &mut CircuitBuilder, - constraint: ExtensionTarget, - ) { - let filtered_constraint = builder.mul_extension(constraint, self.z_last); - self.constraint(builder, filtered_constraint); - } - - /// Add one constraint valid on all rows. - pub(crate) fn constraint( - &mut self, - builder: &mut CircuitBuilder, - constraint: ExtensionTarget, - ) { - for (&alpha, acc) in self.alphas.iter().zip(&mut self.constraint_accs) { - *acc = builder.scalar_mul_add_extension(alpha, *acc, constraint); - } - } - - /// Add one constraint, but first multiply it by a filter such that it will only apply to the - /// first row of the trace. - pub(crate) fn constraint_first_row( - &mut self, - builder: &mut CircuitBuilder, - constraint: ExtensionTarget, - ) { - let filtered_constraint = builder.mul_extension(constraint, self.lagrange_basis_first); - self.constraint(builder, filtered_constraint); - } - - /// Add one constraint, but first multiply it by a filter such that it will only apply to the - /// last row of the trace. - pub(crate) fn constraint_last_row( - &mut self, - builder: &mut CircuitBuilder, - constraint: ExtensionTarget, - ) { - let filtered_constraint = builder.mul_extension(constraint, self.lagrange_basis_last); - self.constraint(builder, filtered_constraint); - } -} diff --git a/evm/src/cpu/byte_unpacking.rs b/evm/src/cpu/byte_unpacking.rs deleted file mode 100644 index 39053141d6..0000000000 --- a/evm/src/cpu/byte_unpacking.rs +++ /dev/null @@ -1,94 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // The MSTORE_32BYTES opcodes are differentiated from MLOAD_32BYTES - // by the 5th bit set to 0. - let filter = lv.op.m_op_32bytes * (lv.opcode_bits[5] - P::ONES); - - // The address to write to is stored in the first memory channel. - // It contains virt, segment, ctx in its first 3 limbs, and 0 otherwise. - // The new address is identical, except for its `virtual` limb that is increased by the corresponding `len` offset. - let new_addr = nv.mem_channels[0].value; - let written_addr = lv.mem_channels[0].value; - - // Read len from opcode bits and constrain the pushed new offset. - let len_bits: P = lv.opcode_bits[..5] - .iter() - .enumerate() - .map(|(i, &bit)| bit * P::Scalar::from_canonical_u64(1 << i)) - .sum(); - let len = len_bits + P::ONES; - - // Check that `virt` is increased properly. - yield_constr.constraint(filter * (new_addr[0] - written_addr[0] - len)); - - // Check that `segment` and `ctx` do not change. - yield_constr.constraint(filter * (new_addr[1] - written_addr[1])); - yield_constr.constraint(filter * (new_addr[2] - written_addr[2])); - - // Check that the rest of the returned address is null. - for &limb in &new_addr[3..] { - yield_constr.constraint(filter * limb); - } -} - -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // The MSTORE_32BYTES opcodes are differentiated from MLOAD_32BYTES - // by the 5th bit set to 0. - let filter = - builder.mul_sub_extension(lv.op.m_op_32bytes, lv.opcode_bits[5], lv.op.m_op_32bytes); - - // The address to write to is stored in the first memory channel. - // It contains virt, segment, ctx in its first 3 limbs, and 0 otherwise. - // The new address is identical, except for its `virtual` limb that is increased by the corresponding `len` offset. - let new_addr = nv.mem_channels[0].value; - let written_addr = lv.mem_channels[0].value; - - // Read len from opcode bits and constrain the pushed new offset. - let len_bits = lv.opcode_bits[..5].iter().enumerate().fold( - builder.zero_extension(), - |cumul, (i, &bit)| { - builder.mul_const_add_extension(F::from_canonical_u64(1 << i), bit, cumul) - }, - ); - - // Check that `virt` is increased properly. - let diff = builder.sub_extension(new_addr[0], written_addr[0]); - let diff = builder.sub_extension(diff, len_bits); - let constr = builder.mul_sub_extension(filter, diff, filter); - yield_constr.constraint(builder, constr); - - // Check that `segment` and `ctx` do not change. - { - let diff = builder.sub_extension(new_addr[1], written_addr[1]); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - - let diff = builder.sub_extension(new_addr[2], written_addr[2]); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - // Check that the rest of the returned address is null. - for &limb in &new_addr[3..] { - let constr = builder.mul_extension(filter, limb); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/clock.rs b/evm/src/cpu/clock.rs deleted file mode 100644 index cd7b17d8ed..0000000000 --- a/evm/src/cpu/clock.rs +++ /dev/null @@ -1,37 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -/// Check the correct updating of `clock`. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // The clock is 0 at the beginning. - yield_constr.constraint_first_row(lv.clock); - // The clock is incremented by 1 at each row. - yield_constr.constraint_transition(nv.clock - lv.clock - P::ONES); -} - -/// Circuit version of `eval_packed`. -/// Check the correct updating of `clock`. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // The clock is 0 at the beginning. - yield_constr.constraint_first_row(builder, lv.clock); - // The clock is incremented by 1 at each row. - { - let new_clock = builder.add_const_extension(lv.clock, F::ONE); - let constr = builder.sub_extension(nv.clock, new_clock); - yield_constr.constraint_transition(builder, constr); - } -} diff --git a/evm/src/cpu/columns/general.rs b/evm/src/cpu/columns/general.rs deleted file mode 100644 index f565acc625..0000000000 --- a/evm/src/cpu/columns/general.rs +++ /dev/null @@ -1,157 +0,0 @@ -use core::borrow::{Borrow, BorrowMut}; -use core::fmt::{Debug, Formatter}; -use core::mem::{size_of, transmute}; - -/// General purpose columns, which can have different meanings depending on what CTL or other -/// operation is occurring at this row. -#[derive(Clone, Copy)] -pub(crate) union CpuGeneralColumnsView { - exception: CpuExceptionView, - logic: CpuLogicView, - jumps: CpuJumpsView, - shift: CpuShiftView, - stack: CpuStackView, -} - -impl CpuGeneralColumnsView { - /// View of the columns used for exceptions: they are the exception code bits. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn exception(&self) -> &CpuExceptionView { - unsafe { &self.exception } - } - - /// Mutable view of the column required for exceptions: they are the exception code bits. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn exception_mut(&mut self) -> &mut CpuExceptionView { - unsafe { &mut self.exception } - } - - /// View of the columns required for logic operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn logic(&self) -> &CpuLogicView { - unsafe { &self.logic } - } - - /// Mutable view of the columns required for logic operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn logic_mut(&mut self) -> &mut CpuLogicView { - unsafe { &mut self.logic } - } - - /// View of the columns required for jump operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn jumps(&self) -> &CpuJumpsView { - unsafe { &self.jumps } - } - - /// Mutable view of the columns required for jump operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn jumps_mut(&mut self) -> &mut CpuJumpsView { - unsafe { &mut self.jumps } - } - - /// View of the columns required for shift operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn shift(&self) -> &CpuShiftView { - unsafe { &self.shift } - } - - /// Mutable view of the columns required for shift operations. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn shift_mut(&mut self) -> &mut CpuShiftView { - unsafe { &mut self.shift } - } - - /// View of the columns required for the stack top. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn stack(&self) -> &CpuStackView { - unsafe { &self.stack } - } - - /// Mutable view of the columns required for the stack top. - /// SAFETY: Each view is a valid interpretation of the underlying array. - pub(crate) fn stack_mut(&mut self) -> &mut CpuStackView { - unsafe { &mut self.stack } - } -} - -impl PartialEq for CpuGeneralColumnsView { - #[allow(clippy::unconditional_recursion)] // false positive - fn eq(&self, other: &Self) -> bool { - let self_arr: &[T; NUM_SHARED_COLUMNS] = self.borrow(); - let other_arr: &[T; NUM_SHARED_COLUMNS] = other.borrow(); - self_arr == other_arr - } -} - -impl Eq for CpuGeneralColumnsView {} - -impl Debug for CpuGeneralColumnsView { - fn fmt(&self, f: &mut Formatter<'_>) -> std::fmt::Result { - let self_arr: &[T; NUM_SHARED_COLUMNS] = self.borrow(); - Debug::fmt(self_arr, f) - } -} - -impl Borrow<[T; NUM_SHARED_COLUMNS]> for CpuGeneralColumnsView { - fn borrow(&self) -> &[T; NUM_SHARED_COLUMNS] { - unsafe { transmute(self) } - } -} - -impl BorrowMut<[T; NUM_SHARED_COLUMNS]> for CpuGeneralColumnsView { - fn borrow_mut(&mut self) -> &mut [T; NUM_SHARED_COLUMNS] { - unsafe { transmute(self) } - } -} - -/// View of the first three `CpuGeneralColumns` containing exception code bits. -#[derive(Copy, Clone)] -pub(crate) struct CpuExceptionView { - /// Exception code as little-endian bits. - pub(crate) exc_code_bits: [T; 3], -} - -/// View of the `CpuGeneralColumns` storing pseudo-inverses used to prove logic operations. -#[derive(Copy, Clone)] -pub(crate) struct CpuLogicView { - /// Pseudoinverse of `(input0 - input1)`. Used prove that they are unequal. Assumes 32-bit limbs. - pub(crate) diff_pinv: [T; 8], -} - -/// View of the first two `CpuGeneralColumns` storing a flag and a pseudoinverse used to prove jumps. -#[derive(Copy, Clone)] -pub(crate) struct CpuJumpsView { - /// A flag indicating whether a jump should occur. - pub(crate) should_jump: T, - /// Pseudoinverse of `cond.iter().sum()`. Used to check `should_jump`. - pub(crate) cond_sum_pinv: T, -} - -/// View of the first `CpuGeneralColumns` storing a pseudoinverse used to prove shift operations. -#[derive(Copy, Clone)] -pub(crate) struct CpuShiftView { - /// For a shift amount of displacement: [T], this is the inverse of - /// sum(displacement[1..]) or zero if the sum is zero. - pub(crate) high_limb_sum_inv: T, -} - -/// View of the last four `CpuGeneralColumns` storing stack-related variables. The first three are used -/// for conditionally enabling and disabling channels when reading the next `stack_top`, and the fourth one -/// is used to check for stack overflow. -#[derive(Copy, Clone)] -pub(crate) struct CpuStackView { - _unused: [T; 4], - /// Pseudoinverse of `stack_len - num_pops`. - pub(crate) stack_inv: T, - /// stack_inv * stack_len. - pub(crate) stack_inv_aux: T, - /// Used to reduce the degree of stack constraints when needed. - pub(crate) stack_inv_aux_2: T, - /// Pseudoinverse of `nv.stack_len - (MAX_USER_STACK_SIZE + 1)` to check for stack overflow. - pub(crate) stack_len_bounds_aux: T, -} - -/// Number of columns shared by all the views of `CpuGeneralColumnsView`. -/// `u8` is guaranteed to have a `size_of` of 1. -pub(crate) const NUM_SHARED_COLUMNS: usize = size_of::>(); diff --git a/evm/src/cpu/columns/mod.rs b/evm/src/cpu/columns/mod.rs deleted file mode 100644 index 92da4e9979..0000000000 --- a/evm/src/cpu/columns/mod.rs +++ /dev/null @@ -1,168 +0,0 @@ -use core::borrow::{Borrow, BorrowMut}; -use core::fmt::Debug; -use core::mem::{size_of, transmute}; -use core::ops::{Index, IndexMut}; - -use plonky2::field::types::Field; - -use crate::cpu::columns::general::CpuGeneralColumnsView; -use crate::cpu::columns::ops::OpsColumnsView; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::memory; -use crate::util::{indices_arr, transmute_no_compile_time_size_checks}; - -mod general; -/// Cpu operation flags. -pub(crate) mod ops; - -/// 32-bit limbs of the value stored in the current memory channel. -pub type MemValue = [T; memory::VALUE_LIMBS]; - -/// View of the columns required for one memory channel. -#[repr(C)] -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub(crate) struct MemoryChannelView { - /// 1 if this row includes a memory operation in the `i`th channel of the memory bus, otherwise - /// 0. - pub used: T, - /// 1 if a read is performed on the `i`th channel of the memory bus, otherwise 0. - pub is_read: T, - /// Context of the memory operation in the `i`th channel of the memory bus. - pub addr_context: T, - /// Segment of the memory operation in the `ith` channel of the memory bus. - pub addr_segment: T, - /// Virtual address of the memory operation in the `ith` channel of the memory bus. - pub addr_virtual: T, - /// Value, subdivided into 32-bit limbs, stored in the `ith` channel of the memory bus. - pub value: MemValue, -} - -/// View of all the columns in `CpuStark`. -#[repr(C)] -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -// A more lightweight channel, sharing values with the 0-th memory channel -// (which contains the top of the stack). -pub(crate) struct PartialMemoryChannelView { - pub used: T, - pub is_read: T, - pub addr_context: T, - pub addr_segment: T, - pub addr_virtual: T, -} - -#[repr(C)] -#[derive(Clone, Copy, Eq, PartialEq, Debug)] -pub(crate) struct CpuColumnsView { - /// If CPU cycle: Current context. - pub context: T, - - /// If CPU cycle: Context for code memory channel. - pub code_context: T, - - /// If CPU cycle: The program counter for the current instruction. - pub program_counter: T, - - /// If CPU cycle: The stack length. - pub stack_len: T, - - /// If CPU cycle: We're in kernel (privileged) mode. - pub is_kernel_mode: T, - - /// If CPU cycle: Gas counter. - pub gas: T, - - /// If CPU cycle: flags for EVM instructions (a few cannot be shared; see the comments in - /// `OpsColumnsView`). - pub op: OpsColumnsView, - - /// If CPU cycle: the opcode, broken up into bits in little-endian order. - pub opcode_bits: [T; 8], - - /// Columns shared by various operations. - pub(crate) general: CpuGeneralColumnsView, - - /// CPU clock. - pub(crate) clock: T, - - /// Memory bus channels in the CPU. - /// Full channels are comprised of 13 columns. - pub mem_channels: [MemoryChannelView; NUM_GP_CHANNELS], - /// Partial channel is only comprised of 5 columns. - pub(crate) partial_channel: PartialMemoryChannelView, -} - -/// Total number of columns in `CpuStark`. -/// `u8` is guaranteed to have a `size_of` of 1. -pub(crate) const NUM_CPU_COLUMNS: usize = size_of::>(); - -impl Default for CpuColumnsView { - fn default() -> Self { - Self::from([F::ZERO; NUM_CPU_COLUMNS]) - } -} - -impl From<[T; NUM_CPU_COLUMNS]> for CpuColumnsView { - fn from(value: [T; NUM_CPU_COLUMNS]) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl From> for [T; NUM_CPU_COLUMNS] { - fn from(value: CpuColumnsView) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl Borrow> for [T; NUM_CPU_COLUMNS] { - fn borrow(&self) -> &CpuColumnsView { - unsafe { transmute(self) } - } -} - -impl BorrowMut> for [T; NUM_CPU_COLUMNS] { - fn borrow_mut(&mut self) -> &mut CpuColumnsView { - unsafe { transmute(self) } - } -} - -impl Borrow<[T; NUM_CPU_COLUMNS]> for CpuColumnsView { - fn borrow(&self) -> &[T; NUM_CPU_COLUMNS] { - unsafe { transmute(self) } - } -} - -impl BorrowMut<[T; NUM_CPU_COLUMNS]> for CpuColumnsView { - fn borrow_mut(&mut self) -> &mut [T; NUM_CPU_COLUMNS] { - unsafe { transmute(self) } - } -} - -impl Index for CpuColumnsView -where - [T]: Index, -{ - type Output = <[T] as Index>::Output; - - fn index(&self, index: I) -> &Self::Output { - let arr: &[T; NUM_CPU_COLUMNS] = self.borrow(); - <[T] as Index>::index(arr, index) - } -} - -impl IndexMut for CpuColumnsView -where - [T]: IndexMut, -{ - fn index_mut(&mut self, index: I) -> &mut Self::Output { - let arr: &mut [T; NUM_CPU_COLUMNS] = self.borrow_mut(); - <[T] as IndexMut>::index_mut(arr, index) - } -} - -const fn make_col_map() -> CpuColumnsView { - let indices_arr = indices_arr::(); - unsafe { transmute::<[usize; NUM_CPU_COLUMNS], CpuColumnsView>(indices_arr) } -} - -/// Mapping between [0..NUM_CPU_COLUMNS-1] and the CPU columns. -pub(crate) const COL_MAP: CpuColumnsView = make_col_map(); diff --git a/evm/src/cpu/columns/ops.rs b/evm/src/cpu/columns/ops.rs deleted file mode 100644 index c15d657229..0000000000 --- a/evm/src/cpu/columns/ops.rs +++ /dev/null @@ -1,89 +0,0 @@ -use core::borrow::{Borrow, BorrowMut}; -use core::mem::{size_of, transmute}; -use core::ops::{Deref, DerefMut}; - -use crate::util::transmute_no_compile_time_size_checks; - -/// Structure representing the flags for the various opcodes. -#[repr(C)] -#[derive(Clone, Copy, Eq, PartialEq, Debug)] -pub(crate) struct OpsColumnsView { - /// Combines ADD, MUL, SUB, DIV, MOD, LT, GT and BYTE flags. - pub binary_op: T, - /// Combines ADDMOD, MULMOD and SUBMOD flags. - pub ternary_op: T, - /// Combines ADD_FP254, MUL_FP254 and SUB_FP254 flags. - pub fp254_op: T, - /// Combines EQ and ISZERO flags. - pub eq_iszero: T, - /// Combines AND, OR and XOR flags. - pub logic_op: T, - /// Combines NOT and POP flags. - pub not_pop: T, - /// Combines SHL and SHR flags. - pub shift: T, - /// Combines JUMPDEST and KECCAK_GENERAL flags. - pub jumpdest_keccak_general: T, - /// Combines JUMP and JUMPI flags. - pub jumps: T, - /// Combines PUSH and PROVER_INPUT flags. - pub push_prover_input: T, - /// Combines DUP and SWAP flags. - pub dup_swap: T, - /// Combines GET_CONTEXT and SET_CONTEXT flags. - pub context_op: T, - /// Combines MSTORE_32BYTES and MLOAD_32BYTES. - pub m_op_32bytes: T, - /// Flag for EXIT_KERNEL. - pub exit_kernel: T, - /// Combines MSTORE_GENERAL and MLOAD_GENERAL flags. - pub m_op_general: T, - /// Combines PC and PUSH0 - pub pc_push0: T, - - /// Flag for syscalls. - pub syscall: T, - /// Flag for exceptions. - pub exception: T, -} - -/// Number of columns in Cpu Stark. -/// `u8` is guaranteed to have a `size_of` of 1. -pub(crate) const NUM_OPS_COLUMNS: usize = size_of::>(); - -impl From<[T; NUM_OPS_COLUMNS]> for OpsColumnsView { - fn from(value: [T; NUM_OPS_COLUMNS]) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl From> for [T; NUM_OPS_COLUMNS] { - fn from(value: OpsColumnsView) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl Borrow> for [T; NUM_OPS_COLUMNS] { - fn borrow(&self) -> &OpsColumnsView { - unsafe { transmute(self) } - } -} - -impl BorrowMut> for [T; NUM_OPS_COLUMNS] { - fn borrow_mut(&mut self) -> &mut OpsColumnsView { - unsafe { transmute(self) } - } -} - -impl Deref for OpsColumnsView { - type Target = [T; NUM_OPS_COLUMNS]; - fn deref(&self) -> &Self::Target { - unsafe { transmute(self) } - } -} - -impl DerefMut for OpsColumnsView { - fn deref_mut(&mut self) -> &mut Self::Target { - unsafe { transmute(self) } - } -} diff --git a/evm/src/cpu/contextops.rs b/evm/src/cpu/contextops.rs deleted file mode 100644 index ec4e5e5e6e..0000000000 --- a/evm/src/cpu/contextops.rs +++ /dev/null @@ -1,344 +0,0 @@ -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use super::columns::ops::OpsColumnsView; -use super::cpu_stark::{disable_unused_channels, disable_unused_channels_circuit}; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::memory::segments::Segment; - -// If true, the instruction will keep the current context for the next row. -// If false, next row's context is handled manually. -const KEEPS_CONTEXT: OpsColumnsView = OpsColumnsView { - binary_op: true, - ternary_op: true, - fp254_op: true, - eq_iszero: true, - logic_op: true, - not_pop: true, - shift: true, - jumpdest_keccak_general: true, - push_prover_input: true, - jumps: true, - pc_push0: true, - dup_swap: true, - context_op: false, - m_op_32bytes: true, - exit_kernel: true, - m_op_general: true, - syscall: true, - exception: true, -}; - -fn eval_packed_keep( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - for (op, keeps_context) in izip!(lv.op.into_iter(), KEEPS_CONTEXT.into_iter()) { - if keeps_context { - yield_constr.constraint_transition(op * (nv.context - lv.context)); - } - } - - // context_op is hybrid; we evaluate it separately. - let is_get_context = lv.op.context_op * (lv.opcode_bits[0] - P::ONES); - yield_constr.constraint_transition(is_get_context * (nv.context - lv.context)); -} - -fn eval_ext_circuit_keep, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - for (op, keeps_context) in izip!(lv.op.into_iter(), KEEPS_CONTEXT.into_iter()) { - if keeps_context { - let diff = builder.sub_extension(nv.context, lv.context); - let constr = builder.mul_extension(op, diff); - yield_constr.constraint_transition(builder, constr); - } - } - - // context_op is hybrid; we evaluate it separately. - let is_get_context = - builder.mul_sub_extension(lv.op.context_op, lv.opcode_bits[0], lv.op.context_op); - let diff = builder.sub_extension(nv.context, lv.context); - let constr = builder.mul_extension(is_get_context, diff); - yield_constr.constraint_transition(builder, constr); -} - -/// Evaluates constraints for GET_CONTEXT. -fn eval_packed_get( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // If the opcode is GET_CONTEXT, then lv.opcode_bits[0] = 0. - let filter = lv.op.context_op * (P::ONES - lv.opcode_bits[0]); - let new_stack_top = nv.mem_channels[0].value; - // Context is scaled by 2^64, hence stored in the 3rd limb. - yield_constr.constraint(filter * (new_stack_top[2] - lv.context)); - - for (_, &limb) in new_stack_top.iter().enumerate().filter(|(i, _)| *i != 2) { - yield_constr.constraint(filter * limb); - } - - // Constrain new stack length. - yield_constr.constraint(filter * (nv.stack_len - (lv.stack_len + P::ONES))); - - // Unused channels. - disable_unused_channels(lv, filter, vec![1], yield_constr); - yield_constr.constraint(filter * nv.mem_channels[0].used); -} - -/// Circuit version of `eval_packed_get`. -/// Evaluates constraints for GET_CONTEXT. -fn eval_ext_circuit_get, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // If the opcode is GET_CONTEXT, then lv.opcode_bits[0] = 0. - let prod = builder.mul_extension(lv.op.context_op, lv.opcode_bits[0]); - let filter = builder.sub_extension(lv.op.context_op, prod); - let new_stack_top = nv.mem_channels[0].value; - // Context is scaled by 2^64, hence stored in the 3rd limb. - { - let diff = builder.sub_extension(new_stack_top[2], lv.context); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - for (_, &limb) in new_stack_top.iter().enumerate().filter(|(i, _)| *i != 2) { - let constr = builder.mul_extension(filter, limb); - yield_constr.constraint(builder, constr); - } - - // Constrain new stack length. - { - let new_len = builder.add_const_extension(lv.stack_len, F::ONE); - let diff = builder.sub_extension(nv.stack_len, new_len); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - // Unused channels. - disable_unused_channels_circuit(builder, lv, filter, vec![1], yield_constr); - { - let constr = builder.mul_extension(filter, nv.mem_channels[0].used); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates constraints for `SET_CONTEXT`. -fn eval_packed_set( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let filter = lv.op.context_op * lv.opcode_bits[0]; - let stack_top = lv.mem_channels[0].value; - - // The next row's context is read from stack_top. - yield_constr.constraint(filter * (stack_top[2] - nv.context)); - for (_, &limb) in stack_top.iter().enumerate().filter(|(i, _)| *i != 2) { - yield_constr.constraint(filter * limb); - } - - // The old SP is decremented (since the new context was popped) and stored in memory. - // The new SP is loaded from memory. - // This is all done with CTLs: nothing is constrained here. - - // Constrain stack_inv_aux_2. - let new_top_channel = nv.mem_channels[0]; - yield_constr.constraint( - lv.op.context_op - * (lv.general.stack().stack_inv_aux * lv.opcode_bits[0] - - lv.general.stack().stack_inv_aux_2), - ); - // The new top is loaded in memory channel 2, if the stack isn't empty (see eval_packed). - for (&limb_new_top, &limb_read_top) in new_top_channel - .value - .iter() - .zip(lv.mem_channels[2].value.iter()) - { - yield_constr.constraint( - lv.op.context_op * lv.general.stack().stack_inv_aux_2 * (limb_new_top - limb_read_top), - ); - } - - // Unused channels. - disable_unused_channels(lv, filter, vec![1], yield_constr); - yield_constr.constraint(filter * new_top_channel.used); -} - -/// Circuit version of `eval_packed_set`. -/// Evaluates constraints for SET_CONTEXT. -fn eval_ext_circuit_set, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let filter = builder.mul_extension(lv.op.context_op, lv.opcode_bits[0]); - let stack_top = lv.mem_channels[0].value; - - // The next row's context is read from stack_top. - { - let diff = builder.sub_extension(stack_top[2], nv.context); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - for (_, &limb) in stack_top.iter().enumerate().filter(|(i, _)| *i != 2) { - let constr = builder.mul_extension(filter, limb); - yield_constr.constraint(builder, constr); - } - - // The old SP is decremented (since the new context was popped) and stored in memory. - // The new SP is loaded from memory. - // This is all done with CTLs: nothing is constrained here. - - // Constrain stack_inv_aux_2. - let new_top_channel = nv.mem_channels[0]; - { - let diff = builder.mul_sub_extension( - lv.general.stack().stack_inv_aux, - lv.opcode_bits[0], - lv.general.stack().stack_inv_aux_2, - ); - let constr = builder.mul_extension(lv.op.context_op, diff); - yield_constr.constraint(builder, constr); - } - // The new top is loaded in memory channel 2, if the stack isn't empty (see eval_packed). - for (&limb_new_top, &limb_read_top) in new_top_channel - .value - .iter() - .zip(lv.mem_channels[2].value.iter()) - { - let diff = builder.sub_extension(limb_new_top, limb_read_top); - let prod = builder.mul_extension(lv.general.stack().stack_inv_aux_2, diff); - let constr = builder.mul_extension(lv.op.context_op, prod); - yield_constr.constraint(builder, constr); - } - - // Unused channels. - disable_unused_channels_circuit(builder, lv, filter, vec![1], yield_constr); - { - let constr = builder.mul_extension(filter, new_top_channel.used); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates the constraints for the GET and SET opcodes. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_keep(lv, nv, yield_constr); - eval_packed_get(lv, nv, yield_constr); - eval_packed_set(lv, nv, yield_constr); - - // Stack constraints. - // Both operations use memory channel 2. The operations are similar enough that - // we can constrain both at the same time. - let filter = lv.op.context_op; - let channel = lv.mem_channels[2]; - // For get_context, we check if lv.stack_len is 0. For set_context, we check if nv.stack_len is 0. - // However, for get_context, we can deduce lv.stack_len from nv.stack_len since the operation only pushes. - let stack_len = nv.stack_len - (P::ONES - lv.opcode_bits[0]); - // Constrain stack_inv_aux. It's 0 if the relevant stack is empty, 1 otherwise. - yield_constr.constraint( - filter * (stack_len * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - // Enable or disable the channel. - yield_constr.constraint(filter * (lv.general.stack().stack_inv_aux - channel.used)); - let new_filter = filter * lv.general.stack().stack_inv_aux; - // It's a write for get_context, a read for set_context. - yield_constr.constraint(new_filter * (channel.is_read - lv.opcode_bits[0])); - // In both cases, next row's context works. - yield_constr.constraint(new_filter * (channel.addr_context - nv.context)); - // Same segment for both. - yield_constr.constraint( - new_filter - * (channel.addr_segment - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - // The address is one less than stack_len. - let addr_virtual = stack_len - P::ONES; - yield_constr.constraint(new_filter * (channel.addr_virtual - addr_virtual)); -} - -/// Circuit version of èval_packed`. -/// Evaluates the constraints for the GET and SET opcodes. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - eval_ext_circuit_keep(builder, lv, nv, yield_constr); - eval_ext_circuit_get(builder, lv, nv, yield_constr); - eval_ext_circuit_set(builder, lv, nv, yield_constr); - - // Stack constraints. - // Both operations use memory channel 2. The operations are similar enough that - // we can constrain both at the same time. - let filter = lv.op.context_op; - let channel = lv.mem_channels[2]; - // For get_context, we check if lv.stack_len is 0. For set_context, we check if nv.stack_len is 0. - // However, for get_context, we can deduce lv.stack_len from nv.stack_len since the operation only pushes. - let diff = builder.add_const_extension(lv.opcode_bits[0], -F::ONE); - let stack_len = builder.add_extension(nv.stack_len, diff); - // Constrain stack_inv_aux. It's 0 if the relevant stack is empty, 1 otherwise. - { - let diff = builder.mul_sub_extension( - stack_len, - lv.general.stack().stack_inv, - lv.general.stack().stack_inv_aux, - ); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - // Enable or disable the channel. - { - let diff = builder.sub_extension(lv.general.stack().stack_inv_aux, channel.used); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - let new_filter = builder.mul_extension(filter, lv.general.stack().stack_inv_aux); - // It's a write for get_context, a read for set_context. - { - let diff = builder.sub_extension(channel.is_read, lv.opcode_bits[0]); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint(builder, constr); - } - // In both cases, next row's context works. - { - let diff = builder.sub_extension(channel.addr_context, nv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint(builder, constr); - } - // Same segment for both. - { - let diff = builder.add_const_extension( - channel.addr_segment, - -F::from_canonical_usize(Segment::Stack.unscale()), - ); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint(builder, constr); - } - // The address is one less than stack_len. - { - let addr_virtual = builder.add_const_extension(stack_len, -F::ONE); - let diff = builder.sub_extension(channel.addr_virtual, addr_virtual); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/control_flow.rs b/evm/src/cpu/control_flow.rs deleted file mode 100644 index bde5930572..0000000000 --- a/evm/src/cpu/control_flow.rs +++ /dev/null @@ -1,166 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::{CpuColumnsView, COL_MAP}; -use crate::cpu::kernel::aggregator::KERNEL; - -const NATIVE_INSTRUCTIONS: [usize; 12] = [ - COL_MAP.op.binary_op, - COL_MAP.op.ternary_op, - COL_MAP.op.fp254_op, - COL_MAP.op.eq_iszero, - COL_MAP.op.logic_op, - COL_MAP.op.not_pop, - COL_MAP.op.shift, - COL_MAP.op.jumpdest_keccak_general, - // Not PROVER_INPUT: it is dealt with manually below. - // not JUMPS (possible need to jump) - COL_MAP.op.pc_push0, - // not PUSH (need to increment by more than 1) - COL_MAP.op.dup_swap, - COL_MAP.op.context_op, - // not EXIT_KERNEL (performs a jump) - COL_MAP.op.m_op_general, - // not SYSCALL (performs a jump) - // not exceptions (also jump) -]; - -/// Returns `halt`'s program counter. -pub(crate) fn get_halt_pc() -> F { - let halt_pc = KERNEL.global_labels["halt"]; - F::from_canonical_usize(halt_pc) -} - -/// Returns `main`'s program counter. -pub(crate) fn get_start_pc() -> F { - let start_pc = KERNEL.global_labels["main"]; - - F::from_canonical_usize(start_pc) -} - -/// Evaluates the constraints related to the flow of instructions. -pub(crate) fn eval_packed_generic( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let is_cpu_cycle: P = COL_MAP.op.iter().map(|&col_i| lv[col_i]).sum(); - let is_cpu_cycle_next: P = COL_MAP.op.iter().map(|&col_i| nv[col_i]).sum(); - - let next_halt_state = P::ONES - is_cpu_cycle_next; - - // Once we start executing instructions, then we continue until the end of the table - // or we reach dummy padding rows. This, along with the constraints on the first row, - // enforces that operation flags and the halt flag are mutually exclusive over the entire - // CPU trace. - yield_constr - .constraint_transition(is_cpu_cycle * (is_cpu_cycle_next + next_halt_state - P::ONES)); - - // If a row is a CPU cycle and executing a native instruction (implemented as a table row; not - // microcoded) then the program counter is incremented by 1 to obtain the next row's program - // counter. Also, the next row has the same kernel flag. - let is_native_instruction: P = NATIVE_INSTRUCTIONS.iter().map(|&col_i| lv[col_i]).sum(); - yield_constr.constraint_transition( - is_native_instruction * (lv.program_counter - nv.program_counter + P::ONES), - ); - yield_constr - .constraint_transition(is_native_instruction * (lv.is_kernel_mode - nv.is_kernel_mode)); - - // Apply the same checks as before, for PROVER_INPUT. - let is_prover_input: P = lv.op.push_prover_input * (lv.opcode_bits[5] - P::ONES); - yield_constr.constraint_transition( - is_prover_input * (lv.program_counter - nv.program_counter + P::ONES), - ); - yield_constr.constraint_transition(is_prover_input * (lv.is_kernel_mode - nv.is_kernel_mode)); - - // If a non-CPU cycle row is followed by a CPU cycle row, then: - // - the `program_counter` of the CPU cycle row is `main` (the entry point of our kernel), - // - execution is in kernel mode, and - // - the stack is empty. - let is_last_noncpu_cycle = (is_cpu_cycle - P::ONES) * is_cpu_cycle_next; - let pc_diff = nv.program_counter - get_start_pc::(); - yield_constr.constraint_transition(is_last_noncpu_cycle * pc_diff); - yield_constr.constraint_transition(is_last_noncpu_cycle * (nv.is_kernel_mode - P::ONES)); - yield_constr.constraint_transition(is_last_noncpu_cycle * nv.stack_len); -} - -/// Circuit version of `eval_packed`. -/// Evaluates the constraints related to the flow of instructions. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let one = builder.one_extension(); - - let is_cpu_cycle = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| lv[col_i])); - let is_cpu_cycle_next = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| nv[col_i])); - - let next_halt_state = builder.sub_extension(one, is_cpu_cycle_next); - - // Once we start executing instructions, then we continue until the end of the table - // or we reach dummy padding rows. This, along with the constraints on the first row, - // enforces that operation flags and the halt flag are mutually exclusive over the entire - // CPU trace. - { - let constr = builder.add_extension(is_cpu_cycle_next, next_halt_state); - let constr = builder.mul_sub_extension(is_cpu_cycle, constr, is_cpu_cycle); - yield_constr.constraint_transition(builder, constr); - } - - // If a row is a CPU cycle and executing a native instruction (implemented as a table row; not - // microcoded) then the program counter is incremented by 1 to obtain the next row's program - // counter. Also, the next row has the same kernel flag. - { - let filter = builder.add_many_extension(NATIVE_INSTRUCTIONS.iter().map(|&col_i| lv[col_i])); - let pc_diff = builder.sub_extension(lv.program_counter, nv.program_counter); - let pc_constr = builder.mul_add_extension(filter, pc_diff, filter); - yield_constr.constraint_transition(builder, pc_constr); - let kernel_diff = builder.sub_extension(lv.is_kernel_mode, nv.is_kernel_mode); - let kernel_constr = builder.mul_extension(filter, kernel_diff); - yield_constr.constraint_transition(builder, kernel_constr); - - // Same constraints as before, for PROVER_INPUT. - let is_prover_input = builder.mul_sub_extension( - lv.op.push_prover_input, - lv.opcode_bits[5], - lv.op.push_prover_input, - ); - let pc_constr = builder.mul_add_extension(is_prover_input, pc_diff, is_prover_input); - yield_constr.constraint_transition(builder, pc_constr); - let kernel_constr = builder.mul_extension(is_prover_input, kernel_diff); - yield_constr.constraint_transition(builder, kernel_constr); - } - - // If a non-CPU cycle row is followed by a CPU cycle row, then: - // - the `program_counter` of the CPU cycle row is `main` (the entry point of our kernel), - // - execution is in kernel mode, and - // - the stack is empty. - { - let is_last_noncpu_cycle = - builder.mul_sub_extension(is_cpu_cycle, is_cpu_cycle_next, is_cpu_cycle_next); - - // Start at `main`. - let main = builder.constant_extension(get_start_pc::().into()); - let pc_diff = builder.sub_extension(nv.program_counter, main); - let pc_constr = builder.mul_extension(is_last_noncpu_cycle, pc_diff); - yield_constr.constraint_transition(builder, pc_constr); - - // Start in kernel mode - let kernel_constr = builder.mul_sub_extension( - is_last_noncpu_cycle, - nv.is_kernel_mode, - is_last_noncpu_cycle, - ); - yield_constr.constraint_transition(builder, kernel_constr); - - // Start with empty stack - let kernel_constr = builder.mul_extension(is_last_noncpu_cycle, nv.stack_len); - yield_constr.constraint_transition(builder, kernel_constr); - } -} diff --git a/evm/src/cpu/cpu_stark.rs b/evm/src/cpu/cpu_stark.rs deleted file mode 100644 index 8bcada2f3b..0000000000 --- a/evm/src/cpu/cpu_stark.rs +++ /dev/null @@ -1,569 +0,0 @@ -use core::borrow::Borrow; -use core::iter::repeat; -use core::marker::PhantomData; - -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use super::columns::CpuColumnsView; -use super::halt; -use super::kernel::constants::context_metadata::ContextMetadata; -use super::membus::NUM_GP_CHANNELS; -use crate::all_stark::Table; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::{COL_MAP, NUM_CPU_COLUMNS}; -use crate::cpu::{ - byte_unpacking, clock, contextops, control_flow, decode, dup_swap, gas, jumps, membus, memio, - modfp254, pc, push0, shift, simple_logic, stack, syscalls_exceptions, -}; -use crate::cross_table_lookup::TableWithColumns; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::lookup::{Column, Filter}; -use crate::memory::segments::Segment; -use crate::memory::{NUM_CHANNELS, VALUE_LIMBS}; -use crate::stark::Stark; - -/// Creates the vector of `Columns` corresponding to the General Purpose channels when calling the Keccak sponge: -/// the CPU reads the output of the sponge directly from the `KeccakSpongeStark` table. -pub(crate) fn ctl_data_keccak_sponge() -> Vec> { - // When executing KECCAK_GENERAL, the GP memory channels are used as follows: - // GP channel 0: stack[-1] = addr (context, segment, virt) - // GP channel 1: stack[-2] = len - // Next GP channel 0: pushed = outputs - let (context, segment, virt) = get_addr(&COL_MAP, 0); - let context = Column::single(context); - let segment = Column::single(segment); - let virt = Column::single(virt); - let len = Column::single(COL_MAP.mem_channels[1].value[0]); - - let num_channels = F::from_canonical_usize(NUM_CHANNELS); - let timestamp = Column::linear_combination([(COL_MAP.clock, num_channels)]); - - let mut cols = vec![context, segment, virt, len, timestamp]; - cols.extend(Column::singles_next_row(COL_MAP.mem_channels[0].value)); - cols -} - -/// CTL filter for a call to the Keccak sponge. -// KECCAK_GENERAL is differentiated from JUMPDEST by its second bit set to 0. -pub(crate) fn ctl_filter_keccak_sponge() -> Filter { - Filter::new( - vec![( - Column::single(COL_MAP.op.jumpdest_keccak_general), - Column::linear_combination_with_constant([(COL_MAP.opcode_bits[1], -F::ONE)], F::ONE), - )], - vec![], - ) -} - -/// Creates the vector of `Columns` corresponding to the two inputs and -/// one output of a binary operation. -fn ctl_data_binops() -> Vec> { - let mut res = Column::singles(COL_MAP.mem_channels[0].value).collect_vec(); - res.extend(Column::singles(COL_MAP.mem_channels[1].value)); - res.extend(Column::singles_next_row(COL_MAP.mem_channels[0].value)); - res -} - -/// Creates the vector of `Columns` corresponding to the three inputs and -/// one output of a ternary operation. By default, ternary operations use -/// the first three memory channels, and the next top of the stack for the -/// result (binary operations do not use the third inputs). -fn ctl_data_ternops() -> Vec> { - let mut res = Column::singles(COL_MAP.mem_channels[0].value).collect_vec(); - res.extend(Column::singles(COL_MAP.mem_channels[1].value)); - res.extend(Column::singles(COL_MAP.mem_channels[2].value)); - res.extend(Column::singles_next_row(COL_MAP.mem_channels[0].value)); - res -} - -/// Creates the vector of columns corresponding to the opcode, the two inputs and the output of the logic operation. -pub(crate) fn ctl_data_logic() -> Vec> { - // Instead of taking single columns, we reconstruct the entire opcode value directly. - let mut res = vec![Column::le_bits(COL_MAP.opcode_bits)]; - res.extend(ctl_data_binops()); - res -} - -/// CTL filter for logic operations. -pub(crate) fn ctl_filter_logic() -> Filter { - Filter::new_simple(Column::single(COL_MAP.op.logic_op)) -} - -/// Returns the `TableWithColumns` for the CPU rows calling arithmetic operations. -pub(crate) fn ctl_arithmetic_base_rows() -> TableWithColumns { - // Instead of taking single columns, we reconstruct the entire opcode value directly. - let mut columns = vec![Column::le_bits(COL_MAP.opcode_bits)]; - columns.extend(ctl_data_ternops()); - // Create the CPU Table whose columns are those with the three - // inputs and one output of the ternary operations listed in `ops` - // (also `ops` is used as the operation filter). The list of - // operations includes binary operations which will simply ignore - // the third input. - let col_bit = Column::linear_combination_with_constant( - vec![(COL_MAP.opcode_bits[5], F::NEG_ONE)], - F::ONE, - ); - TableWithColumns::new( - *Table::Cpu, - columns, - Some(Filter::new( - vec![(Column::single(COL_MAP.op.push_prover_input), col_bit)], - vec![Column::sum([ - COL_MAP.op.binary_op, - COL_MAP.op.fp254_op, - COL_MAP.op.ternary_op, - COL_MAP.op.shift, - COL_MAP.op.syscall, - COL_MAP.op.exception, - ])], - )), - ) -} - -/// Creates the vector of `Columns` corresponding to the contents of General Purpose channels when calling byte packing. -/// We use `ctl_data_keccak_sponge` because the `Columns` are the same as the ones computed for `KeccakSpongeStark`. -pub(crate) fn ctl_data_byte_packing() -> Vec> { - let mut res = vec![Column::constant(F::ONE)]; // is_read - res.extend(ctl_data_keccak_sponge()); - res -} - -/// CTL filter for the `MLOAD_32BYTES` operation. -/// MLOAD_32 BYTES is differentiated from MSTORE_32BYTES by its fifth bit set to 1. -pub(crate) fn ctl_filter_byte_packing() -> Filter { - Filter::new( - vec![( - Column::single(COL_MAP.op.m_op_32bytes), - Column::single(COL_MAP.opcode_bits[5]), - )], - vec![], - ) -} - -/// Creates the vector of `Columns` corresponding to the contents of General Purpose channels when calling byte unpacking. -pub(crate) fn ctl_data_byte_unpacking() -> Vec> { - let is_read = Column::constant(F::ZERO); - - // When executing MSTORE_32BYTES, the GP memory channels are used as follows: - // GP channel 0: stack[-1] = addr (context, segment, virt) - // GP channel 1: stack[-2] = val - // Next GP channel 0: pushed = new_offset (virt + len) - let (context, segment, virt) = get_addr(&COL_MAP, 0); - let mut res = vec![ - is_read, - Column::single(context), - Column::single(segment), - Column::single(virt), - ]; - - // len can be reconstructed as new_offset - virt. - let len = Column::linear_combination_and_next_row_with_constant( - [(COL_MAP.mem_channels[0].value[0], -F::ONE)], - [(COL_MAP.mem_channels[0].value[0], F::ONE)], - F::ZERO, - ); - res.push(len); - - let num_channels = F::from_canonical_usize(NUM_CHANNELS); - let timestamp = Column::linear_combination([(COL_MAP.clock, num_channels)]); - res.push(timestamp); - - let val = Column::singles(COL_MAP.mem_channels[1].value); - res.extend(val); - - res -} - -/// CTL filter for the `MSTORE_32BYTES` operation. -/// MSTORE_32BYTES is differentiated from MLOAD_32BYTES by its fifth bit set to 0. -pub(crate) fn ctl_filter_byte_unpacking() -> Filter { - Filter::new( - vec![( - Column::single(COL_MAP.op.m_op_32bytes), - Column::linear_combination_with_constant([(COL_MAP.opcode_bits[5], -F::ONE)], F::ONE), - )], - vec![], - ) -} - -/// Creates the vector of `Columns` corresponding to three consecutive (byte) reads in memory. -/// It's used by syscalls and exceptions to read an address in a jumptable. -pub(crate) fn ctl_data_jumptable_read() -> Vec> { - let is_read = Column::constant(F::ONE); - let mut res = vec![is_read]; - - // When reading the jumptable, the address to start reading from is in - // GP channel 1; the result is in GP channel 1's values. - let channel_map = COL_MAP.mem_channels[1]; - res.extend(Column::singles([ - channel_map.addr_context, - channel_map.addr_segment, - channel_map.addr_virtual, - ])); - let val = Column::singles(channel_map.value); - - // len is always 3. - let len = Column::constant(F::from_canonical_usize(3)); - res.push(len); - - let num_channels = F::from_canonical_usize(NUM_CHANNELS); - let timestamp = Column::linear_combination([(COL_MAP.clock, num_channels)]); - res.push(timestamp); - - res.extend(val); - - res -} - -/// CTL filter for syscalls and exceptions. -pub(crate) fn ctl_filter_syscall_exceptions() -> Filter { - Filter::new_simple(Column::sum([COL_MAP.op.syscall, COL_MAP.op.exception])) -} - -/// Creates the vector of `Columns` corresponding to the contents of the CPU registers when performing a `PUSH`. -/// `PUSH` internal reads are done by calling `BytePackingStark`. -pub(crate) fn ctl_data_byte_packing_push() -> Vec> { - let is_read = Column::constant(F::ONE); - let context = Column::single(COL_MAP.code_context); - let segment = Column::constant(F::from_canonical_usize(Segment::Code as usize)); - // The initial offset if `pc + 1`. - let virt = - Column::linear_combination_with_constant([(COL_MAP.program_counter, F::ONE)], F::ONE); - let val = Column::singles_next_row(COL_MAP.mem_channels[0].value); - - // We fetch the length from the `PUSH` opcode lower bits, that indicate `len - 1`. - let len = Column::le_bits_with_constant(&COL_MAP.opcode_bits[0..5], F::ONE); - - let num_channels = F::from_canonical_usize(NUM_CHANNELS); - let timestamp = Column::linear_combination([(COL_MAP.clock, num_channels)]); - - let mut res = vec![is_read, context, segment, virt, len, timestamp]; - res.extend(val); - - res -} - -/// CTL filter for the `PUSH` operation. -pub(crate) fn ctl_filter_byte_packing_push() -> Filter { - let bit_col = Column::single(COL_MAP.opcode_bits[5]); - Filter::new( - vec![(Column::single(COL_MAP.op.push_prover_input), bit_col)], - vec![], - ) -} - -/// Index of the memory channel storing code. -pub(crate) const MEM_CODE_CHANNEL_IDX: usize = 0; -/// Index of the first general purpose memory channel. -pub(crate) const MEM_GP_CHANNELS_IDX_START: usize = MEM_CODE_CHANNEL_IDX + 1; - -/// Recover the three components of an address, given a CPU row and -/// a provided memory channel index. -/// The components are recovered as follows: -/// -/// - `context`, shifted by 2^64 (i.e. at index 2) -/// - `segment`, shifted by 2^32 (i.e. at index 1) -/// - `virtual`, not shifted (i.e. at index 0) -pub(crate) const fn get_addr(lv: &CpuColumnsView, mem_channel: usize) -> (T, T, T) { - let addr_context = lv.mem_channels[mem_channel].value[2]; - let addr_segment = lv.mem_channels[mem_channel].value[1]; - let addr_virtual = lv.mem_channels[mem_channel].value[0]; - (addr_context, addr_segment, addr_virtual) -} - -/// Make the time/channel column for memory lookups. -fn mem_time_and_channel(channel: usize) -> Column { - let scalar = F::from_canonical_usize(NUM_CHANNELS); - let addend = F::from_canonical_usize(channel); - Column::linear_combination_with_constant([(COL_MAP.clock, scalar)], addend) -} - -/// Creates the vector of `Columns` corresponding to the contents of the code channel when reading code values. -pub(crate) fn ctl_data_code_memory() -> Vec> { - let mut cols = vec![ - Column::constant(F::ONE), // is_read - Column::single(COL_MAP.code_context), // addr_context - Column::constant(F::from_canonical_usize(Segment::Code.unscale())), // addr_segment - Column::single(COL_MAP.program_counter), // addr_virtual - ]; - - // Low limb of the value matches the opcode bits - cols.push(Column::le_bits(COL_MAP.opcode_bits)); - - // High limbs of the value are all zero. - cols.extend(repeat(Column::constant(F::ZERO)).take(VALUE_LIMBS - 1)); - - cols.push(mem_time_and_channel(MEM_CODE_CHANNEL_IDX)); - - cols -} - -/// Creates the vector of `Columns` corresponding to the contents of General Purpose channels. -pub(crate) fn ctl_data_gp_memory(channel: usize) -> Vec> { - let channel_map = COL_MAP.mem_channels[channel]; - let mut cols: Vec<_> = Column::singles([ - channel_map.is_read, - channel_map.addr_context, - channel_map.addr_segment, - channel_map.addr_virtual, - ]) - .collect(); - - cols.extend(Column::singles(channel_map.value)); - - cols.push(mem_time_and_channel(MEM_GP_CHANNELS_IDX_START + channel)); - - cols -} - -pub(crate) fn ctl_data_partial_memory() -> Vec> { - let channel_map = COL_MAP.partial_channel; - let values = COL_MAP.mem_channels[0].value; - let mut cols: Vec<_> = Column::singles([ - channel_map.is_read, - channel_map.addr_context, - channel_map.addr_segment, - channel_map.addr_virtual, - ]) - .collect(); - - cols.extend(Column::singles(values)); - - cols.push(mem_time_and_channel( - MEM_GP_CHANNELS_IDX_START + NUM_GP_CHANNELS, - )); - - cols -} - -/// Old stack pointer write for SET_CONTEXT. -pub(crate) fn ctl_data_memory_old_sp_write_set_context() -> Vec> { - let mut cols = vec![ - Column::constant(F::ZERO), // is_read - Column::single(COL_MAP.context), // addr_context - Column::constant(F::from_canonical_usize(Segment::ContextMetadata.unscale())), // addr_segment - Column::constant(F::from_canonical_usize( - ContextMetadata::StackSize.unscale(), - )), // addr_virtual - ]; - - // Low limb is current stack length minus one. - cols.push(Column::linear_combination_with_constant( - [(COL_MAP.stack_len, F::ONE)], - -F::ONE, - )); - - // High limbs of the value are all zero. - cols.extend(repeat(Column::constant(F::ZERO)).take(VALUE_LIMBS - 1)); - - cols.push(mem_time_and_channel(MEM_GP_CHANNELS_IDX_START + 1)); - - cols -} - -/// New stack pointer read for SET_CONTEXT. -pub(crate) fn ctl_data_memory_new_sp_read_set_context() -> Vec> { - let mut cols = vec![ - Column::constant(F::ONE), // is_read - Column::single(COL_MAP.mem_channels[0].value[2]), // addr_context (in the top of the stack) - Column::constant(F::from_canonical_usize(Segment::ContextMetadata.unscale())), // addr_segment - Column::constant(F::from_canonical_u64( - ContextMetadata::StackSize as u64 - Segment::ContextMetadata as u64, - )), // addr_virtual - ]; - - // Low limb is new stack length. - cols.push(Column::single_next_row(COL_MAP.stack_len)); - - // High limbs of the value are all zero. - cols.extend(repeat(Column::constant(F::ZERO)).take(VALUE_LIMBS - 1)); - - cols.push(mem_time_and_channel(MEM_GP_CHANNELS_IDX_START + 2)); - - cols -} - -/// CTL filter for code read and write operations. -pub(crate) fn ctl_filter_code_memory() -> Filter { - Filter::new_simple(Column::sum(COL_MAP.op.iter())) -} - -/// CTL filter for General Purpose memory read and write operations. -pub(crate) fn ctl_filter_gp_memory(channel: usize) -> Filter { - Filter::new_simple(Column::single(COL_MAP.mem_channels[channel].used)) -} - -pub(crate) fn ctl_filter_partial_memory() -> Filter { - Filter::new_simple(Column::single(COL_MAP.partial_channel.used)) -} - -/// CTL filter for the `SET_CONTEXT` operation. -/// SET_CONTEXT is differentiated from GET_CONTEXT by its zeroth bit set to 1 -pub(crate) fn ctl_filter_set_context() -> Filter { - Filter::new( - vec![( - Column::single(COL_MAP.op.context_op), - Column::single(COL_MAP.opcode_bits[0]), - )], - vec![], - ) -} - -/// Disable the specified memory channels. -/// Since channel 0 contains the top of the stack and is handled specially, -/// channels to disable are 1, 2 or both. All cases can be expressed as a vec. -pub(crate) fn disable_unused_channels( - lv: &CpuColumnsView

, - filter: P, - channels: Vec, - yield_constr: &mut ConstraintConsumer

, -) { - for i in channels { - yield_constr.constraint(filter * lv.mem_channels[i].used); - } -} - -/// Circuit version of `disable_unused_channels`. -/// Disable the specified memory channels. -/// Since channel 0 contains the top of the stack and is handled specially, -/// channels to disable are 1, 2 or both. All cases can be expressed as a vec. -pub(crate) fn disable_unused_channels_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - filter: ExtensionTarget, - channels: Vec, - yield_constr: &mut RecursiveConstraintConsumer, -) { - for i in channels { - let constr = builder.mul_extension(filter, lv.mem_channels[i].used); - yield_constr.constraint(builder, constr); - } -} - -/// Structure representing the CPU Stark. -#[derive(Copy, Clone, Default)] -pub(crate) struct CpuStark { - pub f: PhantomData, -} - -impl, const D: usize> Stark for CpuStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_CPU_COLUMNS>; - - /// Evaluates all CPU constraints. - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let local_values: &[P; NUM_CPU_COLUMNS] = vars.get_local_values().try_into().unwrap(); - let local_values: &CpuColumnsView

= local_values.borrow(); - let next_values: &[P; NUM_CPU_COLUMNS] = vars.get_next_values().try_into().unwrap(); - let next_values: &CpuColumnsView

= next_values.borrow(); - - byte_unpacking::eval_packed(local_values, next_values, yield_constr); - clock::eval_packed(local_values, next_values, yield_constr); - contextops::eval_packed(local_values, next_values, yield_constr); - control_flow::eval_packed_generic(local_values, next_values, yield_constr); - decode::eval_packed_generic(local_values, yield_constr); - dup_swap::eval_packed(local_values, next_values, yield_constr); - gas::eval_packed(local_values, next_values, yield_constr); - halt::eval_packed(local_values, next_values, yield_constr); - jumps::eval_packed(local_values, next_values, yield_constr); - membus::eval_packed(local_values, yield_constr); - memio::eval_packed(local_values, next_values, yield_constr); - modfp254::eval_packed(local_values, yield_constr); - pc::eval_packed(local_values, next_values, yield_constr); - push0::eval_packed(local_values, next_values, yield_constr); - shift::eval_packed(local_values, yield_constr); - simple_logic::eval_packed(local_values, next_values, yield_constr); - stack::eval_packed(local_values, next_values, yield_constr); - syscalls_exceptions::eval_packed(local_values, next_values, yield_constr); - } - - /// Circuit version of `eval_packed_generic`. - /// Evaluates all CPU constraints. - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let local_values: &[ExtensionTarget; NUM_CPU_COLUMNS] = - vars.get_local_values().try_into().unwrap(); - let local_values: &CpuColumnsView> = local_values.borrow(); - let next_values: &[ExtensionTarget; NUM_CPU_COLUMNS] = - vars.get_next_values().try_into().unwrap(); - let next_values: &CpuColumnsView> = next_values.borrow(); - - byte_unpacking::eval_ext_circuit(builder, local_values, next_values, yield_constr); - clock::eval_ext_circuit(builder, local_values, next_values, yield_constr); - contextops::eval_ext_circuit(builder, local_values, next_values, yield_constr); - control_flow::eval_ext_circuit(builder, local_values, next_values, yield_constr); - decode::eval_ext_circuit(builder, local_values, yield_constr); - dup_swap::eval_ext_circuit(builder, local_values, next_values, yield_constr); - gas::eval_ext_circuit(builder, local_values, next_values, yield_constr); - halt::eval_ext_circuit(builder, local_values, next_values, yield_constr); - jumps::eval_ext_circuit(builder, local_values, next_values, yield_constr); - membus::eval_ext_circuit(builder, local_values, yield_constr); - memio::eval_ext_circuit(builder, local_values, next_values, yield_constr); - modfp254::eval_ext_circuit(builder, local_values, yield_constr); - pc::eval_ext_circuit(builder, local_values, next_values, yield_constr); - push0::eval_ext_circuit(builder, local_values, next_values, yield_constr); - shift::eval_ext_circuit(builder, local_values, yield_constr); - simple_logic::eval_ext_circuit(builder, local_values, next_values, yield_constr); - stack::eval_ext_circuit(builder, local_values, next_values, yield_constr); - syscalls_exceptions::eval_ext_circuit(builder, local_values, next_values, yield_constr); - } - - fn constraint_degree(&self) -> usize { - 3 - } -} - -#[cfg(test)] -mod tests { - use anyhow::Result; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - use crate::cpu::cpu_stark::CpuStark; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = CpuStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = CpuStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } -} diff --git a/evm/src/cpu/decode.rs b/evm/src/cpu/decode.rs deleted file mode 100644 index 4c2c43221e..0000000000 --- a/evm/src/cpu/decode.rs +++ /dev/null @@ -1,405 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::{CpuColumnsView, COL_MAP}; - -/// List of opcode blocks -/// Each block corresponds to exactly one flag, and each flag corresponds to exactly one block. -/// Each block of opcodes: -/// - is contiguous, -/// - has a length that is a power of 2, and -/// - its start index is a multiple of its length (it is aligned). -/// These properties permit us to check if an opcode belongs to a block of length 2^n by checking -/// its top 8-n bits. -/// Additionally, each block can be made available only to the user, only to the kernel, or to -/// both. This is mainly useful for making some instructions kernel-only, while still decoding to -/// invalid for the user. We do this by making one kernel-only block and another user-only block. -/// The exception is the PANIC instruction which is user-only without a corresponding kernel block. -/// This makes the proof unverifiable when PANIC is executed in kernel mode, which is the intended -/// behavior. -/// Note: invalid opcodes are not represented here. _Any_ opcode is permitted to decode to -/// `is_invalid`. The kernel then verifies that the opcode was _actually_ invalid. -const OPCODES: [(u8, usize, bool, usize); 5] = [ - // (start index of block, number of top bits to check (log2), kernel-only, flag column) - // ADD, MUL, SUB, DIV, MOD, LT, GT and BYTE flags are handled partly manually here, and partly through the Arithmetic table CTL. - // ADDMOD, MULMOD and SUBMOD flags are handled partly manually here, and partly through the Arithmetic table CTL. - // FP254 operation flags are handled partly manually here, and partly through the Arithmetic table CTL. - (0x14, 1, false, COL_MAP.op.eq_iszero), - // AND, OR and XOR flags are handled partly manually here, and partly through the Logic table CTL. - // NOT and POP are handled manually here. - // SHL and SHR flags are handled partly manually here, and partly through the Logic table CTL. - // JUMPDEST and KECCAK_GENERAL are handled manually here. - (0x56, 1, false, COL_MAP.op.jumps), // 0x56-0x57 - (0x80, 5, false, COL_MAP.op.dup_swap), // 0x80-0x9f - (0xf6, 1, true, COL_MAP.op.context_op), //0xf6-0xf7 - (0xf9, 0, true, COL_MAP.op.exit_kernel), - // MLOAD_GENERAL and MSTORE_GENERAL flags are handled manually here. -]; - -/// List of combined opcodes requiring a special handling. -/// Each index in the list corresponds to an arbitrary combination -/// of opcodes defined in evm/src/cpu/columns/ops.rs. -const COMBINED_OPCODES: [usize; 11] = [ - COL_MAP.op.logic_op, - COL_MAP.op.fp254_op, - COL_MAP.op.binary_op, - COL_MAP.op.ternary_op, - COL_MAP.op.shift, - COL_MAP.op.m_op_general, - COL_MAP.op.jumpdest_keccak_general, - COL_MAP.op.not_pop, - COL_MAP.op.pc_push0, - COL_MAP.op.m_op_32bytes, - COL_MAP.op.push_prover_input, -]; - -/// Break up an opcode (which is 8 bits long) into its eight bits. -const fn bits_from_opcode(opcode: u8) -> [bool; 8] { - [ - opcode & (1 << 0) != 0, - opcode & (1 << 1) != 0, - opcode & (1 << 2) != 0, - opcode & (1 << 3) != 0, - opcode & (1 << 4) != 0, - opcode & (1 << 5) != 0, - opcode & (1 << 6) != 0, - opcode & (1 << 7) != 0, - ] -} - -/// Evaluates the constraints for opcode decoding. -pub(crate) fn eval_packed_generic( - lv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // Ensure that the kernel flag is valid (either 0 or 1). - let kernel_mode = lv.is_kernel_mode; - yield_constr.constraint(kernel_mode * (kernel_mode - P::ONES)); - - // Ensure that the opcode bits are valid: each has to be either 0 or 1. - for bit in lv.opcode_bits { - yield_constr.constraint(bit * (bit - P::ONES)); - } - - // Check that the instruction flags are valid. - // First, check that they are all either 0 or 1. - for (_, _, _, flag_col) in OPCODES { - let flag = lv[flag_col]; - yield_constr.constraint(flag * (flag - P::ONES)); - } - // Also check that the combined instruction flags are valid. - for flag_idx in COMBINED_OPCODES { - yield_constr.constraint(lv[flag_idx] * (lv[flag_idx] - P::ONES)); - } - - // Now check that they sum to 0 or 1, including the combined flags. - let flag_sum: P = OPCODES - .into_iter() - .map(|(_, _, _, flag_col)| lv[flag_col]) - .chain(COMBINED_OPCODES.map(|op| lv[op])) - .sum::

(); - yield_constr.constraint(flag_sum * (flag_sum - P::ONES)); - - // Finally, classify all opcodes, together with the kernel flag, into blocks - for (oc, block_length, kernel_only, col) in OPCODES { - // 0 if the block/flag is available to us (is always available or we are in kernel mode) and - // 1 otherwise. - let unavailable = match kernel_only { - false => P::ZEROS, - true => P::ONES - kernel_mode, - }; - // 0 if all the opcode bits match, and something in {1, ..., 8}, otherwise. - let opcode_mismatch: P = lv - .opcode_bits - .into_iter() - .zip(bits_from_opcode(oc)) - .rev() - .take(8 - block_length) - .map(|(row_bit, flag_bit)| match flag_bit { - // 1 if the bit does not match, and 0 otherwise - false => row_bit, - true => P::ONES - row_bit, - }) - .sum(); - - // If unavailable + opcode_mismatch is 0, then the opcode bits all match and we are in the - // correct mode. - yield_constr.constraint(lv[col] * (unavailable + opcode_mismatch)); - } - - let opcode_high_bits = |num_high_bits| -> P { - lv.opcode_bits - .into_iter() - .enumerate() - .rev() - .take(num_high_bits) - .map(|(i, bit)| bit * P::Scalar::from_canonical_u64(1 << i)) - .sum() - }; - - // Manually check lv.op.m_op_constr - let opcode = opcode_high_bits(8); - yield_constr.constraint((P::ONES - kernel_mode) * lv.op.m_op_general); - - let m_op_constr = (opcode - P::Scalar::from_canonical_usize(0xfb_usize)) - * (opcode - P::Scalar::from_canonical_usize(0xfc_usize)) - * lv.op.m_op_general; - yield_constr.constraint(m_op_constr); - - // Manually check lv.op.jumpdest_keccak_general. - // KECCAK_GENERAL is a kernel-only instruction, but not JUMPDEST. - // JUMPDEST is differentiated from KECCAK_GENERAL by its second bit set to 1. - yield_constr.constraint( - (P::ONES - kernel_mode) * lv.op.jumpdest_keccak_general * (P::ONES - lv.opcode_bits[1]), - ); - - // Check the JUMPDEST and KERNEL_GENERAL opcodes. - let jumpdest_opcode = P::Scalar::from_canonical_usize(0x5b); - let keccak_general_opcode = P::Scalar::from_canonical_usize(0x21); - let jumpdest_keccak_general_constr = (opcode - keccak_general_opcode) - * (opcode - jumpdest_opcode) - * lv.op.jumpdest_keccak_general; - yield_constr.constraint(jumpdest_keccak_general_constr); - - // Manually check lv.op.pc_push0. - // Both PC and PUSH0 can be called outside of the kernel mode: - // there is no need to constrain them in that regard. - let pc_push0_constr = (opcode - P::Scalar::from_canonical_usize(0x58_usize)) - * (opcode - P::Scalar::from_canonical_usize(0x5f_usize)) - * lv.op.pc_push0; - yield_constr.constraint(pc_push0_constr); - - // Manually check lv.op.not_pop. - // Both NOT and POP can be called outside of the kernel mode: - // there is no need to constrain them in that regard. - let not_pop_op = (opcode - P::Scalar::from_canonical_usize(0x19_usize)) - * (opcode - P::Scalar::from_canonical_usize(0x50_usize)) - * lv.op.not_pop; - yield_constr.constraint(not_pop_op); - - // Manually check lv.op.m_op_32bytes. - // Both are kernel-only. - yield_constr.constraint((P::ONES - kernel_mode) * lv.op.m_op_32bytes); - - // Check the MSTORE_32BYTES and MLOAD-32BYTES opcodes. - let opcode_high_three = opcode_high_bits(3); - let op_32bytes = (opcode_high_three - P::Scalar::from_canonical_usize(0xc0_usize)) - * (opcode - P::Scalar::from_canonical_usize(0xf8_usize)) - * lv.op.m_op_32bytes; - yield_constr.constraint(op_32bytes); - - // Manually check PUSH and PROVER_INPUT. - // PROVER_INPUT is a kernel-only instruction, but not PUSH. - let push_prover_input_constr = (opcode - P::Scalar::from_canonical_usize(0x49_usize)) - * (opcode_high_three - P::Scalar::from_canonical_usize(0x60_usize)) - * lv.op.push_prover_input; - yield_constr.constraint(push_prover_input_constr); - let prover_input_constr = - lv.op.push_prover_input * (lv.opcode_bits[5] - P::ONES) * (P::ONES - kernel_mode); - yield_constr.constraint(prover_input_constr); -} - -fn opcode_high_bits_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - num_high_bits: usize, -) -> ExtensionTarget { - lv.opcode_bits - .into_iter() - .enumerate() - .rev() - .take(num_high_bits) - .fold(builder.zero_extension(), |cumul, (i, bit)| { - builder.mul_const_add_extension(F::from_canonical_usize(1 << i), bit, cumul) - }) -} - -/// Circuit version of `eval_packed_generic`. -/// Evaluates the constraints for opcode decoding. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let one = builder.one_extension(); - - // Note: The constraints below do not need to be restricted to CPU cycles. - - // Ensure that the kernel flag is valid (either 0 or 1). - let kernel_mode = lv.is_kernel_mode; - { - let constr = builder.mul_sub_extension(kernel_mode, kernel_mode, kernel_mode); - yield_constr.constraint(builder, constr); - } - - // Ensure that the opcode bits are valid: each has to be either 0 or 1. - for bit in lv.opcode_bits { - let constr = builder.mul_sub_extension(bit, bit, bit); - yield_constr.constraint(builder, constr); - } - - // Check that the instruction flags are valid. - // First, check that they are all either 0 or 1. - for (_, _, _, flag_col) in OPCODES { - let flag = lv[flag_col]; - let constr = builder.mul_sub_extension(flag, flag, flag); - yield_constr.constraint(builder, constr); - } - // Also check that the combined instruction flags are valid. - for flag_idx in COMBINED_OPCODES { - let constr = builder.mul_sub_extension(lv[flag_idx], lv[flag_idx], lv[flag_idx]); - yield_constr.constraint(builder, constr); - } - - // Now check that they sum to 0 or 1, including the combined flags. - { - let mut flag_sum = - builder.add_many_extension(COMBINED_OPCODES.into_iter().map(|idx| lv[idx])); - for (_, _, _, flag_col) in OPCODES { - let flag = lv[flag_col]; - flag_sum = builder.add_extension(flag_sum, flag); - } - let constr = builder.mul_sub_extension(flag_sum, flag_sum, flag_sum); - yield_constr.constraint(builder, constr); - } - - // Finally, classify all opcodes, together with the kernel flag, into blocks - for (oc, block_length, kernel_only, col) in OPCODES { - // 0 if the block/flag is available to us (is always available or we are in kernel mode) and - // 1 otherwise. - let unavailable = match kernel_only { - false => builder.zero_extension(), - true => builder.sub_extension(one, kernel_mode), - }; - // 0 if all the opcode bits match, and something in {1, ..., 8}, otherwise. - let opcode_mismatch = lv - .opcode_bits - .into_iter() - .zip(bits_from_opcode(oc)) - .rev() - .take(8 - block_length) - .fold(builder.zero_extension(), |cumul, (row_bit, flag_bit)| { - let to_add = match flag_bit { - false => row_bit, - true => builder.sub_extension(one, row_bit), - }; - builder.add_extension(cumul, to_add) - }); - - // If unavailable + opcode_mismatch is 0, then the opcode bits all match and we are in the - // correct mode. - let constr = builder.add_extension(unavailable, opcode_mismatch); - let constr = builder.mul_extension(lv[col], constr); - yield_constr.constraint(builder, constr); - } - - // Manually check lv.op.m_op_constr - let opcode = opcode_high_bits_circuit(builder, lv, 8); - - let mload_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0xfb_usize)); - let mstore_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0xfc_usize)); - - let one_extension = builder.constant_extension(F::Extension::ONE); - let is_not_kernel_mode = builder.sub_extension(one_extension, kernel_mode); - let constr = builder.mul_extension(is_not_kernel_mode, lv.op.m_op_general); - yield_constr.constraint(builder, constr); - - let mload_constr = builder.sub_extension(opcode, mload_opcode); - let mstore_constr = builder.sub_extension(opcode, mstore_opcode); - let mut m_op_constr = builder.mul_extension(mload_constr, mstore_constr); - m_op_constr = builder.mul_extension(m_op_constr, lv.op.m_op_general); - - yield_constr.constraint(builder, m_op_constr); - - // Manually check lv.op.jumpdest_keccak_general. - // KECCAK_GENERAL is a kernel-only instruction, but not JUMPDEST. - // JUMPDEST is differentiated from KECCAK_GENERAL by its second bit set to 1. - let jumpdest_opcode = - builder.constant_extension(F::Extension::from_canonical_usize(0x5b_usize)); - let keccak_general_opcode = - builder.constant_extension(F::Extension::from_canonical_usize(0x21_usize)); - - // Check that KECCAK_GENERAL is kernel-only. - let mut kernel_general_filter = builder.sub_extension(one, lv.opcode_bits[1]); - kernel_general_filter = - builder.mul_extension(lv.op.jumpdest_keccak_general, kernel_general_filter); - let constr = builder.mul_extension(is_not_kernel_mode, kernel_general_filter); - yield_constr.constraint(builder, constr); - - // Check the JUMPDEST and KERNEL_GENERAL opcodes. - let jumpdest_constr = builder.sub_extension(opcode, jumpdest_opcode); - let keccak_general_constr = builder.sub_extension(opcode, keccak_general_opcode); - let mut jumpdest_keccak_general_constr = - builder.mul_extension(jumpdest_constr, keccak_general_constr); - jumpdest_keccak_general_constr = builder.mul_extension( - jumpdest_keccak_general_constr, - lv.op.jumpdest_keccak_general, - ); - - yield_constr.constraint(builder, jumpdest_keccak_general_constr); - - // Manually check lv.op.pc_push0. - // Both PC and PUSH0 can be called outside of the kernel mode: - // there is no need to constrain them in that regard. - let pc_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0x58_usize)); - let push0_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0x5f_usize)); - let pc_constr = builder.sub_extension(opcode, pc_opcode); - let push0_constr = builder.sub_extension(opcode, push0_opcode); - let mut pc_push0_constr = builder.mul_extension(pc_constr, push0_constr); - pc_push0_constr = builder.mul_extension(pc_push0_constr, lv.op.pc_push0); - yield_constr.constraint(builder, pc_push0_constr); - - // Manually check lv.op.not_pop. - // Both NOT and POP can be called outside of the kernel mode: - // there is no need to constrain them in that regard. - let not_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0x19_usize)); - let pop_opcode = builder.constant_extension(F::Extension::from_canonical_usize(0x50_usize)); - - let not_constr = builder.sub_extension(opcode, not_opcode); - let pop_constr = builder.sub_extension(opcode, pop_opcode); - - let mut not_pop_constr = builder.mul_extension(not_constr, pop_constr); - not_pop_constr = builder.mul_extension(lv.op.not_pop, not_pop_constr); - yield_constr.constraint(builder, not_pop_constr); - - // Manually check lv.op.m_op_32bytes. - // Both are kernel-only. - let constr = builder.mul_extension(is_not_kernel_mode, lv.op.m_op_32bytes); - yield_constr.constraint(builder, constr); - - // Check the MSTORE_32BYTES and MLOAD-32BYTES opcodes. - let opcode_high_three = opcode_high_bits_circuit(builder, lv, 3); - let mstore_32bytes_opcode = - builder.constant_extension(F::Extension::from_canonical_usize(0xc0_usize)); - let mload_32bytes_opcode = - builder.constant_extension(F::Extension::from_canonical_usize(0xf8_usize)); - let mstore_32bytes_constr = builder.sub_extension(opcode_high_three, mstore_32bytes_opcode); - let mload_32bytes_constr = builder.sub_extension(opcode, mload_32bytes_opcode); - let constr = builder.mul_extension(mstore_32bytes_constr, mload_32bytes_constr); - let constr = builder.mul_extension(constr, lv.op.m_op_32bytes); - yield_constr.constraint(builder, constr); - - // Manually check PUSH and PROVER_INPUT. - // PROVER_INPUT is a kernel-only instruction, but not PUSH. - let prover_input_opcode = - builder.constant_extension(F::Extension::from_canonical_usize(0x49usize)); - let push_opcodes = builder.constant_extension(F::Extension::from_canonical_usize(0x60usize)); - - let push_constr = builder.sub_extension(opcode_high_three, push_opcodes); - let prover_input_constr = builder.sub_extension(opcode, prover_input_opcode); - - let push_prover_input_constr = - builder.mul_many_extension([lv.op.push_prover_input, prover_input_constr, push_constr]); - yield_constr.constraint(builder, push_prover_input_constr); - let prover_input_filter = builder.mul_sub_extension( - lv.op.push_prover_input, - lv.opcode_bits[5], - lv.op.push_prover_input, - ); - let constr = builder.mul_extension(prover_input_filter, is_not_kernel_mode); - yield_constr.constraint(builder, constr); -} diff --git a/evm/src/cpu/dup_swap.rs b/evm/src/cpu/dup_swap.rs deleted file mode 100644 index 1abec5fc61..0000000000 --- a/evm/src/cpu/dup_swap.rs +++ /dev/null @@ -1,343 +0,0 @@ -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::{CpuColumnsView, MemoryChannelView}; -use crate::memory::segments::Segment; - -/// Constrain two channels to have equal values. -fn channels_equal_packed( - filter: P, - ch_a: &MemoryChannelView

, - ch_b: &MemoryChannelView

, - yield_constr: &mut ConstraintConsumer

, -) { - for (limb_a, limb_b) in izip!(ch_a.value, ch_b.value) { - yield_constr.constraint(filter * (limb_a - limb_b)); - } -} - -/// Constrain two channels to have equal values. -fn channels_equal_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - filter: ExtensionTarget, - ch_a: &MemoryChannelView>, - ch_b: &MemoryChannelView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - for (limb_a, limb_b) in izip!(ch_a.value, ch_b.value) { - let diff = builder.sub_extension(limb_a, limb_b); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } -} - -/// Set `used`, `is_read`, and address for channel. -/// -/// `offset` is the stack index before this instruction is executed, e.g. `0` for the top of the -/// stack. -fn constrain_channel_packed( - is_read: bool, - filter: P, - offset: P, - channel: &MemoryChannelView

, - lv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - yield_constr.constraint(filter * (channel.used - P::ONES)); - yield_constr.constraint(filter * (channel.is_read - P::Scalar::from_bool(is_read))); - yield_constr.constraint(filter * (channel.addr_context - lv.context)); - yield_constr.constraint( - filter * (channel.addr_segment - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - // Top of the stack is at `addr = lv.stack_len - 1`. - let addr_virtual = lv.stack_len - P::ONES - offset; - yield_constr.constraint(filter * (channel.addr_virtual - addr_virtual)); -} - -/// Set `used`, `is_read`, and address for channel. -/// -/// `offset` is the stack index before this instruction is executed, e.g. `0` for the top of the -/// stack. -fn constrain_channel_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - is_read: bool, - filter: ExtensionTarget, - offset: ExtensionTarget, - channel: &MemoryChannelView>, - lv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - { - let constr = builder.mul_sub_extension(filter, channel.used, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = if is_read { - builder.mul_sub_extension(filter, channel.is_read, filter) - } else { - builder.mul_extension(filter, channel.is_read) - }; - yield_constr.constraint(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_context, lv.context); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::Stack.unscale()), - filter, - channel.addr_segment, - filter, - ); - yield_constr.constraint(builder, constr); - } - // Top of the stack is at `addr = lv.stack_len - 1`. - { - let constr = builder.add_extension(channel.addr_virtual, offset); - let constr = builder.sub_extension(constr, lv.stack_len); - let constr = builder.mul_add_extension(filter, constr, filter); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates constraints for DUP. -fn eval_packed_dup( - n: P, - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // DUP opcodes have 0 at the 5-th position, while SWAP opcodes have 1. - let filter = lv.op.dup_swap * (P::ONES - lv.opcode_bits[4]); - - let write_channel = &lv.mem_channels[1]; - let read_channel = &lv.mem_channels[2]; - - // Constrain the input and top of the stack channels to have the same value. - channels_equal_packed(filter, write_channel, &lv.mem_channels[0], yield_constr); - // Constrain the output channel's addresses, `is_read` and `used` fields. - constrain_channel_packed(false, filter, P::ZEROS, write_channel, lv, yield_constr); - - // Constrain the output and top of the stack channels to have the same value. - channels_equal_packed(filter, read_channel, &nv.mem_channels[0], yield_constr); - // Constrain the input channel's addresses, `is_read` and `used` fields. - constrain_channel_packed(true, filter, n, read_channel, lv, yield_constr); - - // Constrain nv.stack_len. - yield_constr.constraint_transition(filter * (nv.stack_len - lv.stack_len - P::ONES)); - - // Disable next top. - yield_constr.constraint(filter * nv.mem_channels[0].used); -} - -/// Circuit version of `eval_packed_dup`. -/// Evaluates constraints for DUP. -fn eval_ext_circuit_dup, const D: usize>( - builder: &mut CircuitBuilder, - n: ExtensionTarget, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let zero = builder.zero_extension(); - let one = builder.one_extension(); - // DUP opcodes have 0 at the 5-th position, while SWAP opcodes have 1. - let mut filter = builder.sub_extension(one, lv.opcode_bits[4]); - filter = builder.mul_extension(lv.op.dup_swap, filter); - - let write_channel = &lv.mem_channels[1]; - let read_channel = &lv.mem_channels[2]; - - // Constrain the input and top of the stack channels to have the same value. - channels_equal_ext_circuit( - builder, - filter, - write_channel, - &lv.mem_channels[0], - yield_constr, - ); - // Constrain the output channel's addresses, `is_read` and `used` fields. - constrain_channel_ext_circuit( - builder, - false, - filter, - zero, - write_channel, - lv, - yield_constr, - ); - - // Constrain the output and top of the stack channels to have the same value. - channels_equal_ext_circuit( - builder, - filter, - read_channel, - &nv.mem_channels[0], - yield_constr, - ); - // Constrain the input channel's addresses, `is_read` and `used` fields. - constrain_channel_ext_circuit(builder, true, filter, n, read_channel, lv, yield_constr); - - // Constrain nv.stack_len. - { - let diff = builder.sub_extension(nv.stack_len, lv.stack_len); - let constr = builder.mul_sub_extension(filter, diff, filter); - yield_constr.constraint_transition(builder, constr); - } - - // Disable next top. - { - let constr = builder.mul_extension(filter, nv.mem_channels[0].used); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates constraints for SWAP. -fn eval_packed_swap( - n: P, - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let n_plus_one = n + P::ONES; - - // DUP opcodes have 0 at the 5-th position, while SWAP opcodes have 1. - let filter = lv.op.dup_swap * lv.opcode_bits[4]; - - let in1_channel = &lv.mem_channels[0]; - let in2_channel = &lv.mem_channels[1]; - let out_channel = &lv.mem_channels[2]; - - // Constrain the first input channel value to be equal to the output channel value. - channels_equal_packed(filter, in1_channel, out_channel, yield_constr); - // We set `is_read`, `used` and the address for the first input. The first input is - // read from the top of the stack, and is therefore not a memory read. - constrain_channel_packed(false, filter, n_plus_one, out_channel, lv, yield_constr); - - // Constrain the second input channel value to be equal to the new top of the stack. - channels_equal_packed(filter, in2_channel, &nv.mem_channels[0], yield_constr); - // We set `is_read`, `used` and the address for the second input. - constrain_channel_packed(true, filter, n_plus_one, in2_channel, lv, yield_constr); - - // Constrain nv.stack_len. - yield_constr.constraint(filter * (nv.stack_len - lv.stack_len)); - - // Disable next top. - yield_constr.constraint(filter * nv.mem_channels[0].used); -} - -/// Circuit version of `eval_packed_swap`. -/// Evaluates constraints for SWAP. -fn eval_ext_circuit_swap, const D: usize>( - builder: &mut CircuitBuilder, - n: ExtensionTarget, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let one = builder.one_extension(); - let n_plus_one = builder.add_extension(n, one); - - // DUP opcodes have 0 at the 5-th position, while SWAP opcodes have 1. - let filter = builder.mul_extension(lv.op.dup_swap, lv.opcode_bits[4]); - - let in1_channel = &lv.mem_channels[0]; - let in2_channel = &lv.mem_channels[1]; - let out_channel = &lv.mem_channels[2]; - - // Constrain the first input channel value to be equal to the output channel value. - channels_equal_ext_circuit(builder, filter, in1_channel, out_channel, yield_constr); - // We set `is_read`, `used` and the address for the first input. The first input is - // read from the top of the stack, and is therefore not a memory read. - constrain_channel_ext_circuit( - builder, - false, - filter, - n_plus_one, - out_channel, - lv, - yield_constr, - ); - - // Constrain the second input channel value to be equal to the new top of the stack. - channels_equal_ext_circuit( - builder, - filter, - in2_channel, - &nv.mem_channels[0], - yield_constr, - ); - // We set `is_read`, `used` and the address for the second input. - constrain_channel_ext_circuit( - builder, - true, - filter, - n_plus_one, - in2_channel, - lv, - yield_constr, - ); - - // Constrain nv.stack_len. - let diff = builder.sub_extension(nv.stack_len, lv.stack_len); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - - // Disable next top. - { - let constr = builder.mul_extension(filter, nv.mem_channels[0].used); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates the constraints for the DUP and SWAP opcodes. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let n = lv.opcode_bits[0] - + lv.opcode_bits[1] * P::Scalar::from_canonical_u64(2) - + lv.opcode_bits[2] * P::Scalar::from_canonical_u64(4) - + lv.opcode_bits[3] * P::Scalar::from_canonical_u64(8); - - eval_packed_dup(n, lv, nv, yield_constr); - eval_packed_swap(n, lv, nv, yield_constr); - - // For both, disable the partial channel. - yield_constr.constraint(lv.op.dup_swap * lv.partial_channel.used); -} - -/// Circuit version of `eval_packed`. -/// Evaluates the constraints for the DUP and SWAP opcodes. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let n = lv.opcode_bits[..4].iter().enumerate().fold( - builder.zero_extension(), - |cumul, (i, &bit)| { - builder.mul_const_add_extension(F::from_canonical_u64(1 << i), bit, cumul) - }, - ); - - eval_ext_circuit_dup(builder, n, lv, nv, yield_constr); - eval_ext_circuit_swap(builder, n, lv, nv, yield_constr); - - // For both, disable the partial channel. - { - let constr = builder.mul_extension(lv.op.dup_swap, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/gas.rs b/evm/src/cpu/gas.rs deleted file mode 100644 index be033c3c43..0000000000 --- a/evm/src/cpu/gas.rs +++ /dev/null @@ -1,324 +0,0 @@ -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use super::columns::COL_MAP; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::ops::OpsColumnsView; -use crate::cpu::columns::CpuColumnsView; - -const KERNEL_ONLY_INSTR: Option = Some(0); -const G_JUMPDEST: Option = Some(1); -const G_BASE: Option = Some(2); -const G_VERYLOW: Option = Some(3); -const G_LOW: Option = Some(5); -const G_MID: Option = Some(8); -const G_HIGH: Option = Some(10); - -const SIMPLE_OPCODES: OpsColumnsView> = OpsColumnsView { - binary_op: None, // This is handled manually below - ternary_op: None, // This is handled manually below - fp254_op: KERNEL_ONLY_INSTR, - eq_iszero: G_VERYLOW, - logic_op: G_VERYLOW, - not_pop: None, // This is handled manually below - shift: G_VERYLOW, - jumpdest_keccak_general: None, // This is handled manually below. - push_prover_input: None, // This is handled manually below. - jumps: None, // Combined flag handled separately. - pc_push0: G_BASE, - dup_swap: G_VERYLOW, - context_op: KERNEL_ONLY_INSTR, - m_op_32bytes: KERNEL_ONLY_INSTR, - exit_kernel: None, - m_op_general: KERNEL_ONLY_INSTR, - syscall: None, - exception: None, -}; - -fn eval_packed_accumulate( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // Is it an instruction that we constrain here? - // I.e., does it always cost a constant amount of gas? - let filter: P = SIMPLE_OPCODES - .into_iter() - .enumerate() - .filter_map(|(i, maybe_cost)| { - // Add flag `lv.op[i]` to the sum if `SIMPLE_OPCODES[i]` is `Some`. - maybe_cost.map(|_| lv.op[i]) - }) - .sum(); - - // How much gas did we use? - let gas_used: P = SIMPLE_OPCODES - .into_iter() - .enumerate() - .filter_map(|(i, maybe_cost)| { - maybe_cost.map(|cost| P::Scalar::from_canonical_u32(cost) * lv.op[i]) - }) - .sum(); - - let constr = nv.gas - (lv.gas + gas_used); - yield_constr.constraint_transition(filter * constr); - - let gas_diff = nv.gas - lv.gas; - - for (maybe_cost, op_flag) in izip!(SIMPLE_OPCODES.into_iter(), lv.op.into_iter()) { - if let Some(cost) = maybe_cost { - let cost = P::Scalar::from_canonical_u32(cost); - yield_constr.constraint_transition(op_flag * (gas_diff - cost)); - } - } - - // For jumps. - let jump_gas_cost = P::Scalar::from_canonical_u32(G_MID.unwrap()) - + lv.opcode_bits[0] * P::Scalar::from_canonical_u32(G_HIGH.unwrap() - G_MID.unwrap()); - yield_constr.constraint_transition(lv.op.jumps * (gas_diff - jump_gas_cost)); - - // For binary_ops. - // MUL, DIV and MOD are differentiated from ADD, SUB, LT, GT and BYTE by their first and fifth bits set to 0. - let cost_filter = lv.opcode_bits[0] + lv.opcode_bits[4] - lv.opcode_bits[0] * lv.opcode_bits[4]; - let binary_op_cost = P::Scalar::from_canonical_u32(G_LOW.unwrap()) - + cost_filter - * (P::Scalar::from_canonical_u32(G_VERYLOW.unwrap()) - - P::Scalar::from_canonical_u32(G_LOW.unwrap())); - yield_constr.constraint_transition(lv.op.binary_op * (gas_diff - binary_op_cost)); - - // For ternary_ops. - // SUBMOD is differentiated by its second bit set to 1. - let ternary_op_cost = P::Scalar::from_canonical_u32(G_MID.unwrap()) - - lv.opcode_bits[1] * P::Scalar::from_canonical_u32(G_MID.unwrap()); - yield_constr.constraint_transition(lv.op.ternary_op * (gas_diff - ternary_op_cost)); - - // For NOT and POP. - // NOT is differentiated from POP by its first bit set to 1. - let not_pop_cost = (P::ONES - lv.opcode_bits[0]) - * P::Scalar::from_canonical_u32(G_BASE.unwrap()) - + lv.opcode_bits[0] * P::Scalar::from_canonical_u32(G_VERYLOW.unwrap()); - yield_constr.constraint_transition(lv.op.not_pop * (gas_diff - not_pop_cost)); - - // For JUMPDEST and KECCAK_GENERAL. - // JUMPDEST is differentiated from KECCAK_GENERAL by its second bit set to 1. - let jumpdest_keccak_general_gas_cost = lv.opcode_bits[1] - * P::Scalar::from_canonical_u32(G_JUMPDEST.unwrap()) - + (P::ONES - lv.opcode_bits[1]) * P::Scalar::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()); - yield_constr.constraint_transition( - lv.op.jumpdest_keccak_general * (gas_diff - jumpdest_keccak_general_gas_cost), - ); - - // For PROVER_INPUT and PUSH operations. - // PUSH operations are differentiated from PROVER_INPUT by their 6th bit set to 1. - let push_prover_input_gas_cost = lv.opcode_bits[5] - * P::Scalar::from_canonical_u32(G_VERYLOW.unwrap()) - + (P::ONES - lv.opcode_bits[5]) * P::Scalar::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()); - yield_constr - .constraint_transition(lv.op.push_prover_input * (gas_diff - push_prover_input_gas_cost)); -} - -fn eval_packed_init( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let is_cpu_cycle: P = COL_MAP.op.iter().map(|&col_i| lv[col_i]).sum(); - let is_cpu_cycle_next: P = COL_MAP.op.iter().map(|&col_i| nv[col_i]).sum(); - // `nv` is the first row that executes an instruction. - let filter = (is_cpu_cycle - P::ONES) * is_cpu_cycle_next; - // Set initial gas to zero. - yield_constr.constraint_transition(filter * nv.gas); -} - -/// Evaluate the gas constraints for the opcodes that cost a constant gas. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_accumulate(lv, nv, yield_constr); - eval_packed_init(lv, nv, yield_constr); -} - -fn eval_ext_circuit_accumulate, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // Is it an instruction that we constrain here? - // I.e., does it always cost a constant amount of gas? - let filter = SIMPLE_OPCODES.into_iter().enumerate().fold( - builder.zero_extension(), - |cumul, (i, maybe_cost)| { - // Add flag `lv.op[i]` to the sum if `SIMPLE_OPCODES[i]` is `Some`. - match maybe_cost { - None => cumul, - Some(_) => builder.add_extension(lv.op[i], cumul), - } - }, - ); - - // How much gas did we use? - let gas_used = SIMPLE_OPCODES.into_iter().enumerate().fold( - builder.zero_extension(), - |cumul, (i, maybe_cost)| match maybe_cost { - None => cumul, - Some(cost) => { - let cost_ext = builder.constant_extension(F::from_canonical_u32(cost).into()); - builder.mul_add_extension(lv.op[i], cost_ext, cumul) - } - }, - ); - - let constr = { - let t = builder.add_extension(lv.gas, gas_used); - builder.sub_extension(nv.gas, t) - }; - let filtered_constr = builder.mul_extension(filter, constr); - yield_constr.constraint_transition(builder, filtered_constr); - - for (maybe_cost, op_flag) in izip!(SIMPLE_OPCODES.into_iter(), lv.op.into_iter()) { - if let Some(cost) = maybe_cost { - let nv_lv_diff = builder.sub_extension(nv.gas, lv.gas); - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_u32(cost), - op_flag, - nv_lv_diff, - op_flag, - ); - yield_constr.constraint_transition(builder, constr); - } - } - - // For jumps. - let filter = lv.op.jumps; - let jump_gas_cost = builder.mul_const_extension( - F::from_canonical_u32(G_HIGH.unwrap() - G_MID.unwrap()), - lv.opcode_bits[0], - ); - let jump_gas_cost = - builder.add_const_extension(jump_gas_cost, F::from_canonical_u32(G_MID.unwrap())); - - let nv_lv_diff = builder.sub_extension(nv.gas, lv.gas); - let gas_diff = builder.sub_extension(nv_lv_diff, jump_gas_cost); - let constr = builder.mul_extension(filter, gas_diff); - yield_constr.constraint_transition(builder, constr); - - // For binary_ops. - // MUL, DIV and MOD are differentiated from ADD, SUB, LT, GT and BYTE by their first and fifth bits set to 0. - let filter = lv.op.binary_op; - let cost_filter = { - let a = builder.add_extension(lv.opcode_bits[0], lv.opcode_bits[4]); - let b = builder.mul_extension(lv.opcode_bits[0], lv.opcode_bits[4]); - builder.sub_extension(a, b) - }; - let binary_op_cost = builder.mul_const_extension( - F::from_canonical_u32(G_VERYLOW.unwrap()) - F::from_canonical_u32(G_LOW.unwrap()), - cost_filter, - ); - let binary_op_cost = - builder.add_const_extension(binary_op_cost, F::from_canonical_u32(G_LOW.unwrap())); - - let nv_lv_diff = builder.sub_extension(nv.gas, lv.gas); - let gas_diff = builder.sub_extension(nv_lv_diff, binary_op_cost); - let constr = builder.mul_extension(filter, gas_diff); - yield_constr.constraint_transition(builder, constr); - - // For ternary_ops. - // SUBMOD is differentiated by its second bit set to 1. - let filter = lv.op.ternary_op; - let ternary_op_cost = builder.mul_const_extension( - F::from_canonical_u32(G_MID.unwrap()).neg(), - lv.opcode_bits[1], - ); - let ternary_op_cost = - builder.add_const_extension(ternary_op_cost, F::from_canonical_u32(G_MID.unwrap())); - - let nv_lv_diff = builder.sub_extension(nv.gas, lv.gas); - let gas_diff = builder.sub_extension(nv_lv_diff, ternary_op_cost); - let constr = builder.mul_extension(filter, gas_diff); - yield_constr.constraint_transition(builder, constr); - - // For NOT and POP. - // NOT is differentiated from POP by its first bit set to 1. - let filter = lv.op.not_pop; - let one = builder.one_extension(); - let mut not_pop_cost = - builder.mul_const_extension(F::from_canonical_u32(G_VERYLOW.unwrap()), lv.opcode_bits[0]); - let mut pop_cost = builder.sub_extension(one, lv.opcode_bits[0]); - pop_cost = builder.mul_const_extension(F::from_canonical_u32(G_BASE.unwrap()), pop_cost); - not_pop_cost = builder.add_extension(not_pop_cost, pop_cost); - - let not_pop_gas_diff = builder.sub_extension(nv_lv_diff, not_pop_cost); - let not_pop_constr = builder.mul_extension(filter, not_pop_gas_diff); - yield_constr.constraint_transition(builder, not_pop_constr); - - // For JUMPDEST and KECCAK_GENERAL. - // JUMPDEST is differentiated from KECCAK_GENERAL by its second bit set to 1. - let one = builder.one_extension(); - let filter = lv.op.jumpdest_keccak_general; - - let jumpdest_keccak_general_gas_cost = builder.arithmetic_extension( - F::from_canonical_u32(G_JUMPDEST.unwrap()) - - F::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()), - F::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()), - lv.opcode_bits[1], - one, - one, - ); - - let gas_diff = builder.sub_extension(nv_lv_diff, jumpdest_keccak_general_gas_cost); - let constr = builder.mul_extension(filter, gas_diff); - - yield_constr.constraint_transition(builder, constr); - - // For PROVER_INPUT and PUSH operations. - // PUSH operations are differentiated from PROVER_INPUT by their 6th bit set to 1. - let push_prover_input_gas_cost = builder.arithmetic_extension( - F::from_canonical_u32(G_VERYLOW.unwrap()) - - F::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()), - F::from_canonical_u32(KERNEL_ONLY_INSTR.unwrap()), - lv.opcode_bits[5], - one, - one, - ); - let gas_diff = builder.sub_extension(nv_lv_diff, push_prover_input_gas_cost); - let constr = builder.mul_extension(lv.op.push_prover_input, gas_diff); - - yield_constr.constraint_transition(builder, constr); -} - -fn eval_ext_circuit_init, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // `nv` is the first row that executes an instruction. - let is_cpu_cycle = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| lv[col_i])); - let is_cpu_cycle_next = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| nv[col_i])); - let filter = builder.mul_sub_extension(is_cpu_cycle, is_cpu_cycle_next, is_cpu_cycle_next); - // Set initial gas to zero. - let constr = builder.mul_extension(filter, nv.gas); - yield_constr.constraint_transition(builder, constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluate the gas constraints for the opcodes that cost a constant gas. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // Evaluates the transition gas constraints. - eval_ext_circuit_accumulate(builder, lv, nv, yield_constr); - // Evaluates the initial gas constraints. - eval_ext_circuit_init(builder, lv, nv, yield_constr); -} diff --git a/evm/src/cpu/halt.rs b/evm/src/cpu/halt.rs deleted file mode 100644 index 80ac32853c..0000000000 --- a/evm/src/cpu/halt.rs +++ /dev/null @@ -1,104 +0,0 @@ -//! Once the CPU execution is over (i.e. reached the `halt` label in the kernel), -//! the CPU trace will be padded with special dummy rows, incurring no memory overhead. - -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use super::control_flow::get_halt_pc; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::{CpuColumnsView, COL_MAP}; -use crate::cpu::membus::NUM_GP_CHANNELS; - -/// Evaluates constraints for the `halt` flag. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let is_cpu_cycle: P = COL_MAP.op.iter().map(|&col_i| lv[col_i]).sum(); - let is_cpu_cycle_next: P = COL_MAP.op.iter().map(|&col_i| nv[col_i]).sum(); - - let halt_state = P::ONES - is_cpu_cycle; - let next_halt_state = P::ONES - is_cpu_cycle_next; - - // The halt flag must be boolean. - yield_constr.constraint(halt_state * (halt_state - P::ONES)); - // Once we reach a padding row, there must be only padding rows. - yield_constr.constraint_transition(halt_state * (next_halt_state - P::ONES)); - // Check that we're in kernel mode. - yield_constr.constraint(halt_state * (lv.is_kernel_mode - P::ONES)); - - // Padding rows should have their memory channels disabled. - for i in 0..NUM_GP_CHANNELS { - let channel = lv.mem_channels[i]; - yield_constr.constraint(halt_state * channel.used); - } - - // The last row must be a dummy padding row. - yield_constr.constraint_last_row(halt_state - P::ONES); - - // Also, a padding row's `program_counter` must be at the `halt` label. - // In particular, it ensures that the first padding row may only be added - // after we jumped to the `halt` function. Subsequent padding rows may set - // the `program_counter` to arbitrary values (there's no transition - // constraints) so we can place this requirement on them too. - let halt_pc = get_halt_pc::(); - yield_constr.constraint(halt_state * (lv.program_counter - halt_pc)); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for the `halt` flag. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let one = builder.one_extension(); - - let is_cpu_cycle = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| lv[col_i])); - let is_cpu_cycle_next = builder.add_many_extension(COL_MAP.op.iter().map(|&col_i| nv[col_i])); - - let halt_state = builder.sub_extension(one, is_cpu_cycle); - let next_halt_state = builder.sub_extension(one, is_cpu_cycle_next); - - // The halt flag must be boolean. - let constr = builder.mul_sub_extension(halt_state, halt_state, halt_state); - yield_constr.constraint(builder, constr); - // Once we reach a padding row, there must be only padding rows. - let constr = builder.mul_sub_extension(halt_state, next_halt_state, halt_state); - yield_constr.constraint_transition(builder, constr); - // Check that we're in kernel mode. - let constr = builder.mul_sub_extension(halt_state, lv.is_kernel_mode, halt_state); - yield_constr.constraint(builder, constr); - - // Padding rows should have their memory channels disabled. - for i in 0..NUM_GP_CHANNELS { - let channel = lv.mem_channels[i]; - let constr = builder.mul_extension(halt_state, channel.used); - yield_constr.constraint(builder, constr); - } - - // The last row must be a dummy padding row. - { - let one = builder.one_extension(); - let constr = builder.sub_extension(halt_state, one); - yield_constr.constraint_last_row(builder, constr); - } - - // Also, a padding row's `program_counter` must be at the `halt` label. - // In particular, it ensures that the first padding row may only be added - // after we jumped to the `halt` function. Subsequent padding rows may set - // the `program_counter` to arbitrary values (there's no transition - // constraints) so we can place this requirement on them too. - { - let halt_pc = get_halt_pc(); - let halt_pc_target = builder.constant_extension(halt_pc); - let constr = builder.sub_extension(lv.program_counter, halt_pc_target); - let constr = builder.mul_extension(halt_state, constr); - - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/jumps.rs b/evm/src/cpu/jumps.rs deleted file mode 100644 index fd7fcfd962..0000000000 --- a/evm/src/cpu/jumps.rs +++ /dev/null @@ -1,390 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::memory::segments::Segment; - -/// Evaluates constraints for EXIT_KERNEL. -pub(crate) fn eval_packed_exit_kernel( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let input = lv.mem_channels[0].value; - let filter = lv.op.exit_kernel; - - // If we are executing `EXIT_KERNEL` then we simply restore the program counter, kernel mode - // flag, and gas counter. The middle 4 (32-bit) limbs are ignored (this is not part of the spec, - // but we trust the kernel to set them to zero). - yield_constr.constraint_transition(filter * (input[0] - nv.program_counter)); - yield_constr.constraint_transition(filter * (input[1] - nv.is_kernel_mode)); - yield_constr.constraint_transition(filter * (input[6] - nv.gas)); - // High limb of gas must be 0 for convenient detection of overflow. - yield_constr.constraint(filter * input[7]); -} - -/// Circuit version of `eval_packed_exit_kernel`. -/// Evaluates constraints for EXIT_KERNEL. -pub(crate) fn eval_ext_circuit_exit_kernel, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let input = lv.mem_channels[0].value; - let filter = lv.op.exit_kernel; - - // If we are executing `EXIT_KERNEL` then we simply restore the program counter and kernel mode - // flag. The top 6 (32-bit) limbs are ignored (this is not part of the spec, but we trust the - // kernel to set them to zero). - - let pc_constr = builder.sub_extension(input[0], nv.program_counter); - let pc_constr = builder.mul_extension(filter, pc_constr); - yield_constr.constraint_transition(builder, pc_constr); - - let kernel_constr = builder.sub_extension(input[1], nv.is_kernel_mode); - let kernel_constr = builder.mul_extension(filter, kernel_constr); - yield_constr.constraint_transition(builder, kernel_constr); - - { - let diff = builder.sub_extension(input[6], nv.gas); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - // High limb of gas must be 0 for convenient detection of overflow. - let constr = builder.mul_extension(filter, input[7]); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates constraints jump operations: JUMP and JUMPI. -pub(crate) fn eval_packed_jump_jumpi( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let jumps_lv = lv.general.jumps(); - let dst = lv.mem_channels[0].value; - let cond = lv.mem_channels[1].value; - let filter = lv.op.jumps; // `JUMP` or `JUMPI` - let jumpdest_flag_channel = lv.mem_channels[NUM_GP_CHANNELS - 1]; - let is_jump = filter * (P::ONES - lv.opcode_bits[0]); - let is_jumpi = filter * lv.opcode_bits[0]; - - // Stack constraints. - // If (JUMP and stack_len != 1) or (JUMPI and stack_len != 2)... - let len_diff = lv.stack_len - P::ONES - lv.opcode_bits[0]; - let new_filter = len_diff * filter; - // Read an extra element. - let channel = nv.mem_channels[0]; - yield_constr.constraint_transition(new_filter * (channel.used - P::ONES)); - yield_constr.constraint_transition(new_filter * (channel.is_read - P::ONES)); - yield_constr.constraint_transition(new_filter * (channel.addr_context - nv.context)); - yield_constr.constraint_transition( - new_filter - * (channel.addr_segment - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - let addr_virtual = nv.stack_len - P::ONES; - yield_constr.constraint_transition(new_filter * (channel.addr_virtual - addr_virtual)); - // Constrain `stack_inv_aux`. - yield_constr.constraint( - filter * (len_diff * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - // Disable channel if stack_len == N. - let empty_stack_filter = filter * (lv.general.stack().stack_inv_aux - P::ONES); - yield_constr.constraint_transition(empty_stack_filter * channel.used); - - // If `JUMP`, re-use the `JUMPI` logic, but setting the second input (the predicate) to be 1. - // In other words, we implement `JUMP(dst)` as `JUMPI(dst, cond=1)`. - yield_constr.constraint(is_jump * (cond[0] - P::ONES)); - for &limb in &cond[1..] { - // Set all limbs (other than the least-significant limb) to 0. - // NB: Technically, they don't have to be 0, as long as the sum - // `cond[0] + ... + cond[7]` cannot overflow. - yield_constr.constraint(is_jump * limb); - } - - // Check `should_jump`: - yield_constr.constraint(filter * jumps_lv.should_jump * (jumps_lv.should_jump - P::ONES)); - let cond_sum: P = cond.into_iter().sum(); - yield_constr.constraint(filter * (jumps_lv.should_jump - P::ONES) * cond_sum); - yield_constr.constraint(filter * (jumps_lv.cond_sum_pinv * cond_sum - jumps_lv.should_jump)); - - // If we're jumping, then the high 7 limbs of the destination must be 0. - let dst_hi_sum: P = dst[1..].iter().copied().sum(); - yield_constr.constraint(filter * jumps_lv.should_jump * dst_hi_sum); - // Check that the destination address holds a `JUMPDEST` instruction. Note that this constraint - // does not need to be conditioned on `should_jump` because no read takes place if we're not - // jumping, so we're free to set the channel to 1. - yield_constr.constraint(filter * (jumpdest_flag_channel.value[0] - P::ONES)); - - // Make sure that the JUMPDEST flag channel is constrained. - // Only need to read if we're about to jump and we're not in kernel mode. - yield_constr.constraint( - filter - * (jumpdest_flag_channel.used - jumps_lv.should_jump * (P::ONES - lv.is_kernel_mode)), - ); - yield_constr.constraint(filter * (jumpdest_flag_channel.is_read - P::ONES)); - yield_constr.constraint(filter * (jumpdest_flag_channel.addr_context - lv.context)); - yield_constr.constraint( - filter - * (jumpdest_flag_channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::JumpdestBits.unscale())), - ); - yield_constr.constraint(filter * (jumpdest_flag_channel.addr_virtual - dst[0])); - - // Disable unused memory channels - for &channel in &lv.mem_channels[2..NUM_GP_CHANNELS - 1] { - yield_constr.constraint(filter * channel.used); - } - yield_constr.constraint(filter * lv.partial_channel.used); - - // Channel 1 is unused by the `JUMP` instruction. - yield_constr.constraint(is_jump * lv.mem_channels[1].used); - - // Update stack length. - yield_constr.constraint_transition(is_jump * (nv.stack_len - lv.stack_len + P::ONES)); - yield_constr.constraint_transition( - is_jumpi * (nv.stack_len - lv.stack_len + P::Scalar::from_canonical_u64(2)), - ); - - // Finally, set the next program counter. - let fallthrough_dst = lv.program_counter + P::ONES; - let jump_dest = dst[0]; - yield_constr.constraint_transition( - filter * (jumps_lv.should_jump - P::ONES) * (nv.program_counter - fallthrough_dst), - ); - yield_constr - .constraint_transition(filter * jumps_lv.should_jump * (nv.program_counter - jump_dest)); -} - -/// Circuit version of `eval_packed_jumpi_jumpi`. -/// Evaluates constraints jump operations: JUMP and JUMPI. -pub(crate) fn eval_ext_circuit_jump_jumpi, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let jumps_lv = lv.general.jumps(); - let dst = lv.mem_channels[0].value; - let cond = lv.mem_channels[1].value; - let filter = lv.op.jumps; // `JUMP` or `JUMPI` - let jumpdest_flag_channel = lv.mem_channels[NUM_GP_CHANNELS - 1]; - let one_extension = builder.one_extension(); - let is_jump = builder.sub_extension(one_extension, lv.opcode_bits[0]); - let is_jump = builder.mul_extension(filter, is_jump); - let is_jumpi = builder.mul_extension(filter, lv.opcode_bits[0]); - - // Stack constraints. - // If (JUMP and stack_len != 1) or (JUMPI and stack_len != 2)... - let len_diff = builder.sub_extension(lv.stack_len, one_extension); - let len_diff = builder.sub_extension(len_diff, lv.opcode_bits[0]); - let new_filter = builder.mul_extension(len_diff, filter); - // Read an extra element. - let channel = nv.mem_channels[0]; - - { - let constr = builder.mul_sub_extension(new_filter, channel.used, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.mul_sub_extension(new_filter, channel.is_read, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_context, nv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::Stack.unscale()), - new_filter, - channel.addr_segment, - new_filter, - ); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_virtual, nv.stack_len); - let constr = builder.arithmetic_extension(F::ONE, F::ONE, new_filter, diff, new_filter); - yield_constr.constraint_transition(builder, constr); - } - // Constrain `stack_inv_aux`. - { - let prod = builder.mul_extension(len_diff, lv.general.stack().stack_inv); - let diff = builder.sub_extension(prod, lv.general.stack().stack_inv_aux); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - // Disable channel if stack_len == N. - { - let empty_stack_filter = - builder.mul_sub_extension(filter, lv.general.stack().stack_inv_aux, filter); - let constr = builder.mul_extension(empty_stack_filter, channel.used); - yield_constr.constraint_transition(builder, constr); - } - - // If `JUMP`, re-use the `JUMPI` logic, but setting the second input (the predicate) to be 1. - // In other words, we implement `JUMP(dst)` as `JUMPI(dst, cond=1)`. - { - let constr = builder.mul_sub_extension(is_jump, cond[0], is_jump); - yield_constr.constraint(builder, constr); - } - for &limb in &cond[1..] { - // Set all limbs (other than the least-significant limb) to 0. - // NB: Technically, they don't have to be 0, as long as the sum - // `cond[0] + ... + cond[7]` cannot overflow. - let constr = builder.mul_extension(is_jump, limb); - yield_constr.constraint(builder, constr); - } - - // Check `should_jump`: - { - let constr = builder.mul_sub_extension( - jumps_lv.should_jump, - jumps_lv.should_jump, - jumps_lv.should_jump, - ); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - let cond_sum = builder.add_many_extension(cond); - { - let constr = builder.mul_sub_extension(cond_sum, jumps_lv.should_jump, cond_sum); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - { - let constr = - builder.mul_sub_extension(jumps_lv.cond_sum_pinv, cond_sum, jumps_lv.should_jump); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - - // If we're jumping, then the high 7 limbs of the destination must be 0. - let dst_hi_sum = builder.add_many_extension(&dst[1..]); - { - let constr = builder.mul_extension(jumps_lv.should_jump, dst_hi_sum); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - // Check that the destination address holds a `JUMPDEST` instruction. Note that this constraint - // does not need to be conditioned on `should_jump` because no read takes place if we're not - // jumping, so we're free to set the channel to 1. - { - let constr = builder.mul_sub_extension(filter, jumpdest_flag_channel.value[0], filter); - yield_constr.constraint(builder, constr); - } - - // Make sure that the JUMPDEST flag channel is constrained. - // Only need to read if we're about to jump and we're not in kernel mode. - { - let constr = builder.mul_sub_extension( - jumps_lv.should_jump, - lv.is_kernel_mode, - jumps_lv.should_jump, - ); - let constr = builder.add_extension(jumpdest_flag_channel.used, constr); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_sub_extension(filter, jumpdest_flag_channel.is_read, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.sub_extension(jumpdest_flag_channel.addr_context, lv.context); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::JumpdestBits.unscale()), - filter, - jumpdest_flag_channel.addr_segment, - filter, - ); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.sub_extension(jumpdest_flag_channel.addr_virtual, dst[0]); - let constr = builder.mul_extension(filter, constr); - yield_constr.constraint(builder, constr); - } - - // Disable unused memory channels - for &channel in &lv.mem_channels[2..NUM_GP_CHANNELS - 1] { - let constr = builder.mul_extension(filter, channel.used); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_extension(filter, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } - // Channel 1 is unused by the `JUMP` instruction. - { - let constr = builder.mul_extension(is_jump, lv.mem_channels[1].used); - yield_constr.constraint(builder, constr); - } - - // Update stack length. - { - let diff = builder.sub_extension(nv.stack_len, lv.stack_len); - let constr = builder.mul_add_extension(is_jump, diff, is_jump); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(nv.stack_len, lv.stack_len); - let diff = builder.add_const_extension(diff, F::TWO); - let constr = builder.mul_extension(is_jumpi, diff); - yield_constr.constraint_transition(builder, constr); - } - - // Finally, set the next program counter. - let fallthrough_dst = builder.add_const_extension(lv.program_counter, F::ONE); - let jump_dest = dst[0]; - { - let constr_a = builder.mul_sub_extension(filter, jumps_lv.should_jump, filter); - let constr_b = builder.sub_extension(nv.program_counter, fallthrough_dst); - let constr = builder.mul_extension(constr_a, constr_b); - yield_constr.constraint_transition(builder, constr); - } - { - let constr_a = builder.mul_extension(filter, jumps_lv.should_jump); - let constr_b = builder.sub_extension(nv.program_counter, jump_dest); - let constr = builder.mul_extension(constr_a, constr_b); - yield_constr.constraint_transition(builder, constr); - } -} - -/// Evaluates constraints for EXIT_KERNEL, JUMP and JUMPI. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_exit_kernel(lv, nv, yield_constr); - eval_packed_jump_jumpi(lv, nv, yield_constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for EXIT_KERNEL, JUMP and JUMPI. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - eval_ext_circuit_exit_kernel(builder, lv, nv, yield_constr); - eval_ext_circuit_jump_jumpi(builder, lv, nv, yield_constr); -} diff --git a/evm/src/cpu/kernel/aggregator.rs b/evm/src/cpu/kernel/aggregator.rs deleted file mode 100644 index 6376552550..0000000000 --- a/evm/src/cpu/kernel/aggregator.rs +++ /dev/null @@ -1,184 +0,0 @@ -//! Loads each kernel assembly file and concatenates them. - -use itertools::Itertools; -use once_cell::sync::Lazy; - -use super::assembler::{assemble, Kernel}; -use crate::cpu::kernel::constants::evm_constants; -use crate::cpu::kernel::parser::parse; - -pub static KERNEL: Lazy = Lazy::new(combined_kernel); - -pub(crate) fn combined_kernel() -> Kernel { - let files = vec![ - "global jumped_to_0: PANIC", - "global jumped_to_1: PANIC", - include_str!("asm/bignum/add.asm"), - include_str!("asm/bignum/addmul.asm"), - include_str!("asm/bignum/cmp.asm"), - include_str!("asm/bignum/isone.asm"), - include_str!("asm/bignum/iszero.asm"), - include_str!("asm/bignum/modexp.asm"), - include_str!("asm/bignum/modmul.asm"), - include_str!("asm/bignum/mul.asm"), - include_str!("asm/bignum/shr.asm"), - include_str!("asm/bignum/util.asm"), - include_str!("asm/core/call.asm"), - include_str!("asm/core/call_gas.asm"), - include_str!("asm/core/create.asm"), - include_str!("asm/core/create_addresses.asm"), - include_str!("asm/core/create_contract_account.asm"), - include_str!("asm/core/exception.asm"), - include_str!("asm/core/create_receipt.asm"), - include_str!("asm/core/gas.asm"), - include_str!("asm/core/intrinsic_gas.asm"), - include_str!("asm/core/jumpdest_analysis.asm"), - include_str!("asm/core/nonce.asm"), - include_str!("asm/core/process_txn.asm"), - include_str!("asm/core/syscall.asm"), - include_str!("asm/core/terminate.asm"), - include_str!("asm/core/transfer.asm"), - include_str!("asm/core/util.asm"), - include_str!("asm/core/access_lists.asm"), - include_str!("asm/core/log.asm"), - include_str!("asm/core/selfdestruct_list.asm"), - include_str!("asm/core/touched_addresses.asm"), - include_str!("asm/core/withdrawals.asm"), - include_str!("asm/core/precompiles/main.asm"), - include_str!("asm/core/precompiles/ecrec.asm"), - include_str!("asm/core/precompiles/sha256.asm"), - include_str!("asm/core/precompiles/rip160.asm"), - include_str!("asm/core/precompiles/id.asm"), - include_str!("asm/core/precompiles/expmod.asm"), - include_str!("asm/core/precompiles/bn_add.asm"), - include_str!("asm/core/precompiles/bn_mul.asm"), - include_str!("asm/core/precompiles/snarkv.asm"), - include_str!("asm/core/precompiles/blake2_f.asm"), - include_str!("asm/curve/bls381/util.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/constants.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/curve_add.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/curve_mul.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/final_exponent.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/glv.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/miller_loop.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/msm.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/pairing.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/precomputation.asm"), - include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve.asm"), - include_str!("asm/curve/bn254/field_arithmetic/degree_6_mul.asm"), - include_str!("asm/curve/bn254/field_arithmetic/degree_12_mul.asm"), - include_str!("asm/curve/bn254/field_arithmetic/frobenius.asm"), - include_str!("asm/curve/bn254/field_arithmetic/inverse.asm"), - include_str!("asm/curve/bn254/field_arithmetic/util.asm"), - include_str!("asm/curve/common.asm"), - include_str!("asm/curve/secp256k1/curve_add.asm"), - include_str!("asm/curve/secp256k1/ecrecover.asm"), - include_str!("asm/curve/secp256k1/inverse_scalar.asm"), - include_str!("asm/curve/secp256k1/lift_x.asm"), - include_str!("asm/curve/secp256k1/moddiv.asm"), - include_str!("asm/curve/secp256k1/glv.asm"), - include_str!("asm/curve/secp256k1/precomputation.asm"), - include_str!("asm/curve/wnaf.asm"), - include_str!("asm/exp.asm"), - include_str!("asm/halt.asm"), - include_str!("asm/hash/blake2/addresses.asm"), - include_str!("asm/hash/blake2/blake2_f.asm"), - // include_str!("asm/hash/blake2/blake2b.asm"), - // include_str!("asm/hash/blake2/compression.asm"), - include_str!("asm/hash/blake2/g_functions.asm"), - include_str!("asm/hash/blake2/hash.asm"), - include_str!("asm/hash/blake2/iv.asm"), - include_str!("asm/hash/blake2/ops.asm"), - include_str!("asm/hash/blake2/permutations.asm"), - include_str!("asm/hash/ripemd/box.asm"), - include_str!("asm/hash/ripemd/compression.asm"), - include_str!("asm/hash/ripemd/constants.asm"), - include_str!("asm/hash/ripemd/functions.asm"), - include_str!("asm/hash/ripemd/main.asm"), - include_str!("asm/hash/ripemd/update.asm"), - include_str!("asm/hash/sha2/compression.asm"), - include_str!("asm/hash/sha2/constants.asm"), - include_str!("asm/hash/sha2/main.asm"), - include_str!("asm/hash/sha2/message_schedule.asm"), - include_str!("asm/hash/sha2/ops.asm"), - include_str!("asm/hash/sha2/temp_words.asm"), - include_str!("asm/hash/sha2/write_length.asm"), - include_str!("asm/main.asm"), - include_str!("asm/memory/core.asm"), - include_str!("asm/memory/memcpy.asm"), - include_str!("asm/memory/memset.asm"), - include_str!("asm/memory/metadata.asm"), - include_str!("asm/memory/packing.asm"), - include_str!("asm/memory/syscalls.asm"), - include_str!("asm/memory/txn_fields.asm"), - include_str!("asm/mpt/accounts.asm"), - include_str!("asm/mpt/delete/delete.asm"), - include_str!("asm/mpt/delete/delete_branch.asm"), - include_str!("asm/mpt/delete/delete_extension.asm"), - include_str!("asm/mpt/hash/hash.asm"), - include_str!("asm/mpt/hash/hash_trie_specific.asm"), - include_str!("asm/mpt/hex_prefix.asm"), - include_str!("asm/mpt/insert/insert.asm"), - include_str!("asm/mpt/insert/insert_extension.asm"), - include_str!("asm/mpt/insert/insert_leaf.asm"), - include_str!("asm/mpt/insert/insert_trie_specific.asm"), - include_str!("asm/mpt/read.asm"), - include_str!("asm/mpt/storage/storage_read.asm"), - include_str!("asm/mpt/storage/storage_write.asm"), - include_str!("asm/mpt/util.asm"), - include_str!("asm/rlp/decode.asm"), - include_str!("asm/rlp/encode.asm"), - include_str!("asm/rlp/encode_rlp_scalar.asm"), - include_str!("asm/rlp/encode_rlp_string.asm"), - include_str!("asm/rlp/increment_bounded_rlp.asm"), - include_str!("asm/rlp/num_bytes.asm"), - include_str!("asm/rlp/read_to_memory.asm"), - include_str!("asm/shift.asm"), - include_str!("asm/signed.asm"), - include_str!("asm/journal/journal.asm"), - include_str!("asm/journal/account_loaded.asm"), - include_str!("asm/journal/account_destroyed.asm"), - include_str!("asm/journal/account_touched.asm"), - include_str!("asm/journal/balance_transfer.asm"), - include_str!("asm/journal/nonce_change.asm"), - include_str!("asm/journal/storage_change.asm"), - include_str!("asm/journal/storage_loaded.asm"), - include_str!("asm/journal/code_change.asm"), - include_str!("asm/journal/refund.asm"), - include_str!("asm/journal/account_created.asm"), - include_str!("asm/journal/revert.asm"), - include_str!("asm/journal/log.asm"), - include_str!("asm/transactions/common_decoding.asm"), - include_str!("asm/transactions/router.asm"), - include_str!("asm/transactions/type_0.asm"), - include_str!("asm/transactions/type_1.asm"), - include_str!("asm/transactions/type_2.asm"), - include_str!("asm/util/assertions.asm"), - include_str!("asm/util/basic_macros.asm"), - include_str!("asm/util/keccak.asm"), - include_str!("asm/util/math.asm"), - include_str!("asm/account_code.asm"), - include_str!("asm/balance.asm"), - include_str!("asm/bloom_filter.asm"), - ]; - - let parsed_files = files.iter().map(|f| parse(f)).collect_vec(); - assemble(parsed_files, evm_constants(), true) -} - -#[cfg(test)] -mod tests { - use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; - use log::debug; - - use crate::cpu::kernel::aggregator::combined_kernel; - - #[test] - fn make_kernel() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "debug")); - - // Make sure we can parse and assemble the entire kernel. - let kernel = combined_kernel(); - debug!("Total kernel size: {} bytes", kernel.code.len()); - } -} diff --git a/evm/src/cpu/kernel/asm/account_code.asm b/evm/src/cpu/kernel/asm/account_code.asm deleted file mode 100644 index 2654bedc7b..0000000000 --- a/evm/src/cpu/kernel/asm/account_code.asm +++ /dev/null @@ -1,136 +0,0 @@ -global sys_extcodehash: - // stack: kexit_info, address - SWAP1 %u256_to_addr - // stack: address, kexit_info - SWAP1 - DUP2 %insert_accessed_addresses - // stack: cold_access, kexit_info, address - PUSH @GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS - MUL - PUSH @GAS_WARMACCESS - ADD - %charge_gas - // stack: kexit_info, address - - SWAP1 - DUP1 %is_dead %jumpi(extcodehash_dead) - %extcodehash - // stack: hash, kexit_info - SWAP1 - EXIT_KERNEL -extcodehash_dead: - %stack (address, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -global extcodehash: - // stack: address, retdest - %mpt_read_state_trie - // stack: account_ptr, retdest - DUP1 ISZERO %jumpi(retzero) - %add_const(3) - // stack: codehash_ptr, retdest - %mload_trie_data - // stack: codehash, retdest - SWAP1 JUMP -retzero: - %stack (account_ptr, retdest) -> (retdest, 0) - JUMP - -%macro extcodehash - %stack (address) -> (address, %%after) - %jump(extcodehash) -%%after: -%endmacro - -%macro ext_code_empty - %extcodehash - %eq_const(@EMPTY_STRING_HASH) -%endmacro - -%macro extcodesize - %stack (address) -> (address, %%after) - %jump(extcodesize) -%%after: -%endmacro - -global sys_extcodesize: - // stack: kexit_info, address - SWAP1 %u256_to_addr - // stack: address, kexit_info - SWAP1 - DUP2 %insert_accessed_addresses - // stack: cold_access, kexit_info, address - PUSH @GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS - MUL - PUSH @GAS_WARMACCESS - ADD - %charge_gas - // stack: kexit_info, address - - SWAP1 - // stack: address, kexit_info - %extcodesize - // stack: code_size, kexit_info - SWAP1 - EXIT_KERNEL - -global extcodesize: - // stack: address, retdest - %next_context_id - // stack: codesize_ctx, address, retdest - SWAP1 - // stack: address, codesize_ctx, retdest - %jump(load_code) - -// Loads the code at `address` into memory, in the code segment of the given context, starting at offset 0. -// Checks that the hash of the loaded code corresponds to the `codehash` in the state trie. -// Pre stack: address, ctx, retdest -// Post stack: code_size -// -// NOTE: The provided `dest` **MUST** have a virtual address of 0. -global load_code: - %stack (address, ctx, retdest) -> (extcodehash, address, load_code_ctd, ctx, retdest) - JUMP -load_code_ctd: - // stack: codehash, ctx, retdest - DUP1 ISZERO %jumpi(load_code_non_existent_account) - // Load the code non-deterministically in memory and return the length. - PROVER_INPUT(account_code) - %stack (code_size, codehash, ctx, retdest) -> (ctx, code_size, codehash, retdest, code_size) - // Check that the hash of the loaded code equals `codehash`. - // ctx == DST, as SEGMENT_CODE == offset == 0. - KECCAK_GENERAL - // stack: shouldbecodehash, codehash, retdest, code_size - %assert_eq - // stack: retdest, code_size - JUMP - -load_code_non_existent_account: - // Write 0 at address 0 for soundness: SEGMENT_CODE == 0, hence ctx == addr. - // stack: codehash, addr, retdest - %stack (codehash, addr, retdest) -> (0, addr, retdest, 0) - MSTORE_GENERAL - // stack: retdest, 0 - JUMP - -// Identical to load_code, but adds 33 zeros after code_size for soundness reasons. -// If the code ends with an incomplete PUSH, we must make sure that every subsequent read is 0, -// accordingly to the Ethereum specs. -// Pre stack: address, ctx, retdest -// Post stack: code_size -global load_code_padded: - %stack (address, ctx, retdest) -> (address, ctx, load_code_padded_ctd, ctx, retdest) - %jump(load_code) - -load_code_padded_ctd: - // SEGMENT_CODE == 0. - // stack: code_size, ctx, retdest - %stack (code_size, ctx, retdest) -> (ctx, code_size, 0, retdest, code_size) - ADD - // stack: addr, 0, retdest, code_size - MSTORE_32BYTES_32 - // stack: addr', retdest, code_size - PUSH 0 - MSTORE_GENERAL - // stack: retdest, code_size - JUMP diff --git a/evm/src/cpu/kernel/asm/balance.asm b/evm/src/cpu/kernel/asm/balance.asm deleted file mode 100644 index d39f660630..0000000000 --- a/evm/src/cpu/kernel/asm/balance.asm +++ /dev/null @@ -1,56 +0,0 @@ -global sys_balance: - // stack: kexit_info, address - SWAP1 %u256_to_addr - // stack: address, kexit_info - SWAP1 - DUP2 %insert_accessed_addresses - // stack: cold_access, kexit_info, address - PUSH @GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS - MUL - PUSH @GAS_WARMACCESS - ADD - %charge_gas - // stack: kexit_info, address - - SWAP1 - // stack: address, kexit_info - %balance - // stack: balance, kexit_info - SWAP1 - EXIT_KERNEL - -%macro balance - %stack (address) -> (address, %%after) - %jump(balance) -%%after: -%endmacro - -global balance: - // stack: address, retdest - %mpt_read_state_trie - // stack: account_ptr, retdest - DUP1 ISZERO %jumpi(retzero) // If the account pointer is null, return 0. - %add_const(1) - // stack: balance_ptr, retdest - %mload_trie_data - // stack: balance, retdest - SWAP1 JUMP - -retzero: - %stack (account_ptr, retdest) -> (retdest, 0) - JUMP - -global sys_selfbalance: - // stack: kexit_info - %charge_gas_const(@GAS_LOW) - %selfbalance - // stack: balance, kexit_info - SWAP1 - EXIT_KERNEL - -%macro selfbalance - PUSH %%after - %address - %jump(balance) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/bignum/add.asm b/evm/src/cpu/kernel/asm/bignum/add.asm deleted file mode 100644 index 4433ab2245..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/add.asm +++ /dev/null @@ -1,73 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Adds two bignums of the same given length. Assumes that len > 0. -// Replaces a with a + b, leaving b unchanged, and returns the final carry. -global add_bignum: - // stack: len, a_start_loc, b_start_loc, retdest - DUP1 - ISZERO - %jumpi(len_zero) - // stack: len, a_start_loc, b_start_loc, retdest - %build_current_general_address_no_offset - PUSH 0 - // stack: carry=0, base_addr, i=len, a_cur_loc=a_start_loc, b_cur_loc=b_start_loc, retdest -add_loop: - // stack: carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - DUP2 - // stack: base_addr, carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - DUP6 ADD // base_addr + b_cur_loc - MLOAD_GENERAL - // stack: b[cur], carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - DUP3 - DUP6 ADD // base_addr + a_cur_loc - MLOAD_GENERAL - // stack: a[cur], b[cur], carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - ADD - ADD - // stack: a[cur] + b[cur] + carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - DUP1 - // stack: a[cur] + b[cur] + carry, a[cur] + b[cur] + carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - %shr_const(128) - // stack: (a[cur] + b[cur] + carry) // 2^128, a[cur] + b[cur] + carry, base_addr, i, a_cur_loc, b_cur_loc, retdest - SWAP1 - // stack: a[cur] + b[cur] + carry, (a[cur] + b[cur] + carry) // 2^128, base_addr, i, a_cur_loc, b_cur_loc, retdest - %mod_const(0x100000000000000000000000000000000) - // stack: c[cur] = (a[cur] + b[cur] + carry) % 2^128, carry_new = (a[cur] + b[cur] + carry) // 2^128, base_addr, i, a_cur_loc, b_cur_loc, retdest - DUP3 - DUP6 - ADD // base_addr + a_cur_loc - // stack: a_cur_addr, c[cur], carry_new, base_addr, i, a_cur_loc, b_cur_loc, retdest - %swap_mstore - // stack: carry_new, base_addr, i, a_cur_loc, b_cur_loc, retdest - SWAP3 - %increment - SWAP3 - // stack: carry_new, base_addr, i, a_cur_loc + 1, b_cur_loc, retdest - SWAP4 - %increment - SWAP4 - // stack: carry_new, base_addr, i, a_cur_loc + 1, b_cur_loc + 1, retdest - SWAP2 - %decrement - SWAP2 - // stack: carry_new, base_addr, i - 1, a_cur_loc + 1, b_cur_loc + 1, retdest - DUP3 - // stack: i - 1, carry_new, base_addr, i - 1, a_cur_loc + 1, b_cur_loc + 1, retdest - %jumpi(add_loop) -add_end: - // stack: carry_new, base_addr, i - 1, a_cur_loc + 1, b_cur_loc + 1, retdest - %stack (c, addr, i, a, b) -> (c) - // stack: carry_new, retdest - SWAP1 - // stack: retdest, carry_new - JUMP - -len_zero: - // stack: len, a_start_loc, b_start_loc, retdest - %pop3 - // stack: retdest - PUSH 0 - // stack: carry=0, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/addmul.asm b/evm/src/cpu/kernel/asm/bignum/addmul.asm deleted file mode 100644 index 9cdf904e1f..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/addmul.asm +++ /dev/null @@ -1,116 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Sets a[0:len] += b[0:len] * val, and returns the carry (a limb of up to 128 bits). -global addmul_bignum: - // stack: len, a_start_loc, b_start_loc, val, retdest - DUP1 - // stack: len, len, a_start_loc, b_start_loc, val, retdest - ISZERO - %jumpi(len_zero) - %build_current_general_address_no_offset - PUSH 0 - // stack: carry_limb=0, base_addr, i=len, a_cur_loc=a_start_loc, b_cur_loc=b_start_loc, val, retdest -addmul_loop: - // stack: carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP2 - DUP6 ADD // base_addr + b_cur_loc - // stack: b_cur_addr, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - MLOAD_GENERAL - // stack: b[cur], carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP7 - // stack: val, b[cur], carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - MUL - // stack: val * b[cur], carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP1 - // stack: val * b[cur], val * b[cur], carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - %shr_const(128) - // stack: (val * b[cur]) // 2^128, val * b[cur], carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP1 - // stack: val * b[cur], (val * b[cur]) // 2^128, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - %shl_const(128) - %shr_const(128) - // stack: prod_lo = val * b[cur] % 2^128, prod_hi = (val * b[cur]) // 2^128, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP4 - DUP7 ADD // base_addr + a_cur_loc - // stack: a_cur_addr, prod_lo, prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - MLOAD_GENERAL - // stack: a[cur], prod_lo, prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP1 - // stack: a[cur], a[cur], prod_lo, prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP2 - // stack: prod_lo, a[cur], a[cur], prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - ADD - %shl_const(128) - %shr_const(128) - // stack: prod_lo' = (prod_lo + a[cur]) % 2^128, a[cur], prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP1 - // stack: prod_lo', prod_lo', a[cur], prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP2 - // stack: a[cur], prod_lo', prod_lo', prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - GT - // stack: prod_lo_carry_limb = a[cur] > prod_lo', prod_lo', prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP1 - // stack: prod_lo', prod_lo_carry_limb, prod_hi, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP2 - // stack: prod_hi, prod_lo_carry_limb, prod_lo', carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - ADD - // stack: prod_hi' = prod_hi + prod_lo_carry_limb, prod_lo', carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP3 - // stack: carry_limb, prod_hi', prod_lo', carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP3 - // stack: prod_lo', carry_limb, prod_hi', prod_lo', carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - ADD - %shl_const(128) - %shr_const(128) - // stack: to_write = (prod_lo' + carry_limb) % 2^128, prod_hi', prod_lo', carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP2 - // stack: prod_lo', prod_hi', to_write, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP3 - // stack: to_write, prod_lo', prod_hi', to_write, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - LT - // stack: carry_limb_new = to_write < prod_lo', prod_hi', to_write, carry_limb, i, a_cur_loc, b_cur_loc, val, retdest - %stack (vals: 3, c) -> (vals) - // stack: carry_limb_new, prod_hi', to_write, addr, i, a_cur_loc, b_cur_loc, val, retdest - ADD - // stack: carry_limb = carry_limb_new' + prod_hi', to_write, addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP1 - // stack: to_write, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - DUP3 - DUP6 ADD // base_addr + a_cur_loc - // stack: a_cur_addr, to_write, carry_limb, addr, i, a_cur_loc, b_cur_loc, val, retdest - %swap_mstore - // stack: carry_limb, base_addr, i, a_cur_loc, b_cur_loc, val, retdest - SWAP2 - // stack: i, base_addr, carry_limb, a_cur_loc, b_cur_loc, val, retdest - %decrement - // stack: i-1, base_addr, carry_limb, a_cur_loc, b_cur_loc, val, retdest - SWAP3 - // stack: a_cur_loc, base_addr, carry_limb, i-1, b_cur_loc, val, retdest - %increment - // stack: a_cur_loc+1, base_addr, carry_limb, i-1, b_cur_loc, val, retdest - SWAP4 - // stack: b_cur_loc, base_addr, carry_limb, i-1, a_cur_loc+1, val, retdest - %increment - // stack: b_cur_loc+1, base_addr, carry_limb, i-1, a_cur_loc+1, val, retdest - %stack (b, addr, c, i, a) -> (c, addr, i, a, b) - // stack: carry_limb, base_addr, i-1, a_cur_loc+1, b_cur_loc+1, val, retdest - DUP3 - // stack: i-1, carry_limb, base_addr, i-1, a_cur_loc+1, b_cur_loc+1, val, retdest - %jumpi(addmul_loop) -addmul_end: - // stack: carry_limb_new, base_addr, i-1, a_cur_loc+1, b_cur_loc+1, val, retdest - %stack (c, addr, i, a, b, v) -> (c) - // stack: carry_limb_new, retdest - SWAP1 - // stack: retdest, carry_limb_new - JUMP - -len_zero: - // stack: len, a_start_loc, b_start_loc, val, retdest - %pop4 - // stack: retdest - PUSH 0 - // stack: carry_limb=0, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/cmp.asm b/evm/src/cpu/kernel/asm/bignum/cmp.asm deleted file mode 100644 index c27687542e..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/cmp.asm +++ /dev/null @@ -1,93 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Compares two bignums of the same given length. Assumes that len > 0. -// Returns 1 if a > b, 0 if a == b, and -1 (that is, 2^256 - 1) if a < b. -global cmp_bignum: - // stack: len, a_start_loc, b_start_loc, retdest - %build_current_general_address_no_offset - // stack: base_addr, len, a_start_loc, b_start_loc, retdest - DUP2 - // stack: len, base_addr, len, a_start_loc, b_start_loc, retdest - ISZERO - %jumpi(equal) // len and base_addr are swapped, but they will be popped anyway - // stack: base_addr, len, a_start_loc, b_start_loc, retdest - SWAP2 - // stack: a_start_loc, len, base_addr, b_start_loc, retdest - PUSH 1 - DUP3 - SUB - // stack: len-1, a_start_loc, len, base_addr, b_start_loc, retdest - ADD - // stack: a_end_loc, len, base_addr, b_start_loc, retdest - SWAP3 - // stack: b_start_loc, len, base_addr, a_end_loc, retdest - PUSH 1 - DUP3 - SUB - // stack: len-1, b_start_loc, len, base_addr, a_end_loc, retdest - ADD - // stack: b_end_loc, len, base_addr, a_end_loc, retdest - - %stack (b, l, addr, a) -> (l, addr, a, b) - // stack: len, base_addr, a_end_loc, b_end_loc, retdest - %decrement -ge_loop: - // stack: i, base_addr, a_i_loc, b_i_loc, retdest - DUP4 - // stack: b_i_loc, i, base_addr, a_i_loc, b_i_loc, retdest - DUP3 ADD // b_i_addr - MLOAD_GENERAL - // stack: b[i], i, base_addr, a_i_loc, b_i_loc, retdest - DUP4 - // stack: a_i_loc, b[i], i, base_addr, a_i_loc, b_i_loc, retdest - DUP4 ADD // a_i_addr - MLOAD_GENERAL - // stack: a[i], b[i], i, base_addr, a_i_loc, b_i_loc, retdest - %stack (vals: 2) -> (vals, vals) - GT - %jumpi(greater) - // stack: a[i], b[i], i, base_addr, a_i_loc, b_i_loc, retdest - LT - %jumpi(less) - // stack: i, base_addr, a_i_loc, b_i_loc, retdest - DUP1 - ISZERO - %jumpi(equal) - %decrement - // stack: i-1, base_addr, a_i_loc, b_i_loc, retdest - SWAP2 - // stack: a_i_loc, base_addr, i-1, b_i_loc, retdest - %decrement - // stack: a_i_loc_new, base_addr, i-1, b_i_loc, retdest - SWAP3 - // stack: b_i_loc, base_addr, i-1, a_i_loc_new, retdest - %decrement - // stack: b_i_loc_new, base_addr, i-1, a_i_loc_new, retdest - %stack (b, addr, i, a) -> (i, addr, a, b) - // stack: i-1, base_addr, a_i_loc_new, b_i_loc_new, retdest - %jump(ge_loop) -equal: - // stack: i, base_addr, a_i_loc, b_i_loc, retdest - %pop4 - // stack: retdest - PUSH 0 - // stack: 0, retdest - SWAP1 - JUMP -greater: - // stack: a[i], b[i], i, base_addr, a_i_loc, b_i_loc, retdest - %pop6 - // stack: retdest - PUSH 1 - // stack: 1, retdest - SWAP1 - JUMP -less: - // stack: i, base_addr, a_i_loc, b_i_loc, retdest - %pop4 - // stack: retdest - PUSH 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff - // stack: -1, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/isone.asm b/evm/src/cpu/kernel/asm/bignum/isone.asm deleted file mode 100644 index 7aaf32f451..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/isone.asm +++ /dev/null @@ -1,35 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -global isone_bignum: - // stack: len, start_loc, retdest - DUP1 - // stack: len, len, start_loc, retdest - ISZERO - %jumpi(eqzero) - // stack: len, start_loc, retdest - DUP2 - // stack: start_loc, len, start_loc, retdest - %mload_current_general - // stack: start_val, len, start_loc, retdest - %eq_const(1) - %jumpi(starts_with_one) - // Does not start with one, so not equal to one. - // stack: len, start_loc, retdest - %stack (vals: 2, retdest) -> (retdest, 0) - JUMP -eqzero: - // Is zero, so not equal to one. - // stack: cur_loc, end_loc, retdest - %stack (vals: 2, retdest) -> (retdest, 0) - // stack: retdest, 0 - JUMP -starts_with_one: - // Starts with one, so check that the remaining limbs are zero. - // stack: len, start_loc, retdest - %decrement - SWAP1 - %increment - SWAP1 - // stack: len-1, start_loc+1, retdest - %jump(iszero_bignum) diff --git a/evm/src/cpu/kernel/asm/bignum/iszero.asm b/evm/src/cpu/kernel/asm/bignum/iszero.asm deleted file mode 100644 index a6027b6116..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/iszero.asm +++ /dev/null @@ -1,40 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -global iszero_bignum: - // stack: len, start_loc, retdest - DUP1 - // stack: len, len, start_loc, retdest - ISZERO - %jumpi(eqzero) - DUP2 - // stack: start_loc, len, start_loc, retdest - ADD - // stack: end_loc, start_loc, retdest - SWAP1 - // stack: cur_loc=start_loc, end_loc, retdest -iszero_loop: - // stack: cur_loc, end_loc, retdest - DUP1 - // stack: cur_loc, cur_loc, end_loc, retdest - %mload_current_general - // stack: cur_val, cur_loc, end_loc, retdest - %jumpi(neqzero) - // stack: cur_loc, end_loc, retdest - %increment - // stack: cur_loc + 1, end_loc, retdest - %stack (vals: 2) -> (vals, vals) - // stack: cur_loc + 1, end_loc, cur_loc + 1, end_loc, retdest - EQ - %jumpi(eqzero) - %jump(iszero_loop) -neqzero: - // stack: cur_loc, end_loc, retdest - %stack (vals: 2, retdest) -> (retdest, 0) - // stack: retdest, 0 - JUMP -eqzero: - // stack: cur_loc, end_loc, retdest - %stack (vals: 2, retdest) -> (retdest, 1) - // stack: retdest, 1 - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/modexp.asm b/evm/src/cpu/kernel/asm/bignum/modexp.asm deleted file mode 100644 index f149e54dfc..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/modexp.asm +++ /dev/null @@ -1,192 +0,0 @@ -// Arithmetic on integers represented with 128-bit limbs. -// These integers are represented in LITTLE-ENDIAN form. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Stores b ^ e % m in output_loc, leaving b, e, and m unchanged. -// b, e, and m must have the same length. -// output_loc must have size length and be initialized with zeroes; scratch_1 must have size length. -// All of scratch_2..scratch_5 must have size 2 * length and be initialized with zeroes. -// Also, scratch_2..scratch_5 must be CONSECUTIVE in memory. -global modexp_bignum: - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // Special input cases: - - // (1) Modulus is zero (also covers len=0 case). - PUSH modulus_zero_return - // stack: modulus_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP5 - // stack: m_loc, modulus_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP3 - // stack: len, m_loc, modulus_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(iszero_bignum) -modulus_zero_return: - // stack: m==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jumpi(modulus_zero_or_one) - - // (2) Modulus is one. - PUSH modulus_one_return - // stack: modulus_one_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP5 - // stack: m_loc, modulus_one_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP3 - // stack: len, m_loc, modulus_one_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(isone_bignum) -modulus_one_return: - // stack: m==1, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jumpi(modulus_zero_or_one) - - // (3) Both b and e are zero. - PUSH b_zero_return - // stack: b_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP3 - // stack: b_loc, b_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP3 - // stack: len, b_loc, b_zero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(iszero_bignum) -b_zero_return: - // stack: b==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - PUSH e_zero_return - // stack: e_zero_return, b==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP5 - // stack: e_loc, e_zero_return, b==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - DUP4 - // stack: len, e_loc, e_zero_return, b==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(iszero_bignum) -e_zero_return: - // stack: e==0, b==0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - MUL // logical AND - %jumpi(b_and_e_zero) - - // End of special cases. - - // We store the repeated-squares accumulator x_i in scratch_1, starting with x_0 := b. - DUP1 - DUP3 - DUP8 - // stack: s1, b_loc, len, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %memcpy_current_general - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // We store the accumulated output value x_i in output_loc, starting with x_0=1. - PUSH 1 - DUP6 - // stack: out_loc, 1, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %mstore_current_general - -modexp_loop: - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // y := e % 2 - DUP3 - // stack: e_loc, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %mload_current_general - // stack: e_first, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %mod_const(2) - // stack: y = e_first % 2 = e % 2, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - ISZERO - // stack: y == 0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jumpi(modexp_y_0) - - // if y == 1, modular-multiply output_loc by scratch_1, using scratch_2..scratch_4 as scratch space, and store in scratch_5. - PUSH modexp_mul_return - DUP10 - DUP10 - DUP10 - DUP14 - DUP9 - DUP12 - DUP12 - DUP9 - // stack: len, out_loc, s1, m_loc, s5, s2, s3, s4, modexp_mul_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(modmul_bignum) -modexp_mul_return: - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // Copy scratch_5 to output_loc. - DUP1 - DUP11 - DUP7 - // stack: out_loc, s5, len, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %memcpy_current_general - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // Zero out scratch_2..scratch_5. - DUP1 - %mul_const(8) - DUP8 - // stack: s2, 8 * len, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %clear_current_general - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - -modexp_y_0: - // if y == 0, do nothing - - // Modular-square repeated-squares accumulator x_i (in scratch_1), using scratch_2..scratch_4 as scratch space, and store in scratch_5. - PUSH modexp_square_return - DUP10 - DUP10 - DUP10 - DUP14 - DUP9 - DUP12 - DUP1 - DUP9 - // stack: len, s1, s1, m_loc, s5, s2, s3, s4, modexp_square_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(modmul_bignum) - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - -modexp_square_return: - // Copy scratch_5 to scratch_1. - DUP1 - DUP11 - DUP8 - // stack: s1, s5, len, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %memcpy_current_general - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // Zero out scratch_2..scratch_5. - DUP1 - %mul_const(8) - DUP8 - // stack: s2, 8 * len, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %clear_current_general - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // e //= 2 (with shr_bignum) - - PUSH modexp_shr_return - DUP4 - DUP3 - // stack: len, e_loc, modexp_shr_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(shr_bignum) -modexp_shr_return: - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - - // check if e == 0 (with iszero_bignum) - PUSH modexp_iszero_return - DUP4 - DUP3 - // stack: len, e_loc, modexp_iszero_return, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jump(iszero_bignum) -modexp_iszero_return: - // stack: e == 0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - ISZERO - // stack: e != 0, len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %jumpi(modexp_loop) -// end of modexp_loop -modulus_zero_or_one: - // If modulus is zero or one, return 0. - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - %pop10 - // stack: retdest - JUMP -b_and_e_zero: - // If base and exponent are zero (and modulus > 1), return 1. - // stack: len, b_loc, e_loc, m_loc, out_loc, s1, s2, s3, s4, s5, retdest - PUSH 1 - DUP6 - %mstore_current_general - %pop10 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/modmul.asm b/evm/src/cpu/kernel/asm/bignum/modmul.asm deleted file mode 100644 index 9735f6108d..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/modmul.asm +++ /dev/null @@ -1,178 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Stores a * b % m in output_loc, leaving a, b, and m unchanged. -// a, b, and m must have the same length. -// output_loc must have size length; scratch_2 must have size 2*length. -// Both scratch_2 and scratch_3 have size 2*length and be initialized with zeroes. - -// The prover provides x := (a * b) % m, which is the output of this function. -// We first check that x < m. -// The prover also provides k := (a * b) / m, stored in scratch space. -// We then check that x + k * m = a * b, by computing both of those using -// bignum arithmetic, storing the results in scratch space. -// We assert equality between those two, limb by limb. -global modmul_bignum: - // stack: len, a_loc, b_loc, m_loc, out_loc, s1 (=scratch_1), s2, s3, retdest - DUP1 - ISZERO - %jumpi(len_zero) - - // STEP 1: - // The prover provides x := (a * b) % m, which we store in output_loc. - - %build_current_general_address_no_offset - - PUSH 0 - // stack: i=0, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest -modmul_remainder_loop: - // stack: i, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - PROVER_INPUT(bignum_modmul) - // stack: PI, i, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - DUP8 - DUP3 - ADD - // stack: out_loc[i], PI, i, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - DUP4 ADD // out_addr_i - %swap_mstore - // stack: i, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %increment - DUP3 - DUP2 - // stack: i+1, len, i+1, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - SUB // functions as NEQ - // stack: i+1!=len, i+1, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %jumpi(modmul_remainder_loop) -// end of modmul_remainder_loop - // stack: i, base_addr, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %pop2 - // stack: len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - - // stack: len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - - // STEP 2: - // We check that x < m. - - PUSH modmul_return_1 - DUP6 - DUP6 - DUP4 - // stack: len, m_loc, out_loc, modmul_return_1, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - // Should return 1 iff the value at m_loc > the value at out_loc; in other words, if x < m. - %jump(cmp_bignum) -modmul_return_1: - // stack: cmp_result, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - PUSH 1 - %assert_eq - - // STEP 3: - // The prover provides k := (a * b) / m, which we store in scratch_1. - - // stack: len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - DUP1 - // stack: len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %mul_const(2) - // stack: 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - - %build_current_general_address_no_offset - - PUSH 0 - // stack: i=0, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest -modmul_quotient_loop: - // stack: i, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - PROVER_INPUT(bignum_modmul) - // stack: PI, i, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - DUP10 - DUP3 - ADD - // stack: s1[i], PI, i, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - DUP4 ADD // s1_addr_i - %swap_mstore - // stack: i, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %increment - DUP3 - DUP2 - // stack: i+1, 2*len, i+1, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - SUB // functions as NEQ - // stack: i+1!=2*len, i+1, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %jumpi(modmul_quotient_loop) -// end of modmul_quotient_loop - // stack: i, base_addr, 2*len, len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %pop3 - // stack: len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - - // STEP 4: - // We calculate x + k * m. - - // STEP 4.1: - // Multiply k with m and store k * m in scratch_2. - PUSH modmul_return_2 - %stack (return, len, a, b, m, out, s1, s2) -> (len, s1, m, s2, return, len, a, b, out, s2) - // stack: len, s1, m_loc, s2, modmul_return_2, len, a_loc, b_loc, out_loc, s2, s3, retdest - %jump(mul_bignum) -modmul_return_2: - // stack: len, a_loc, b_loc, out_loc, s2, s3, retdest - - // STEP 4.2: - // Add x into k * m (in scratch_2). - PUSH modmul_return_3 - %stack (return, len, a, b, out, s2) -> (len, s2, out, return, len, a, b, s2) - // stack: len, s2, out_loc, modmul_return_3, len, a_loc, b_loc, s2, s3, retdest - %jump(add_bignum) -modmul_return_3: - // stack: carry, len, a_loc, b_loc, s2, s3, retdest - POP - // stack: len, a_loc, b_loc, s2, s3, retdest - - // STEP 5: - // We calculate a * b. - - // Multiply a with b and store a * b in scratch_3. - PUSH modmul_return_4 - %stack (return, len, a, b, s2, s3) -> (len, a, b, s3, return, len, s2, s3) - // stack: len, a_loc, b_loc, s3, modmul_return_4, len, s2, s3, retdest - %jump(mul_bignum) -modmul_return_4: - // stack: len, s2, s3, retdest - - // STEP 6: - // Check that x + k * m = a * b. - - %build_current_general_address_no_offset - // stack: base_addr, n=len, i=s2, j=s3, retdest -modmul_check_loop: - // stack: base_addr, n, i, j, retdest - %stack (addr, l, i, j) -> (j, i, addr, addr, l, i, j) - // stack: j, i, base_addr, base_addr, n, i, j, retdest - DUP3 ADD // addr_j - MLOAD_GENERAL - // stack: mem[j], i, base_addr, base_addr, n, i, j, retdest - SWAP2 - ADD // addr_i - MLOAD_GENERAL - // stack: mem[i], mem[j], base_addr, n, i, j, retdest - %assert_eq - // stack: base_addr, n, i, j, retdest - SWAP1 - %decrement - // stack: n-1, base_addr, i, j, retdest - SWAP2 - %increment - // stack: i+1, base_addr, n-1, j, retdest - SWAP3 - %increment - // stack: j+1, base_addr, n-1, i+1, retdest - %stack (j, addr, n, i) -> (n, addr, n, i, j) - // stack: n-1, base_addr, n-1, i+1, j+1, retdest - %jumpi(modmul_check_loop) -// end of modmul_check_loop - // stack: base_addr, n-1, i+1, j+1, retdest - %pop4 - // stack: retdest - JUMP - -len_zero: - // stack: len, a_loc, b_loc, m_loc, out_loc, s1, s2, s3, retdest - %pop8 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/mul.asm b/evm/src/cpu/kernel/asm/bignum/mul.asm deleted file mode 100644 index b3269f73a9..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/mul.asm +++ /dev/null @@ -1,70 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Stores a * b in output_loc, leaving a and b unchanged. -// Both a and b have length len; a * b will have length 2 * len. -// output_loc must be initialized as 2 * len zeroes. -// TODO: possible optimization: allow output_loc to be uninitialized, and write over it with a[0:len] * b[0] (a multiplication -// with carry) in place of the first addmul. -global mul_bignum: - // stack: len, a_start_loc, b_start_loc, output_loc, retdest - DUP1 - // stack: len, len, a_start_loc, b_start_loc, output_loc, retdest - ISZERO - %jumpi(len_zero) - - %build_current_general_address_no_offset - - DUP2 - // stack: n=len, base_addr, len, a_start_loc, bi=b_start_loc, output_cur=output_loc, retdest -mul_loop: - // stack: n, base_addr, len, a_start_loc, bi, output_cur, retdest - PUSH mul_addmul_return - // stack: mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP6 - // stack: bi, mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP4 ADD // bi_addr - MLOAD_GENERAL - // stack: b[i], mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP6 - // stack: a_start_loc, b[i], mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP9 - // stack: output_loc, a_start_loc, b[i], mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP7 - // stack: len, output_loc, a_start_loc, b[i], mul_addmul_return, n, base_addr, len, a_start_loc, bi, output_cur, retdest - %jump(addmul_bignum) -mul_addmul_return: - // stack: carry_limb, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP7 - // stack: output_cur, carry_limb, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP5 - // stack: len, output_cur, carry_limb, n, base_addr, len, a_start_loc, bi, output_cur, retdest - ADD - // stack: output_cur + len, carry_limb, n, base_addr, len, a_start_loc, bi, output_cur, retdest - DUP4 ADD - %swap_mstore - // stack: n, base_addr, len, a_start_loc, bi, output_cur, retdest - %decrement - // stack: n-1, base_addr, len, a_start_loc, bi, output_cur, retdest - SWAP4 - %increment - SWAP4 - // stack: n-1, base_addr, len, a_start_loc, bi+1, output_cur, retdest - SWAP5 - %increment - SWAP5 - // stack: n-1, base_addr, len, a_start_loc, bi+1, output_cur+1, retdest - DUP1 - // stack: n-1, n-1, base_addr, len, a_start_loc, bi+1, output_cur+1, retdest - %jumpi(mul_loop) -mul_end: - // stack: n-1, base_addr, len, a_start_loc, bi+1, output_cur+1, retdest - %pop6 - // stack: retdest - JUMP - -len_zero: - // stack: len, a_start_loc, b_start_loc, output_loc, retdest - %pop4 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/shr.asm b/evm/src/cpu/kernel/asm/bignum/shr.asm deleted file mode 100644 index 88d08f05f2..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/shr.asm +++ /dev/null @@ -1,74 +0,0 @@ -// Arithmetic on little-endian integers represented with 128-bit limbs. -// All integers must be under a given length bound, and are padded with leading zeroes. - -// Shifts a given bignum right by one bit (in place). -// Assumes that len > 0. -global shr_bignum: - // stack: len, start_loc, retdest - DUP1 - // stack: len, len, start_loc, retdest - ISZERO - %jumpi(len_zero) - // stack: len, start_loc, retdest - DUP2 - // stack: start_loc, len, start_loc, retdest - ADD - // stack: start_loc + len, start_loc, retdest - %decrement - // stack: end_loc, start_loc, retdest - - %build_current_general_address_no_offset - - // stack: base_addr, end_loc, start_loc, retdest - %stack (addr, e) -> (e, addr, 0) - // stack: i=end_loc, base_addr, carry=0, start_loc, retdest -shr_loop: - // stack: i, base_addr, carry, start_loc, retdest - DUP1 - // stack: i, i, base_addr, carry, start_loc, retdest - DUP3 ADD // addr_i - MLOAD_GENERAL - // stack: a[i], i, base_addr, carry, start_loc, retdest - DUP1 - // stack: a[i], a[i], i, base_addr, carry, start_loc, retdest - %shr_const(1) - // stack: a[i] >> 1, a[i], i, base_addr, carry, start_loc, retdest - SWAP1 - // stack: a[i], a[i] >> 1, i, base_addr, carry, start_loc, retdest - %mod_const(2) - // stack: new_carry = a[i] % 2, a[i] >> 1, i, base_addr, carry, start_loc, retdest - SWAP4 - // stack: carry, a[i] >> 1, i, base_addr, new_carry, start_loc, retdest - %shl_const(127) - // stack: carry << 127, a[i] >> 1, i, base_addr, new_carry, start_loc, retdest - ADD - // stack: carry << 127 | a[i] >> 1, i, base_addr, new_carry, start_loc, retdest - DUP2 - // stack: i, carry << 127 | a[i] >> 1, i, base_addr, new_carry, start_loc, retdest - DUP4 ADD // addr_i - %swap_mstore - // stack: i, base_addr, new_carry, start_loc, retdest - PUSH 1 - DUP2 - SUB - // stack: i-1, i, base_addr, new_carry, start_loc, retdest - SWAP1 - // stack: i, i-1, base_addr, new_carry, start_loc, retdest - DUP5 - // stack: start_loc, i, i-1, base_addr, new_carry, start_loc, retdest - EQ - // stack: i == start_loc, i-1, base_addr, new_carry, start_loc, retdest - ISZERO - // stack: i != start_loc, i-1, base_addr, new_carry, start_loc, retdest - %jumpi(shr_loop) -shr_end: - // stack: i, base_addr, new_carry, start_loc, retdest - %pop4 - // stack: retdest - JUMP - -len_zero: - // stack: len, start_loc, retdest - %pop2 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/bignum/util.asm b/evm/src/cpu/kernel/asm/bignum/util.asm deleted file mode 100644 index f0a1563450..0000000000 --- a/evm/src/cpu/kernel/asm/bignum/util.asm +++ /dev/null @@ -1,21 +0,0 @@ -%macro memcpy_current_general - // stack: dst, src, len - // DST and SRC are offsets, for the same memory segment - %build_current_general_address_no_offset - %stack (addr_no_offset, dst, src, len) -> (addr_no_offset, src, addr_no_offset, dst, len, %%after) - ADD - // stack: SRC, addr_no_offset, dst, len, %%after - SWAP2 - ADD - // stack: DST, SRC, len, %%after - %jump(memcpy) -%%after: -%endmacro - -%macro clear_current_general - // stack: dst, len - %build_current_general_address - %stack (DST, len) -> (DST, len, %%after) - %jump(memset) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/bloom_filter.asm b/evm/src/cpu/kernel/asm/bloom_filter.asm deleted file mode 100644 index 35a4ebd763..0000000000 --- a/evm/src/cpu/kernel/asm/bloom_filter.asm +++ /dev/null @@ -1,166 +0,0 @@ -/// Implementation of Bloom filters for logs. - -// Adds a Bloom entry to the transaction Bloom filter and the block Bloom filter. -// -// This is calculated by taking the least significant 11 bits from -// the first 3 16-bit bytes of the keccak_256 hash of bloom_entry. -add_to_bloom: - // stack: is_topic, bloom_entry, retdest - %compute_entry_hash - // stack: hash, retdest - DUP1 - // stack: hash, hash, retdest - %shr_const(240) - // stack: hahs_shft_240, hash, retdest - %bloom_byte_indices - // stack: byte_index, byte_bit_index, hash, retdest - %bloom_write_bit - // stack: hash, retdest - - // We shift the hash by 16 bits and repeat. - DUP1 %shr_const(224) - // stack: hash_shft_224, hash, retdest - %bloom_byte_indices - // stack: byte_index, byte_bit_index, hash, retdest - %bloom_write_bit - // stack: hash, retdest - - // We shift again the hash by 16 bits and repeat. - %shr_const(208) - // stack: hash_shft_208, retdest - %bloom_byte_indices - // stack: byte_index, byte_bit_index, retdest - %bloom_write_bit - // stack: retdest - JUMP - -// The LOGS segment is [log0_ptr, log1_ptr...]. logs_len is a global metadata for the number of logs. -// A log in the LOGS_DATA segment is [log_payload_len, address, num_topics, [topics], data_len, [data]]. -global logs_bloom: - // stack: retdest - %mload_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - // stack: logs_len, retdest - PUSH 0 - -logs_bloom_loop: - // stack: i, logs_len, retdest - DUP2 DUP2 EQ - // stack: i == logs_len, i, logs_len, retdest - %jumpi(logs_bloom_end) - // stack: i, logs_len, retdest - DUP1 - %mload_kernel(@SEGMENT_LOGS) - // stack: log_payload_len_ptr, i, logs_len, retdest - - // Add address to bloom filter. - %increment - // stack: addr_ptr, i, logs_len, retdest - PUSH @SEGMENT_LOGS_DATA %build_kernel_address - DUP1 - MLOAD_GENERAL - // stack: addr, full_addr_ptr, i, logs_len, retdest - PUSH 0 - // stack: is_topic, addr, full_addr_ptr, i, logs_len, retdest - %add_to_bloom - // stack: full_addr_ptr, i, logs_len, retdest - %increment - // stack: full_num_topics_ptr, i, logs_len, retdest - DUP1 - MLOAD_GENERAL - // stack: num_topics, full_num_topics_ptr, i, logs_len, retdest - SWAP1 %increment - // stack: full_topics_ptr, num_topics, i, logs_len, retdest - PUSH 0 - -logs_bloom_topic_loop: - // stack: j, topics_ptr, num_topics, i, logs_len, retdest - DUP3 DUP2 EQ - // stack: j == num_topics, j, topics_ptr, num_topics, i, logs_len, retdest - %jumpi(logs_bloom_topic_end) - DUP2 DUP2 ADD - // stack: curr_topic_ptr, j, topics_ptr, num_topics, i, logs_len, retdest - MLOAD_GENERAL - // stack: topic, j, topics_ptr, num_topics, i, logs_len, retdest - PUSH 1 - // stack: is_topic, topic, j, topics_ptr, num_topics, i, logs_len, retdest - %add_to_bloom - // stack: j, topics_ptr, num_topics, i, logs_len, retdest - %increment - %jump(logs_bloom_topic_loop) - -logs_bloom_topic_end: - // stack: num_topics, topics_ptr, num_topics, i, logs_len, retdest - %pop3 - %increment - %jump(logs_bloom_loop) - -logs_bloom_end: - // stack: logs_len, logs_len, retdest - %pop2 - JUMP - -%macro compute_entry_hash - // stack: is_topic, bloom_entry - ISZERO - %jumpi(%%compute_entry_hash_address) - // stack: bloom_entry - %keccak256_word(32) - // stack: topic_hash - %jump(%%after) - -%%compute_entry_hash_address: - // stack: bloom_entry - %keccak256_word(20) - // stack: address_hash - -%%after: -%endmacro - -%macro add_to_bloom - %stack (is_topic, bloom_entry) -> (is_topic, bloom_entry, %%after) - %jump(add_to_bloom) - -%%after: -%endmacro - -// Computes the byte index and bit index within to update the Bloom filter with. -// The hash value must be properly shifted prior calling this macro. -%macro bloom_byte_indices - // stack: hash - %and_const(0x07FF) - PUSH 0x07FF - SUB - // stack: bit_index - DUP1 - %and_const(0x7) - SWAP1 - %shr_const(0x3) - // stack: byte_index, byte_bit_index -%endmacro - - -// Updates the corresponding bloom filter byte with provided bit. -// Also updates the block bloom filter. -%macro bloom_write_bit - // stack: byte_index, byte_bit_index - PUSH @SEGMENT_TXN_BLOOM - %build_kernel_address - PUSH 1 - DUP3 - // stack: byte_bit_index, 1, byte_addr, byte_bit_index - PUSH 7 SUB - SHL - // Updates the current txn bloom filter. - SWAP2 POP DUP1 - MLOAD_GENERAL - // stack: old_bloom_byte, byte_addr, one_shifted_by_index - DUP3 OR - // stack: new_bloom_byte, byte_addr, one_shifted_by_index - MSTORE_GENERAL - // stack: one_shifted_by_index - POP - // stack: empty -%endmacro - - - diff --git a/evm/src/cpu/kernel/asm/core/access_lists.asm b/evm/src/cpu/kernel/asm/core/access_lists.asm deleted file mode 100644 index 30afe27c41..0000000000 --- a/evm/src/cpu/kernel/asm/core/access_lists.asm +++ /dev/null @@ -1,203 +0,0 @@ -/// Access lists for addresses and storage keys. -/// The access list is stored in an array. The length of the array is stored in the global metadata. -/// For storage keys, the address and key are stored as two consecutive elements. -/// The array is stored in the SEGMENT_ACCESSED_ADDRESSES segment for addresses and in the SEGMENT_ACCESSED_STORAGE_KEYS segment for storage keys. -/// Both arrays are stored in the kernel memory (context=0). -/// Searching and inserting is done by doing a linear search through the array. -/// If the address/storage key isn't found in the array, it is inserted at the end. -/// TODO: Look into using a more efficient data structure for the access lists. - -%macro insert_accessed_addresses - %stack (addr) -> (addr, %%after) - %jump(insert_accessed_addresses) -%%after: - // stack: cold_access -%endmacro - -%macro insert_accessed_addresses_no_return - %insert_accessed_addresses - POP -%endmacro - -/// Inserts the address into the access list if it is not already present. -/// Return 1 if the address was inserted, 0 if it was already present. -global insert_accessed_addresses: - // stack: addr, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN) - // stack: len, addr, retdest - PUSH @SEGMENT_ACCESSED_ADDRESSES ADD - PUSH @SEGMENT_ACCESSED_ADDRESSES -insert_accessed_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_ACCESSED_ADDRESSES - %stack (i, len, addr, retdest) -> (i, len, i, len, addr, retdest) - EQ %jumpi(insert_address) - // stack: i, len, addr, retdest - DUP1 - MLOAD_GENERAL - // stack: loaded_addr, i, len, addr, retdest - DUP4 - // stack: addr, loaded_addr, i, len, addr, retdest - EQ %jumpi(insert_accessed_addresses_found) - // stack: i, len, addr, retdest - %increment - %jump(insert_accessed_addresses_loop) - -insert_address: - %stack (i, len, addr, retdest) -> (i, addr, len, retdest) - DUP2 %journal_add_account_loaded // Add a journal entry for the loaded account. - %swap_mstore // Store new address at the end of the array. - // stack: len, retdest - %increment - %sub_const(@SEGMENT_ACCESSED_ADDRESSES) // unscale `len` - %mstore_global_metadata(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN) // Store new length. - PUSH 1 // Return 1 to indicate that the address was inserted. - SWAP1 JUMP - -insert_accessed_addresses_found: - %stack (i, len, addr, retdest) -> (retdest, 0) // Return 0 to indicate that the address was already present. - JUMP - -/// Remove the address from the access list. -/// Panics if the address is not in the access list. -global remove_accessed_addresses: - // stack: addr, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN) - // stack: len, addr, retdest - PUSH @SEGMENT_ACCESSED_ADDRESSES ADD - PUSH @SEGMENT_ACCESSED_ADDRESSES -remove_accessed_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_ACCESSED_ADDRESSES - %stack (i, len, addr, retdest) -> (i, len, i, len, addr, retdest) - EQ %jumpi(panic) - // stack: i, len, addr, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, addr, retdest - DUP4 - // stack: addr, loaded_addr, i, len, addr, retdest - EQ %jumpi(remove_accessed_addresses_found) - // stack: i, len, addr, retdest - %increment - %jump(remove_accessed_addresses_loop) -remove_accessed_addresses_found: - %stack (i, len, addr, retdest) -> (len, 1, i, retdest) - SUB // len -= 1 - PUSH @SEGMENT_ACCESSED_ADDRESSES - DUP2 SUB // unscale `len` - %mstore_global_metadata(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN) // Decrement the access list length. - // stack: len-1, i, retdest - MLOAD_GENERAL // Load the last address in the access list. - // stack: last_addr, i, retdest - MSTORE_GENERAL - // Store the last address at the position of the removed address. - JUMP - - -%macro insert_accessed_storage_keys - %stack (addr, key, value) -> (addr, key, value, %%after) - %jump(insert_accessed_storage_keys) -%%after: - // stack: cold_access, original_value -%endmacro - -/// Inserts the storage key and value into the access list if it is not already present. -/// `value` should be the current storage value at the slot `(addr, key)`. -/// Return `1, original_value` if the storage key was inserted, `0, original_value` if it was already present. -global insert_accessed_storage_keys: - // stack: addr, key, value, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN) - // stack: len, addr, key, value, retdest - PUSH @SEGMENT_ACCESSED_STORAGE_KEYS ADD - PUSH @SEGMENT_ACCESSED_STORAGE_KEYS -insert_accessed_storage_keys_loop: - // `i` and `len` are both scaled by SEGMENT_ACCESSED_STORAGE_KEYS - %stack (i, len, addr, key, value, retdest) -> (i, len, i, len, addr, key, value, retdest) - EQ %jumpi(insert_storage_key) - // stack: i, len, addr, key, value, retdest - DUP1 %increment MLOAD_GENERAL - // stack: loaded_key, i, len, addr, key, value, retdest - DUP2 MLOAD_GENERAL - // stack: loaded_addr, loaded_key, i, len, addr, key, value, retdest - DUP5 EQ - // stack: loaded_addr==addr, loaded_key, i, len, addr, key, value, retdest - SWAP1 DUP6 EQ - // stack: loaded_key==key, loaded_addr==addr, i, len, addr, key, value, retdest - MUL // AND - %jumpi(insert_accessed_storage_keys_found) - // stack: i, len, addr, key, value, retdest - %add_const(3) - %jump(insert_accessed_storage_keys_loop) - -insert_storage_key: - // stack: i, len, addr, key, value, retdest - DUP4 DUP4 %journal_add_storage_loaded // Add a journal entry for the loaded storage key. - // stack: i, len, addr, key, value, retdest - - %stack(dst, len, addr, key, value) -> (addr, dst, dst, key, dst, value, dst, @SEGMENT_ACCESSED_STORAGE_KEYS, value) - MSTORE_GENERAL // Store new address at the end of the array. - // stack: dst, key, dst, value, dst, segment, value, retdest - %increment SWAP1 - MSTORE_GENERAL // Store new key after that - // stack: dst, value, dst, segment, value, retdest - %add_const(2) SWAP1 - MSTORE_GENERAL // Store new value after that - // stack: dst, segment, value, retdest - %add_const(3) - SUB // unscale dst - %mstore_global_metadata(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN) // Store new length. - %stack (value, retdest) -> (retdest, 1, value) // Return 1 to indicate that the storage key was inserted. - JUMP - -insert_accessed_storage_keys_found: - // stack: i, len, addr, key, value, retdest - %add_const(2) - MLOAD_GENERAL - %stack (original_value, len, addr, key, value, retdest) -> (retdest, 0, original_value) // Return 0 to indicate that the storage key was already present. - JUMP - -/// Remove the storage key and its value from the access list. -/// Panics if the key is not in the list. -global remove_accessed_storage_keys: - // stack: addr, key, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN) - // stack: len, addr, key, retdest - PUSH @SEGMENT_ACCESSED_STORAGE_KEYS ADD - PUSH @SEGMENT_ACCESSED_STORAGE_KEYS -remove_accessed_storage_keys_loop: - // `i` and `len` are both scaled by SEGMENT_ACCESSED_STORAGE_KEYS - %stack (i, len, addr, key, retdest) -> (i, len, i, len, addr, key, retdest) - EQ %jumpi(panic) - // stack: i, len, addr, key, retdest - DUP1 %increment MLOAD_GENERAL - // stack: loaded_key, i, len, addr, key, retdest - DUP2 MLOAD_GENERAL - // stack: loaded_addr, loaded_key, i, len, addr, key, retdest - DUP5 EQ - // stack: loaded_addr==addr, loaded_key, i, len, addr, key, retdest - SWAP1 DUP6 EQ - // stack: loaded_key==key, loaded_addr==addr, i, len, addr, key, retdest - MUL // AND - %jumpi(remove_accessed_storage_keys_found) - // stack: i, len, addr, key, retdest - %add_const(3) - %jump(remove_accessed_storage_keys_loop) - -remove_accessed_storage_keys_found: - %stack (i, len, addr, key, retdest) -> (len, 3, i, retdest) - SUB - PUSH @SEGMENT_ACCESSED_STORAGE_KEYS - DUP2 SUB // unscale - %mstore_global_metadata(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN) // Decrease the access list length. - // stack: len-3, i, retdest - DUP1 %add_const(2) MLOAD_GENERAL - // stack: last_value, len-3, i, retdest - DUP2 %add_const(1) MLOAD_GENERAL - // stack: last_key, last_value, len-3, i, retdest - DUP3 MLOAD_GENERAL - // stack: last_addr, last_key, last_value, len-3, i, retdest - DUP5 %swap_mstore // Move the last tuple to the position of the removed tuple. - // stack: last_key, last_value, len-3, i, retdest - DUP4 %add_const(1) %swap_mstore - // stack: last_value, len-3, i, retdest - DUP3 %add_const(2) %swap_mstore - // stack: len-3, i, retdest - %pop2 JUMP diff --git a/evm/src/cpu/kernel/asm/core/call.asm b/evm/src/cpu/kernel/asm/core/call.asm deleted file mode 100644 index b5b8935471..0000000000 --- a/evm/src/cpu/kernel/asm/core/call.asm +++ /dev/null @@ -1,447 +0,0 @@ -// Handlers for call-like operations, namely CALL, CALLCODE, STATICCALL and DELEGATECALL. -// Reminder: All context metadata hardcoded offsets are already scaled by `Segment::ContextMetadata`. - -// Creates a new sub context and executes the code of the given account. -global sys_call: - // Check that the value is zero if the context is static. - // stack: kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size - DUP4 ISZERO %not_bit - // stack: value≠0, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size - %mload_context_metadata(@CTX_METADATA_STATIC) - // stack: is_static, value≠0, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size - MUL // Cheaper than AND - %jumpi(fault_exception) - - %stack (kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (args_size, args_offset, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - %stack (kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (ret_size, ret_offset, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - - SWAP2 - // stack: address, gas, kexit_info, value, args_offset, args_size, ret_offset, ret_size - %u256_to_addr // Truncate to 160 bits - DUP1 %insert_accessed_addresses - - %call_charge_gas(1, 1) - %check_depth - - %checkpoint // Checkpoint - DUP3 %insert_touched_addresses - - %create_context - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (new_ctx, args_offset, args_size, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - %copy_mem_to_calldata - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP5 DUP5 %address %transfer_eth %jumpi(call_insufficient_balance) - DUP5 DUP5 %address %journal_add_balance_transfer - DUP3 %set_new_ctx_gas_limit - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP4 - // stack: address, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %handle_precompiles - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %set_new_ctx_parent_pc(after_call_instruction) - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - // Each line in the block below does not change the stack. - %set_static - DUP4 %set_new_ctx_addr - %address %set_new_ctx_caller - DUP5 %set_new_ctx_value - DUP4 %set_new_ctx_code - - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - -> (new_ctx, kexit_info, ret_offset, ret_size) - %enter_new_ctx - -// Creates a new sub context as if calling itself, but with the code of the -// given account. In particular the storage remains the same. -global sys_callcode: - - // stack: kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size - %stack (kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (args_size, args_offset, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - %stack (kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (ret_size, ret_offset, kexit_info, gas, address, value, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - - SWAP2 - // stack: address, gas, kexit_info, value, args_offset, args_size, ret_offset, ret_size - %u256_to_addr // Truncate to 160 bits - DUP1 %insert_accessed_addresses - - %call_charge_gas(1, 0) - %check_depth - - %checkpoint // Checkpoint - %address %insert_touched_addresses - - // stack: kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %create_context - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (new_ctx, args_offset, args_size, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - %copy_mem_to_calldata - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP5 %address %address %transfer_eth %jumpi(call_insufficient_balance) - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP3 %set_new_ctx_gas_limit - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP4 - // stack: address, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %handle_precompiles - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %set_new_ctx_parent_pc(after_call_instruction) - - // Each line in the block below does not change the stack. - %set_static - %address %set_new_ctx_addr - %address %set_new_ctx_caller - DUP5 %set_new_ctx_value - DUP4 %set_new_ctx_code - - - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - -> (new_ctx, kexit_info, ret_offset, ret_size) - %enter_new_ctx - -// Creates a new sub context and executes the code of the given account. -// Equivalent to CALL, except that it does not allow any state modifying -// instructions or sending ETH in the sub context. The disallowed instructions -// are CREATE, CREATE2, LOG0, LOG1, LOG2, LOG3, LOG4, SSTORE, SELFDESTRUCT and -// CALL if the value sent is not 0. -global sys_staticcall: - // stack: kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size - %stack (kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) -> - (args_size, args_offset, kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - %stack (kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) -> - (ret_size, ret_offset, kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - - SWAP2 - // stack: address, gas, kexit_info, args_offset, args_size, ret_offset, ret_size - %u256_to_addr // Truncate to 160 bits - DUP1 %insert_accessed_addresses - - // Add a value of 0 to the stack. Slightly inefficient but that way we can reuse %call_charge_gas. - %stack (cold_access, address, gas, kexit_info) -> (cold_access, address, gas, kexit_info, 0) - %call_charge_gas(0, 1) - %check_depth - - %checkpoint // Checkpoint - DUP3 %insert_touched_addresses - - // stack: kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %create_context - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (new_ctx, args_offset, args_size, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - %copy_mem_to_calldata - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP3 %set_new_ctx_gas_limit - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP4 - // stack: address, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %handle_precompiles - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %set_new_ctx_parent_pc(after_call_instruction) - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - // Each line in the block below does not change the stack. - %set_static_true - DUP4 %set_new_ctx_addr - %address %set_new_ctx_caller - PUSH 0 %set_new_ctx_value - DUP4 %set_new_ctx_code - - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - -> (new_ctx, kexit_info, ret_offset, ret_size) - %enter_new_ctx - -// Creates a new sub context as if calling itself, but with the code of the -// given account. In particular the storage, the current sender and the current -// value remain the same. -global sys_delegatecall: - - // stack: kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size - %stack (kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) -> - (args_size, args_offset, kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - %stack (kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) -> - (ret_size, ret_offset, kexit_info, gas, address, args_offset, args_size, ret_offset, ret_size) - %checked_mem_expansion - - SWAP2 - // stack: address, gas, kexit_info, args_offset, args_size, ret_offset, ret_size - %u256_to_addr // Truncate to 160 bits - DUP1 %insert_accessed_addresses - - // Add a value of 0 to the stack. Slightly inefficient but that way we can reuse %call_charge_gas. - %stack (cold_access, address, gas, kexit_info) -> (cold_access, address, gas, kexit_info, 0) - %call_charge_gas(0, 0) - %check_depth - - %checkpoint // Checkpoint - %address %insert_touched_addresses - - // stack: kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %create_context - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (new_ctx, args_offset, args_size, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - %copy_mem_to_calldata - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP3 %set_new_ctx_gas_limit - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - DUP4 - // stack: address, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %handle_precompiles - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - %set_new_ctx_parent_pc(after_call_instruction) - // stack: new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size - - // Each line in the block below does not change the stack. - %set_static - %address %set_new_ctx_addr - %caller %set_new_ctx_caller - %callvalue %set_new_ctx_value - %set_new_ctx_parent_pc(after_call_instruction) - DUP4 %set_new_ctx_code - - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) - -> (new_ctx, kexit_info, ret_offset, ret_size) - %enter_new_ctx - -// We go here after any CALL type instruction (but not after the special call by the transaction originator). -global after_call_instruction: - // stack: success, leftover_gas, new_ctx, kexit_info, ret_offset, ret_size - DUP1 ISZERO %jumpi(after_call_instruction_failed) - %pop_checkpoint -after_call_instruction_contd: - SWAP3 - // stack: kexit_info, leftover_gas, new_ctx, success, ret_offset, ret_size - // Add the leftover gas into the appropriate bits of kexit_info. - SWAP1 %shl_const(192) SWAP1 SUB - // stack: kexit_info, new_ctx, success, ret_offset, ret_size - - // The callee's terminal instruction will have populated RETURNDATA. - %copy_returndata_to_mem - EXIT_KERNEL - -after_call_instruction_failed: - // stack: success, leftover_gas, new_ctx, kexit_info, ret_offset, ret_size - %revert_checkpoint - %jump(after_call_instruction_contd) - -call_insufficient_balance: - %stack (new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (callgas, kexit_info, 0) - %shl_const(192) SWAP1 SUB - // stack: kexit_info', 0 - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - EXIT_KERNEL - -%macro check_depth - %call_depth - %gt_const(@CALL_STACK_LIMIT) - %jumpi(call_too_deep) -%endmacro - -call_too_deep: - %stack (kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (callgas, kexit_info, 0) - %shl_const(192) SWAP1 SUB - // stack: kexit_info', 0 - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - EXIT_KERNEL - -// Set @CTX_METADATA_STATIC to 1. Note that there is no corresponding set_static_false routine -// because it will already be 0 by default. -%macro set_static_true - // stack: new_ctx - DUP1 - %build_address_with_ctx_no_segment(@CTX_METADATA_STATIC) - PUSH 1 - // stack: 1, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -// Set @CTX_METADATA_STATIC of the next context to the current value. -%macro set_static - // stack: new_ctx - DUP1 - %build_address_with_ctx_no_segment(@CTX_METADATA_STATIC) - %mload_context_metadata(@CTX_METADATA_STATIC) - // stack: is_static, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_addr - // stack: called_addr, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_ADDRESS) - SWAP1 - // stack: called_addr, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_caller - // stack: sender, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_CALLER) - SWAP1 - // stack: sender, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_value - // stack: value, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_CALL_VALUE) - SWAP1 - // stack: value, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_code_size - // stack: code_size, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_CODE_SIZE) - SWAP1 - // stack: code_size, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_calldata_size - // stack: calldata_size, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_CALLDATA_SIZE) - SWAP1 - // stack: calldata_size, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_gas_limit - // stack: gas_limit, new_ctx - DUP2 - %build_address_with_ctx_no_segment(@CTX_METADATA_GAS_LIMIT) - SWAP1 - // stack: gas_limit, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_parent_ctx - // stack: new_ctx - DUP1 - %build_address_with_ctx_no_segment(@CTX_METADATA_PARENT_CONTEXT) - GET_CONTEXT - // stack: ctx, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_parent_pc(label) - // stack: new_ctx - DUP1 - %build_address_with_ctx_no_segment(@CTX_METADATA_PARENT_PC) - PUSH $label - // stack: label, addr, new_ctx - MSTORE_GENERAL - // stack: new_ctx -%endmacro - -%macro set_new_ctx_code - %stack (address, new_ctx) -> (address, new_ctx, %%after, new_ctx) - %jump(load_code_padded) -%%after: - %set_new_ctx_code_size - // stack: new_ctx -%endmacro - -%macro enter_new_ctx - // stack: new_ctx - // Switch to the new context and go to usermode with PC=0. - DUP1 // new_ctx - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // Perform jumpdest analyis - %mload_context_metadata(@CTX_METADATA_CODE_SIZE) - GET_CONTEXT - // stack: ctx, code_size, retdest - %jumpdest_analysis - PUSH 0 // jump dest - EXIT_KERNEL - // (Old context) stack: new_ctx -%endmacro - -%macro copy_mem_to_calldata - // stack: new_ctx, args_offset, args_size - GET_CONTEXT - %stack(ctx, new_ctx, args_offset, args_size) -> (ctx, @SEGMENT_MAIN_MEMORY, args_offset, args_size, %%after, new_ctx, args_size) - %build_address - // stack: SRC, args_size, %%after, new_ctx, args_size - DUP4 - %build_address_with_ctx_no_offset(@SEGMENT_CALLDATA) - // stack: DST, SRC, args_size, %%after, new_ctx, args_size - %jump(memcpy_bytes) -%%after: - // stack: new_ctx, args_size - %build_address_with_ctx_no_segment(@CTX_METADATA_CALLDATA_SIZE) - // stack: addr, args_size - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro copy_returndata_to_mem - // stack: kexit_info, new_ctx, success, ret_offset, ret_size - SWAP4 - %returndatasize - // stack: returndata_size, ret_size, new_ctx, success, ret_offset, kexit_info - %min - GET_CONTEXT - %stack (ctx, n, new_ctx, success, ret_offset, kexit_info) -> (ctx, @SEGMENT_RETURNDATA, @SEGMENT_MAIN_MEMORY, ret_offset, ctx, n, %%after, kexit_info, success) - %build_address_no_offset - // stack: SRC, @SEGMENT_MAIN_MEMORY, ret_offset, ctx, n, %%after, kexit_info, success - SWAP3 - %build_address - // stack: DST, SRC, n, %%after, kexit_info, success - %jump(memcpy_bytes) -%%after: -%endmacro - -// Checked memory expansion. -%macro checked_mem_expansion - // stack: size, offset, kexit_info - DUP1 ISZERO %jumpi(%%zero) - %add_or_fault - // stack: expanded_num_bytes, kexit_info - DUP1 %ensure_reasonable_offset - %update_mem_bytes - %jump(%%after) -%%zero: - %pop2 -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/call_gas.asm b/evm/src/cpu/kernel/asm/core/call_gas.asm deleted file mode 100644 index 3961352139..0000000000 --- a/evm/src/cpu/kernel/asm/core/call_gas.asm +++ /dev/null @@ -1,92 +0,0 @@ -%macro call_charge_gas(is_call_or_callcode, is_call_or_staticcall) - %stack (cold_access, address, gas, kexit_info, value) -> - ($is_call_or_callcode, $is_call_or_staticcall, cold_access, address, gas, kexit_info, value, %%after) - %jump(call_charge_gas) -%%after: - // stack: kexit_info, C_callgas, address, value -%endmacro - -// Charge gas for *call opcodes and return the sub-context gas limit. -// Doesn't include memory expansion costs. -global call_charge_gas: - // Compute C_access - // stack: is_call_or_callcode, is_call_or_staticcall, cold_access, address, gas, kexit_info, value, retdest - SWAP2 - // stack: cold_access, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %mul_const(@GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS) - %add_const(@GAS_WARMACCESS) - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - DUP3 - // stack: is_call_or_callcode, cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jumpi(xfer_cost) -after_xfer_cost: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - DUP2 - %jumpi(new_cost) -after_new_cost: - %stack (Cextra, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest) -> - (Cextra, address, gas, kexit_info, value, retdest) - // Compute C_gascap - // stack: Cextra, address, gas, kexit_info, value, retdest - DUP4 %leftover_gas - // stack: leftover_gas, Cextra, address, gas, kexit_info, value, retdest - DUP2 DUP2 LT - // stack: leftover_gas=Cextra, (leftover_gas=Cextra, (leftover_gas=Cextra, (leftover_gas (Cextra, Cgascap, Cgascap) - ADD - %stack (C_call, Cgascap, address, gas, kexit_info, value) -> - (C_call, kexit_info, Cgascap, address, gas, value) - %charge_gas - - // Compute C_callgas - %stack (kexit_info, Cgascap, address, gas, value) -> - (Cgascap, address, gas, kexit_info, value) - DUP5 ISZERO %not_bit - // stack: value!=0, Cgascap, address, gas, kexit_info, value, retdest - %mul_const(@GAS_CALLSTIPEND) ADD - %stack (C_callgas, address, gas, kexit_info, value, retdest) -> - (retdest, kexit_info, C_callgas, address, value) - JUMP - -global xfer_cost: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - DUP7 - // stack: value, cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jumpi(xfer_cost_nonzero) - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jump(after_xfer_cost) -xfer_cost_nonzero: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %add_const(@GAS_CALLVALUE) - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jump(after_xfer_cost) - -new_cost: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - DUP7 - // stack: value, cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jumpi(new_cost_transfers_value) - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jump(after_new_cost) -new_cost_transfers_value: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - DUP4 %is_dead - %jumpi(new_cost_nonzero) - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %jump(after_new_cost) -new_cost_nonzero: - // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest - %add_const(@GAS_NEWACCOUNT) - %jump(after_new_cost) diff --git a/evm/src/cpu/kernel/asm/core/create.asm b/evm/src/cpu/kernel/asm/core/create.asm deleted file mode 100644 index 80f8f46188..0000000000 --- a/evm/src/cpu/kernel/asm/core/create.asm +++ /dev/null @@ -1,291 +0,0 @@ -// The CREATE syscall. Address will be -// address = KEC(RLP(sender, nonce))[12:] -// -// Pre stack: kexit_info, value, code_offset, code_len -// Post stack: address -global sys_create: - %check_static - - %stack (kexit_info, value, code_offset, code_len) -> (code_len, code_offset, kexit_info, value, code_offset, code_len) - %checked_mem_expansion - // stack: kexit_info, value, code_offset, code_len - %charge_gas_const(@GAS_CREATE) - // stack: kexit_info, value, code_offset, code_len - DUP4 - // stack: code_len, kexit_info, value, code_offset, code_len - %check_initcode_size - - %stack (kexit_info, value, code_offset, code_len) - -> (sys_create_got_address, value, code_offset, code_len, kexit_info) - %address - // stack: sender, sys_create_got_address, value, code_offset, code_len, kexit_info - DUP1 %nonce - // stack: nonce, sender, sys_create_got_address, value, code_offset, code_len, kexit_info - SWAP1 - // stack: sender, nonce, sys_create_got_address, value, code_offset, code_len, kexit_info - %jump(get_create_address) -sys_create_got_address: - // stack: address, value, code_offset, code_len, kexit_info - %jump(create_common) - -// The CREATE2 syscall; see EIP-1014. Address will be -// address = KEC(0xff || sender || salt || code_hash)[12:] -// -// Pre stack: kexit_info, value, code_offset, code_len, salt -// Post stack: address -global sys_create2: - %check_static - - // stack: kexit_info, value, code_offset, code_len, salt - %stack (kexit_info, value, code_offset, code_len) -> (code_len, code_offset, kexit_info, value, code_offset, code_len) - %checked_mem_expansion - // stack: kexit_info, value, code_offset, code_len, salt - DUP4 %num_bytes_to_num_words - %mul_const(@GAS_KECCAK256WORD) %add_const(@GAS_CREATE) %charge_gas - // stack: kexit_info, value, code_offset, code_len, salt - DUP4 - // stack: code_len, kexit_info, value, code_offset, code_len, salt - %check_initcode_size - - - SWAP4 - %stack (salt) -> (salt, create_common) - // stack: salt, create_common, value, code_offset, code_len, kexit_info - - // Hash the code. - DUP5 // code_len - DUP5 // code_offset - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - KECCAK_GENERAL - // stack: hash, salt, create_common, value, code_offset, code_len, kexit_info - - %address - // stack: sender, hash, salt, create_common, value, code_offset, code_len, kexit_info - %jump(get_create2_address) - -// Pre stack: address, value, code_offset, code_len, kexit_info -// Post stack: address -global create_common: - // stack: address, value, code_offset, code_len, kexit_info - DUP1 %insert_accessed_addresses_no_return - - // Check call depth - %call_depth - %gt_const(@CALL_STACK_LIMIT) - %jumpi(create_too_deep) - - // stack: address, value, code_offset, code_len, kexit_info - DUP2 %selfbalance LT %jumpi(create_insufficient_balance) - // Increment the sender's nonce. - %address - DUP1 %nonce %eq_const(@MAX_NONCE) %jumpi(nonce_overflow) // EIP-2681 - %increment_nonce - // stack: address, value, code_offset, code_len, kexit_info - - %checkpoint - - // stack: address, value, code_offset, code_len, kexit_info - DUP2 DUP2 %address %transfer_eth %jumpi(panic) // We checked the balance above, so this should never happen. - DUP2 DUP2 %address %journal_add_balance_transfer // Add journal entry for the balance transfer. - - %create_context - // stack: new_ctx, address, value, code_offset, code_len, kexit_info - GET_CONTEXT - // stack: src_ctx, new_ctx, address, value, code_offset, code_len, kexit_info - - %stack (src_ctx, new_ctx, address, value, code_offset, code_len) -> - (code_len, new_ctx, src_ctx, new_ctx, address, value, code_offset, code_len) - %set_new_ctx_code_size POP - // Copy the code from memory to the new context's code segment. - %stack (src_ctx, new_ctx, address, value, code_offset, code_len) - -> (src_ctx, @SEGMENT_MAIN_MEMORY, code_offset, // SRC - new_ctx, // DST (SEGMENT_CODE == virt == 0) - code_len, - run_constructor, - new_ctx, value, address) - %build_address - // stack: SRC, DST, code_len, run_constructor, new_ctx, value, address - SWAP1 - // stack: DST, SRC, code_len, run_constructor, new_ctx, value, address - %jump(memcpy_bytes) - -run_constructor: - // stack: new_ctx, value, address, kexit_info - SWAP1 %set_new_ctx_value - // stack: new_ctx, address, kexit_info - - // Each line in the block below does not change the stack. - DUP2 %set_new_ctx_addr - %address %set_new_ctx_caller - %set_new_ctx_parent_pc(after_constructor) - // stack: new_ctx, address, kexit_info - - // All but 1/64 of the sender's remaining gas goes to the constructor. - SWAP2 - // stack: kexit_info, address, new_ctx - %drain_all_but_one_64th_gas - %stack (kexit_info, drained_gas, address, new_ctx) -> (drained_gas, new_ctx, address, kexit_info) - %set_new_ctx_gas_limit - // stack: new_ctx, address, kexit_info - - // Create the new contract account in the state trie. - DUP2 - %create_contract_account - // stack: status, new_ctx, address, kexit_info - %jumpi(create_collision) - - %enter_new_ctx - // (Old context) stack: new_ctx, address, kexit_info - -after_constructor: - // stack: success, leftover_gas, new_ctx, address, kexit_info - DUP1 ISZERO %jumpi(after_constructor_failed) - - // stack: success, leftover_gas, new_ctx, address, kexit_info - SWAP2 - // stack: new_ctx, leftover_gas, success, address, kexit_info - POP - - // EIP-3541: Reject new contract code starting with the 0xEF byte - PUSH @SEGMENT_RETURNDATA - GET_CONTEXT - %build_address_no_offset - MLOAD_GENERAL - %eq_const(0xEF) %jumpi(create_first_byte_ef) - - // Charge gas for the code size. - // stack: leftover_gas, success, address, kexit_info - %returndatasize // Size of the code. - // stack: code_size, leftover_gas, success, address, kexit_info - DUP1 %gt_const(@MAX_CODE_SIZE) %jumpi(create_code_too_large) - // stack: code_size, leftover_gas, success, address, kexit_info - %mul_const(@GAS_CODEDEPOSIT) - // stack: code_size_cost, leftover_gas, success, address, kexit_info - DUP2 DUP2 GT %jumpi(create_oog) - SWAP1 SUB - // stack: leftover_gas, success, address, kexit_info - %pop_checkpoint - - // Store the code hash of the new contract. - %returndatasize - PUSH @SEGMENT_RETURNDATA GET_CONTEXT %build_address_no_offset - // stack: addr, len - KECCAK_GENERAL - // stack: codehash, leftover_gas, success, address, kexit_info - %observe_new_contract - DUP4 - // stack: address, codehash, leftover_gas, success, address, kexit_info - %set_codehash - - // Set the return data size to 0. - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - -after_constructor_contd: - // stack: leftover_gas, success, address, kexit_info - %shl_const(192) - // stack: leftover_gas << 192, success, address, kexit_info - SWAP2 - // stack: address, success, leftover_gas << 192, kexit_info - MUL - // stack: address_if_success, leftover_gas << 192, kexit_info - SWAP2 - // stack: kexit_info, leftover_gas << 192, address_if_success - SUB - // stack: kexit_info, address_if_success - EXIT_KERNEL - -after_constructor_failed: - %revert_checkpoint - %stack (success, leftover_gas, new_ctx, address, kexit_info) -> (leftover_gas, success, address, kexit_info) - %jump(after_constructor_contd) - -create_insufficient_balance: - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %stack (address, value, code_offset, code_len, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -nonce_overflow: - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %stack (sender, address, value, code_offset, code_len, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -create_collision: - %revert_checkpoint - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %stack (new_ctx, address, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -create_first_byte_ef: - %revert_checkpoint - %stack (leftover_gas, success, address, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -create_code_too_large: - %revert_checkpoint - %stack (code_size, leftover_gas, success, address, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -create_oog: - %revert_checkpoint - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %stack (code_size_cost, leftover_gas, success, address, kexit_info) -> (kexit_info, 0) - EXIT_KERNEL - -create_too_deep: - %mstore_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %stack (address, value, code_offset, code_len, kexit_info) -> (kexit_info, 0) - // stack: kexit_info, 0 - EXIT_KERNEL - -%macro set_codehash - %stack (addr, codehash) -> (addr, codehash, %%after) - %jump(set_codehash) -%%after: - // stack: (empty) -%endmacro - -// Pre stack: addr, codehash, redest -// Post stack: (empty) -global set_codehash: - // stack: addr, codehash, retdest - DUP1 %insert_touched_addresses - DUP1 %mpt_read_state_trie - // stack: account_ptr, addr, codehash, retdest - %add_const(3) - // stack: codehash_ptr, addr, codehash, retdest - DUP1 %mload_trie_data - // stack: prev_codehash, codehash_ptr, addr, codehash, retdest - DUP3 %journal_add_code_change // Add the code change to the journal. - %stack (codehash_ptr, addr, codehash) -> (codehash_ptr, codehash) - %mstore_trie_data - // stack: retdest - JUMP - -// Check and charge gas cost for initcode size. See EIP-3860. -// Pre stack: code_size, kexit_info -// Post stack: kexit_info -%macro check_initcode_size - DUP1 %gt_const(@MAX_INITCODE_SIZE) %jumpi(fault_exception) - // stack: code_size, kexit_info - %num_bytes_to_num_words %mul_const(@INITCODE_WORD_COST) - %charge_gas -%endmacro - - -// This should be called whenever a new contract is created. -// It does nothing, but just provides a single hook where code can react to newly created contracts. -// When called, the code corresponding to `codehash` should be stored in the return data. -// Pre stack: codehash, retdest -// Post stack: codehash -global observe_new_contract: - // stack codehash, retdest - SWAP1 JUMP - -%macro observe_new_contract - %stack (codehash) -> (codehash, %%after) - %jump(observe_new_contract) -%%after: - // stack: codehash -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/create_addresses.asm b/evm/src/cpu/kernel/asm/core/create_addresses.asm deleted file mode 100644 index 8c2de08bd2..0000000000 --- a/evm/src/cpu/kernel/asm/core/create_addresses.asm +++ /dev/null @@ -1,76 +0,0 @@ -// Computes the address of a contract based on the conventional scheme, i.e. -// address = KEC(RLP(sender, nonce))[12:] -// -// Pre stack: sender, nonce, retdest -// Post stack: address -global get_create_address: - // stack: sender, nonce, retdest - %alloc_rlp_block - // stack: rlp_start, sender, nonce, retdest - %stack (rlp_start, sender, nonce) -> (rlp_start, sender, nonce, rlp_start) - // stack: rlp_start, sender, nonce, rlp_start, retdest - %encode_rlp_160 // TODO: or encode_rlp_scalar? - // stack: rlp_pos, nonce, rlp_start, retdest - %encode_rlp_scalar - // stack: rlp_pos, rlp_start, retdest - %prepend_rlp_list_prefix - // stack: RLP_ADDR, rlp_len, retdest - KECCAK_GENERAL - // stack: hash, retdest - %u256_to_addr - // stack: address, retdest - %observe_new_address - SWAP1 - JUMP - -// Convenience macro to call get_create_address and return where we left off. -%macro get_create_address - %stack (sender, nonce) -> (sender, nonce, %%after) - %jump(get_create_address) -%%after: -%endmacro - -// Computes the address for a contract based on the CREATE2 rule, i.e. -// address = KEC(0xff || sender || salt || code_hash)[12:] -// Clobbers @SEGMENT_KERNEL_GENERAL. -// Pre stack: sender, code_hash, salt, retdest -// Post stack: address -global get_create2_address: - // stack: sender, code_hash, salt, retdest - PUSH @SEGMENT_KERNEL_GENERAL - DUP1 - PUSH 0xff - MSTORE_GENERAL - // stack: addr, sender, code_hash, salt, retdest - %increment - %stack (addr, sender, code_hash, salt, retdest) -> (addr, sender, salt, code_hash, retdest) - MSTORE_32BYTES_20 - // stack: addr, salt, code_hash, retdest - MSTORE_32BYTES_32 - // stack: addr, code_hash, retdest - MSTORE_32BYTES_32 - POP - %stack (retdest) -> (@SEGMENT_KERNEL_GENERAL, 85, retdest) // offset == context == 0 - // addr, len, retdest - KECCAK_GENERAL - // stack: hash, retdest - %u256_to_addr - // stack: address, retdest - %observe_new_address - SWAP1 - JUMP - -// This should be called whenever a new address is created. This is only for debugging. It does -// nothing, but just provides a single hook where code can react to newly created addresses. -global observe_new_address: - // stack: address, retdest - SWAP1 - // stack: retdest, address - JUMP - -// Convenience macro to call observe_new_address and return where we left off. -%macro observe_new_address - %stack (address) -> (address, %%after) - %jump(observe_new_address) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/create_contract_account.asm b/evm/src/cpu/kernel/asm/core/create_contract_account.asm deleted file mode 100644 index b45d45ca5c..0000000000 --- a/evm/src/cpu/kernel/asm/core/create_contract_account.asm +++ /dev/null @@ -1,62 +0,0 @@ -// Create a smart contract account with the given address and the given endowment value. -// Pre stack: address -// Post stack: status -%macro create_contract_account - // stack: address - DUP1 %insert_touched_addresses - DUP1 %mpt_read_state_trie - // stack: existing_account_ptr, address - // If the account doesn't exist, there's no need to check its balance or nonce, - // so we can skip ahead, setting existing_balance = existing_account_ptr = 0. - DUP1 ISZERO %jumpi(%%add_account) - - // Check that the nonce is 0. - // stack: existing_account_ptr, address - DUP1 %mload_trie_data // nonce = account[0] - // stack: nonce, existing_account_ptr, address - %jumpi(%%error_collision) - // stack: existing_account_ptr, address - // Check that the code is empty. - %add_const(3) - // stack: existing_codehash_ptr, address - DUP1 %mload_trie_data // codehash = account[3] - %eq_const(@EMPTY_STRING_HASH) ISZERO %jumpi(%%error_collision) - // stack: existing_codehash_ptr, address - %sub_const(2) %mload_trie_data // balance = account[1] - %jump(%%do_insert) - -%%add_account: - // stack: existing_balance, address - DUP2 %journal_add_account_created -%%do_insert: - // stack: new_acct_value, address - // Write the new account's data to MPT data, and get a pointer to it. - %get_trie_data_size - // stack: account_ptr, new_acct_value, address - PUSH 0 DUP4 %journal_add_nonce_change - PUSH 1 %append_to_trie_data // nonce = 1 - // stack: account_ptr, new_acct_value, address - SWAP1 %append_to_trie_data // balance = new_acct_value - // stack: account_ptr, address - PUSH 0 %append_to_trie_data // storage_root = nil - // stack: account_ptr, address - PUSH @EMPTY_STRING_HASH %append_to_trie_data // code_hash = keccak('') - // stack: account_ptr, address - SWAP1 - // stack: address, account_ptr - %addr_to_state_key - // stack: state_key, account_ptr - %mpt_insert_state_trie - // stack: (empty) - PUSH 0 // success - %jump(%%end) - -// If the nonce is nonzero or the code is non-empty, that means a contract has already been deployed to this address. -// (This should be impossible with contract creation transactions or CREATE, but possible with CREATE2.) -// So we return 1 to indicate an error. -%%error_collision: - %stack (existing_account_ptr, address) -> (1) - -%%end: - // stack: status -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/create_receipt.asm b/evm/src/cpu/kernel/asm/core/create_receipt.asm deleted file mode 100644 index 60e9264739..0000000000 --- a/evm/src/cpu/kernel/asm/core/create_receipt.asm +++ /dev/null @@ -1,249 +0,0 @@ -// Pre-stack: status, leftover_gas, prev_cum_gas, txn_nb, num_nibbles, retdest -// Post stack: new_cum_gas, txn_nb -// A receipt is stored in MPT_TRIE_DATA as: -// [payload_len, status, cum_gas_used, bloom, logs_payload_len, num_logs, [logs]] -// -// In this function, we: -// - compute cum_gas, -// - check if the transaction failed and set number of logs to 0 if it is the case, -// - compute the bloom filter, -// - write the receipt in MPT_TRIE_DATA , -// - insert a new node in receipt_trie, -// - set the bloom filter back to 0 -global process_receipt: - // stack: status, leftover_gas, prev_cum_gas, txn_nb, num_nibbles, retdest - DUP2 DUP4 - // stack: prev_cum_gas, leftover_gas, status, leftover_gas, prev_cum_gas, txn_nb, num_nibbles, retdest - %compute_cumulative_gas - // stack: new_cum_gas, status, leftover_gas, prev_cum_gas, txn_nb, num_nibbles, retdest - SWAP3 POP - // stack: status, leftover_gas, new_cum_gas, txn_nb, num_nibbles, retdest - SWAP1 POP - // stack: status, new_cum_gas, txn_nb, num_nibbles, retdest - // Now, we need to check whether the transaction has failed. - DUP1 ISZERO %jumpi(failed_receipt) - -process_receipt_after_status: - // stack: status, new_cum_gas, txn_nb, num_nibbles, retdest - PUSH process_receipt_after_bloom - %jump(logs_bloom) - -process_receipt_after_bloom: - // stack: status, new_cum_gas, txn_nb, num_nibbles, retdest - DUP2 DUP4 - // stack: txn_nb, new_cum_gas, status, new_cum_gas, txn_nb, num_nibbles, retdest - SWAP2 - // stack: status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - - // Compute the total RLP payload length of the receipt. - PUSH 1 // status is always 1 byte. - // stack: payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP3 - %rlp_scalar_len // cum_gas is a simple scalar. - ADD - // stack: payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Next is the bloom_filter, which is a 256-byte array. Its RLP encoding is - // 1 + 2 + 256 bytes. - %add_const(259) - // stack: payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Last is the logs. - %mload_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - %rlp_list_len - ADD - // stack: payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Now we can write the receipt in MPT_TRIE_DATA. - %get_trie_data_size - // stack: receipt_ptr, payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write transaction type if necessary. RLP_RAW contains, at index 0, the current transaction type. - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - MLOAD_GENERAL - // stack: first_txn_byte, receipt_ptr, payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 %eq_const(1) %jumpi(receipt_nonzero_type) - DUP1 %eq_const(2) %jumpi(receipt_nonzero_type) - // If we are here, we are dealing with a legacy transaction, and we do not need to write the type. - POP - -process_receipt_after_type: - // stack: receipt_ptr, payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write payload_len. - SWAP1 - %append_to_trie_data - // stack: receipt_ptr, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write status. - SWAP1 - %append_to_trie_data - // stack: receipt_ptr, new_cum_gas, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write cum_gas_used. - SWAP1 - %append_to_trie_data - // stack: receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write Bloom filter. - PUSH 256 // Bloom length. - PUSH @SEGMENT_TXN_BLOOM // ctx == virt == 0 - // stack: bloom_addr, 256, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %get_trie_data_size - PUSH @SEGMENT_TRIE_DATA ADD // MPT dest address. - // stack: DST, SRC, 256, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %memcpy_bytes - // stack: receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Update trie data size. - %get_trie_data_size - %add_const(256) - %set_trie_data_size - - // Now we write logs. - // stack: receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // We start with the logs payload length. - %mload_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - %append_to_trie_data - // stack: receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %mload_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - // Then the number of logs. - // stack: num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 %append_to_trie_data - PUSH 0 - -// Each log is written in MPT_TRIE_DATA as: -// [payload_len, address, num_topics, [topics], data_len, [data]]. -process_receipt_logs_loop: - // stack: i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP2 DUP2 - EQ - // stack: i == num_logs, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %jumpi(process_receipt_after_write) - // stack: i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 - %mload_kernel(@SEGMENT_LOGS) - // stack: log_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write payload_len. - PUSH @SEGMENT_LOGS_DATA %build_kernel_address - DUP1 - MLOAD_GENERAL - %append_to_trie_data - // stack: log_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write address. - %increment - // stack: addr_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 - MLOAD_GENERAL - %append_to_trie_data - // stack: addr_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - //Write num_topics. - %increment - // stack: num_topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 - MLOAD_GENERAL - // stack: num_topics, num_topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 - %append_to_trie_data - // stack: num_topics, num_topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - SWAP1 %increment SWAP1 - // stack: num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - PUSH 0 - -process_receipt_topics_loop: - // stack: j, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP2 DUP2 - EQ - // stack: j == num_topics, j, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %jumpi(process_receipt_topics_end) - // stack: j, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write j-th topic. - DUP3 DUP2 - ADD - // stack: cur_topic_ptr, j, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - MLOAD_GENERAL - %append_to_trie_data - // stack: j, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %increment - %jump(process_receipt_topics_loop) - -process_receipt_topics_end: - // stack: num_topics, num_topics, topics_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - POP - ADD - // stack: data_len_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write data_len - DUP1 - MLOAD_GENERAL - // stack: data_len, data_len_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP1 - %append_to_trie_data - // stack: data_len, data_len_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - SWAP1 %increment SWAP1 - // stack: data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - PUSH 0 - -process_receipt_data_loop: - // stack: j, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - DUP2 DUP2 - EQ - // stack: j == data_len, j, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %jumpi(process_receipt_data_end) - // stack: j, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - // Write j-th data byte. - DUP3 DUP2 - ADD - // stack: cur_data_ptr, j, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - MLOAD_GENERAL - %append_to_trie_data - // stack: j, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %increment - %jump(process_receipt_data_loop) - -process_receipt_data_end: - // stack: data_len, data_len, data_ptr, i, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %pop3 - %increment - %jump(process_receipt_logs_loop) - -process_receipt_after_write: - // stack: num_logs, num_logs, receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - %pop2 - // stack: receipt_ptr, txn_nb, new_cum_gas, txn_nb, num_nibbles, retdest - SWAP1 - // stack: txn_nb, receipt_ptr, new_cum_gas, txn_nb, num_nibbles, retdest - DUP5 - %mpt_insert_receipt_trie - // stack: new_cum_gas, txn_nb, num_nibbles, retdest - - // We don't need to reset the bloom filter segment as we only process a single transaction. - // TODO: Revert in case we add back support for multi-txn proofs. - - %stack (new_cum_gas, txn_nb, num_nibbles, retdest) -> (retdest, new_cum_gas) - JUMP - -receipt_nonzero_type: - // stack: txn_type, receipt_ptr, payload_len, status, new_cum_gas, txn_nb, new_cum_gas, txn_nb, retdest - %append_to_trie_data - %jump(process_receipt_after_type) - -failed_receipt: - // stack: status, new_cum_gas, num_nibbles, txn_nb - // It is the receipt of a failed transaction, so set num_logs to 0. This will also lead to Bloom filter = 0. - PUSH 0 - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - PUSH 0 %mstore_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - // stack: status, new_cum_gas, num_nibbles, txn_nb - %jump(process_receipt_after_status) - -%macro process_receipt - // stack: success, leftover_gas, cur_cum_gas, txn_nb, num_nibbles - %stack (success, leftover_gas, cur_cum_gas, txn_nb, num_nibbles) -> (success, leftover_gas, cur_cum_gas, txn_nb, num_nibbles, %%after) - %jump(process_receipt) -%%after: -%endmacro - -%macro compute_cumulative_gas - // stack: cur_cum_gas, leftover_gas - DUP2 - // stack: leftover_gas, prev_cum_gas, leftover_gas - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - // stack: gas_limit, leftover_gas, prev_cum_gas, leftover_gas - DUP2 DUP2 LT %jumpi(panic) - // stack: gas_limit, leftover_gas, prev_cum_gas, leftover_gas - SUB - // stack: used_txn_gas, prev_cum_gas, leftover_gas - ADD SWAP1 POP - // stack: new_cum_gas -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/exception.asm b/evm/src/cpu/kernel/asm/core/exception.asm deleted file mode 100644 index 6ce2d676d3..0000000000 --- a/evm/src/cpu/kernel/asm/core/exception.asm +++ /dev/null @@ -1,436 +0,0 @@ -// These exception codes are arbitrary and assigned by us. -// Note that exceptions can only be triggered in user mode. Triggering an exception -// in kernel mode wwill fail the constraints. -global exception_jumptable: - // exception 0: out of gas - JUMPTABLE exc_out_of_gas - - // exception 1: invalid opcode - JUMPTABLE exc_invalid_opcode - - // exception 2: stack underflow - JUMPTABLE exc_stack_underflow - - // exception 3: invalid jump destination - JUMPTABLE exc_invalid_jump_destination - - // exception 4: invalid jumpi destination - JUMPTABLE exc_invalid_jumpi_destination - - // exception 5: stack overflow - JUMPTABLE exc_stack_overflow - - // exceptions 6 and 7: unused - JUMPTABLE panic - JUMPTABLE panic - - -global exc_out_of_gas: - // stack: trap_info - %ctx_gas_limit - // stack: gas_limit, trap_info - DUP2 %shr_const(192) - // stack: gas_used, gas_limit, trap_info - DUP2 DUP2 - // stack: gas_used, gas_limit, gas_used, gas_limit, trap_info - // If gas_used is already over the limit, panic. The exception should have - // been raised earlier. - GT %jumpi(panic) - // stack: gas_used, gas_limit, trap_info - DUP3 %opcode_from_exp_trap_info - // stack: opcode, gas_used, gas_limit, trap_info - %add_const(gas_cost_for_opcode) - %mload_kernel_code - // stack: gas_cost, gas_used, gas_limit, trap_info - ADD - // stack: new_gas_used, gas_limit, trap_info - GT - // stack: is_oog, trap_info - SWAP1 POP - // stack: is_oog - %jumpi(fault_exception) - // If we didn't jump, we shouldn't have raised the exception. - PANIC - - -global exc_invalid_opcode: - // stack: trap_info - // check if the opcode that triggered this trap is _actually_ invalid - %opcode_from_exp_trap_info - PUSH @INVALID_OPCODES_USER - // stack: invalid_opcodes_user, opcode - SWAP1 - // stack: opcode, invalid_opcodes_user - SHR - %mod_const(2) - // stack: opcode_is_invalid - // if the opcode is indeed invalid, then perform an exceptional exit - %jumpi(fault_exception) - // otherwise, panic because this trap should not have been entered - PANIC - - -global exc_stack_underflow: - // stack: trap_info - %opcode_from_exp_trap_info - // stack: opcode - %add_const(min_stack_len_for_opcode) - %mload_kernel_code - // stack: min_stack_length - %stack_length - // stack: user_stack_length + 1, min_stack_length - GT - // stack: user_stack_length >= min_stack_length - %jumpi(panic) - %jump(fault_exception) - - -// Debugging note: this will underflow if entered without at least one item on the stack (in -// addition to trap_info). This is expected; it means that the exc_stack_underflow handler should -// have been used instead. -global exc_invalid_jump_destination: - // stack: trap_info, jump_dest - // check that the triggering opcode is indeed JUMP - %opcode_from_exp_trap_info - // stack: opcode, jump_dest - %eq_const(0x56) - // if it's JUMP, then verify that we're actually jumping to an invalid address - %jumpi(invalid_jump_jumpi_destination_common) - // otherwise, panic - PANIC - - -// Debugging note: this will underflow if entered without at least two items on the stack (in -// addition to trap_info). This is expected; it means that the exc_stack_underflow handler should -// have been used instead. -global exc_invalid_jumpi_destination: - // stack: trap_info, jump_dest, condition - // check that the triggering opcode is indeed JUMPI - %opcode_from_exp_trap_info - // stack: opcode, jump_dest, condition - %sub_const(0x57) - // if it's not JUMPI, then panic - %jumpi(panic) - // otherwise, verify that the condition is nonzero - // stack: jump_dest, condition - SWAP1 - // if it's nonzero, then verify that we're actually jumping to an invalid address - %jumpi(invalid_jump_jumpi_destination_common) - // otherwise, panic - PANIC - - -global invalid_jump_jumpi_destination_common: - // We have a jump destination on the stack. We want to `PANIC` if it is valid, and jump to - // `fault_exception` if it is not. An address is a valid jump destination if it points to a - // `JUMPDEST` instruction. In practice, since in this implementation memory addresses are - // limited to 32 bits, we check two things: - // 1. the address is no more than 32 bits long, and - // 2. it points to a `JUMPDEST` instruction. - // stack: jump_dest - DUP1 - %shr_const(32) - %jumpi(fault_exception) // This keeps one copy of jump_dest on the stack, but that's fine. - // jump_dest is a valid address; check if it points to a `JUMP_DEST`. - %mload_current(@SEGMENT_JUMPDEST_BITS) - // stack: is_valid_jumpdest - %jumpi(panic) // Trap should never have been entered. - %jump(fault_exception) - - -global exc_stack_overflow: - // stack: trap_info - // check that the triggering opcode _can_ overflow (i.e., it increases the stack size by 1) - %opcode_from_exp_trap_info - PUSH @STACK_LENGTH_INCREASING_OPCODES_USER - // stack: stack_length_increasing_opcodes_user, opcode - SWAP1 - // stack: opcode, stack_length_increasing_opcodes_user - SHR - %mod_const(2) - // stack: opcode_increases_stack_length - // if the opcode indeed increases the stack length, then check whether the stack size is at its - // maximum value - %jumpi(exc_stack_overflow_check_stack_length) - // otherwise, panic because this trap should not have been entered - PANIC -global exc_stack_overflow_check_stack_length: - // stack: (empty) - %stack_length - %eq_const(1024) - // if true, stack length is at its maximum allowed value, so the instruction would indeed cause - // an overflow. - %jumpi(fault_exception) - PANIC - - -// Given the exception trap info, load the opcode that caused the exception -%macro opcode_from_exp_trap_info - %mod_const(0x100000000) // get program counter from low 32 bits of trap_info - %mload_current_code -%endmacro - - -min_stack_len_for_opcode: - BYTES 0 // 0x00, STOP - BYTES 2 // 0x01, ADD - BYTES 2 // 0x02, MUL - BYTES 2 // 0x03, SUB - BYTES 2 // 0x04, DIV - BYTES 2 // 0x05, SDIV - BYTES 2 // 0x06, MOD - BYTES 2 // 0x07, SMOD - BYTES 3 // 0x08, ADDMOD - BYTES 3 // 0x09, MULMOD - BYTES 2 // 0x0a, EXP - BYTES 2 // 0x0b, SIGNEXTEND - %rep 4 // 0x0c-0x0f, invalid - BYTES 0 - %endrep - - BYTES 2 // 0x10, LT - BYTES 2 // 0x11, GT - BYTES 2 // 0x12, SLT - BYTES 2 // 0x13, SGT - BYTES 2 // 0x14, EQ - BYTES 1 // 0x15, ISZERO - BYTES 2 // 0x16, AND - BYTES 2 // 0x17, OR - BYTES 2 // 0x18, XOR - BYTES 1 // 0x19, NOT - BYTES 2 // 0x1a, BYTE - BYTES 2 // 0x1b, SHL - BYTES 2 // 0x1c, SHR - BYTES 2 // 0x1d, SAR - BYTES 0 // 0x1e, invalid - BYTES 0 // 0x1f, invalid - - BYTES 2 // 0x20, KECCAK256 - %rep 15 // 0x21-0x2f, invalid - BYTES 0 - %endrep - - BYTES 0 // 0x30, ADDRESS - BYTES 1 // 0x31, BALANCE - BYTES 0 // 0x32, ORIGIN - BYTES 0 // 0x33, CALLER - BYTES 0 // 0x34, CALLVALUE - BYTES 1 // 0x35, CALLDATALOAD - BYTES 0 // 0x36, CALLDATASIZE - BYTES 3 // 0x37, CALLDATACOPY - BYTES 0 // 0x38, CODESIZE - BYTES 3 // 0x39, CODECOPY - BYTES 0 // 0x3a, GASPRICE - BYTES 1 // 0x3b, EXTCODESIZE - BYTES 4 // 0x3c, EXTCODECOPY - BYTES 0 // 0x3d, RETURNDATASIZE - BYTES 3 // 0x3e, RETURNDATACOPY - BYTES 1 // 0x3f, EXTCODEHASH - - BYTES 1 // 0x40, BLOCKHASH - BYTES 0 // 0x41, COINBASE - BYTES 0 // 0x42, TIMESTAMP - BYTES 0 // 0x43, NUMBER - BYTES 0 // 0x44, DIFFICULTY - BYTES 0 // 0x45, GASLIMIT - BYTES 0 // 0x46, CHAINID - BYTES 0 // 0x47, SELFBALANCE - BYTES 0 // 0x48, BASEFEE - %rep 7 // 0x49-0x4f, invalid - BYTES 0 - %endrep - - BYTES 1 // 0x50, POP - BYTES 1 // 0x51, MLOAD - BYTES 2 // 0x52, MSTORE - BYTES 2 // 0x53, MSTORE8 - BYTES 1 // 0x54, SLOAD - BYTES 2 // 0x55, SSTORE - BYTES 1 // 0x56, JUMP - BYTES 2 // 0x57, JUMPI - BYTES 0 // 0x58, PC - BYTES 0 // 0x59, MSIZE - BYTES 0 // 0x5a, GAS - BYTES 0 // 0x5b, JUMPDEST - %rep 3 // 0x5c-0x5e, invalid - BYTES 0 - %endrep - - %rep 33 // 0x5f-0x7f, PUSH0-PUSH32 - BYTES 0 - %endrep - - BYTES 1 // 0x80, DUP1 - BYTES 2 // 0x81, DUP2 - BYTES 3 // 0x82, DUP3 - BYTES 4 // 0x83, DUP4 - BYTES 5 // 0x84, DUP5 - BYTES 6 // 0x85, DUP6 - BYTES 7 // 0x86, DUP7 - BYTES 8 // 0x87, DUP8 - BYTES 9 // 0x88, DUP9 - BYTES 10 // 0x89, DUP10 - BYTES 11 // 0x8a, DUP11 - BYTES 12 // 0x8b, DUP12 - BYTES 13 // 0x8c, DUP13 - BYTES 14 // 0x8d, DUP14 - BYTES 15 // 0x8e, DUP15 - BYTES 16 // 0x8f, DUP16 - - BYTES 2 // 0x90, SWAP1 - BYTES 3 // 0x91, SWAP2 - BYTES 4 // 0x92, SWAP3 - BYTES 5 // 0x93, SWAP4 - BYTES 6 // 0x94, SWAP5 - BYTES 7 // 0x95, SWAP6 - BYTES 8 // 0x96, SWAP7 - BYTES 9 // 0x97, SWAP8 - BYTES 10 // 0x98, SWAP9 - BYTES 11 // 0x99, SWAP10 - BYTES 12 // 0x9a, SWAP11 - BYTES 13 // 0x9b, SWAP12 - BYTES 14 // 0x9c, SWAP13 - BYTES 15 // 0x9d, SWAP14 - BYTES 16 // 0x9e, SWAP15 - BYTES 17 // 0x9f, SWAP16 - - BYTES 2 // 0xa0, LOG0 - BYTES 3 // 0xa1, LOG1 - BYTES 4 // 0xa2, LOG2 - BYTES 5 // 0xa3, LOG3 - BYTES 6 // 0xa4, LOG4 - - %rep 27 // 0xa5-0xbf, invalid - BYTES 0 - %endrep - - %rep 32 // 0xc0-0xdf, MSTORE_32BYTES - BYTES 4 - %endrep - - %rep 16 // 0xe0-0xef, invalid - BYTES 0 - %endrep - - BYTES 3 // 0xf0, CREATE - BYTES 7 // 0xf1, CALL - BYTES 7 // 0xf2, CALLCODE - BYTES 2 // 0xf3, RETURN - BYTES 6 // 0xf4, DELEGATECALL - BYTES 4 // 0xf5, CREATE2 - %rep 4 // 0xf6-0xf9, invalid - BYTES 0 - %endrep - BYTES 6 // 0xfa, STATICCALL - BYTES 0 // 0xfb, invalid - BYTES 0 // 0xfc, invalid - BYTES 2 // 0xfd, REVERT - BYTES 0 // 0xfe, invalid - BYTES 1 // 0xff, SELFDESTRUCT - -// A zero indicates either that the opcode is kernel-only, -// or that it's handled with a syscall. -gas_cost_for_opcode: - BYTES 0 // 0x00, STOP - BYTES @GAS_VERYLOW // 0x01, ADD - BYTES @GAS_LOW // 0x02, MUL - BYTES @GAS_VERYLOW // 0x03, SUB - BYTES @GAS_LOW // 0x04, DIV - BYTES @GAS_LOW // 0x05, SDIV - BYTES @GAS_LOW // 0x06, MOD - BYTES @GAS_LOW // 0x07, SMOD - BYTES @GAS_MID // 0x08, ADDMOD - BYTES @GAS_MID // 0x09, MULMOD - BYTES 0 // 0x0a, EXP - BYTES 0 // 0x0b, SIGNEXTEND - %rep 4 // 0x0c-0x0f, invalid - BYTES 0 - %endrep - - BYTES @GAS_VERYLOW // 0x10, LT - BYTES @GAS_VERYLOW // 0x11, GT - BYTES @GAS_VERYLOW // 0x12, SLT - BYTES @GAS_VERYLOW // 0x13, SGT - BYTES @GAS_VERYLOW // 0x14, EQ - BYTES @GAS_VERYLOW // 0x15, ISZERO - BYTES @GAS_VERYLOW // 0x16, AND - BYTES @GAS_VERYLOW // 0x17, OR - BYTES @GAS_VERYLOW // 0x18, XOR - BYTES @GAS_VERYLOW // 0x19, NOT - BYTES @GAS_VERYLOW // 0x1a, BYTE - BYTES @GAS_VERYLOW // 0x1b, SHL - BYTES @GAS_VERYLOW // 0x1c, SHR - BYTES @GAS_VERYLOW // 0x1d, SAR - BYTES 0 // 0x1e, invalid - BYTES 0 // 0x1f, invalid - - BYTES 0 // 0x20, KECCAK256 - %rep 15 // 0x21-0x2f, invalid - BYTES 0 - %endrep - - %rep 25 //0x30-0x48, only syscalls - BYTES 0 - %endrep - - %rep 7 // 0x49-0x4f, invalid - BYTES 0 - %endrep - - BYTES @GAS_BASE // 0x50, POP - BYTES 0 // 0x51, MLOAD - BYTES 0 // 0x52, MSTORE - BYTES 0 // 0x53, MSTORE8 - BYTES 0 // 0x54, SLOAD - BYTES 0 // 0x55, SSTORE - BYTES @GAS_MID // 0x56, JUMP - BYTES @GAS_HIGH // 0x57, JUMPI - BYTES @GAS_BASE // 0x58, PC - BYTES 0 // 0x59, MSIZE - BYTES 0 // 0x5a, GAS - BYTES @GAS_JUMPDEST // 0x5b, JUMPDEST - %rep 3 // 0x5c-0x5e, invalid - BYTES 0 - %endrep - - BYTES @GAS_BASE // 0x5f, PUSH0 - %rep 32 // 0x60-0x7f, PUSH1-PUSH32 - BYTES @GAS_VERYLOW - %endrep - - %rep 16 // 0x80-0x8f, DUP1-DUP16 - BYTES @GAS_VERYLOW - %endrep - - %rep 16 // 0x90-0x9f, SWAP1-SWAP16 - BYTES @GAS_VERYLOW - %endrep - - BYTES 0 // 0xa0, LOG0 - BYTES 0 // 0xa1, LOG1 - BYTES 0 // 0xa2, LOG2 - BYTES 0 // 0xa3, LOG3 - BYTES 0 // 0xa4, LOG4 - %rep 11 // 0xa5-0xaf, invalid - BYTES 0 - %endrep - - %rep 64 // 0xb0-0xef, invalid - BYTES 0 - %endrep - - BYTES 0 // 0xf0, CREATE - BYTES 0 // 0xf1, CALL - BYTES 0 // 0xf2, CALLCODE - BYTES 0 // 0xf3, RETURN - BYTES 0 // 0xf4, DELEGATECALL - BYTES 0 // 0xf5, CREATE2 - %rep 4 // 0xf6-0xf9, invalid - BYTES 0 - %endrep - BYTES 0 // 0xfa, STATICCALL - BYTES 0 // 0xfb, invalid - BYTES 0 // 0xfc, invalid - BYTES 0 // 0xfd, REVERT - BYTES 0 // 0xfe, invalid - BYTES 0 // 0xff, SELFDESTRUCT diff --git a/evm/src/cpu/kernel/asm/core/gas.asm b/evm/src/cpu/kernel/asm/core/gas.asm deleted file mode 100644 index 2e16c373e3..0000000000 --- a/evm/src/cpu/kernel/asm/core/gas.asm +++ /dev/null @@ -1,129 +0,0 @@ -global sys_gas: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - DUP1 %shr_const(192) - // stack: gas_used, kexit_info - %ctx_gas_limit - // stack: gas_limit, gas_used, kexit_info - SUB - // stack: gas_remaining, kexit_info - SWAP1 - EXIT_KERNEL - -%macro ctx_gas_limit - %mload_context_metadata(@CTX_METADATA_GAS_LIMIT) -%endmacro - - -// TODO: `%refund_gas` and `refund_gas_hook` are hooks used for debugging. They should be removed at some point and `refund_gas_original` renamed to `refund_gas`. -%macro refund_gas - PUSH %%after %jump(refund_gas_hook) -%%after: - %refund_gas_original -%endmacro - -global refund_gas_hook: - JUMP - -%macro refund_gas_original - // stack: amount - DUP1 %journal_refund - %mload_global_metadata(@GLOBAL_METADATA_REFUND_COUNTER) - ADD - %mstore_global_metadata(@GLOBAL_METADATA_REFUND_COUNTER) -%endmacro - -// TODO: `%charge_gas` and `charge_gas_hook` are hooks used for debugging. They should be removed at some point and `charge_gas_original` renamed to `charge_gas`. -%macro charge_gas - PUSH %%after %jump(charge_gas_hook) -%%after: - %charge_gas_original -%endmacro - -global charge_gas_hook: - JUMP - -// Charge gas. Faults if we exceed the limit for the current context. -%macro charge_gas_original - // stack: gas, kexit_info - %shl_const(192) - ADD - // stack: kexit_info' - %ctx_gas_limit - // stack: gas_limit, kexit_info' - DUP2 %shr_const(192) - // stack: gas_used, gas_limit, kexit_info' - GT - // stack: out_of_gas, kexit_info' - %jumpi(fault_exception) - // stack: kexit_info' -%endmacro - -// Charge a constant amount of gas. -%macro charge_gas_const(gas) - // stack: kexit_info - PUSH $gas - // stack: gas, kexit_info - %charge_gas - // stack: kexit_info' -%endmacro - -// Charge gas and exit kernel code. -%macro charge_gas_and_exit - // stack: gas, kexit_info - %charge_gas - // stack: kexit_info' - EXIT_KERNEL -%endmacro - -global sys_gasprice: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %mload_txn_field(@TXN_FIELD_COMPUTED_FEE_PER_GAS) - // stack: gas_price, kexit_info - SWAP1 - EXIT_KERNEL - -// Checks how much gas is remaining in this context, given the current kexit_info. -%macro leftover_gas - // stack: kexit_info - %shr_const(192) - // stack: gas_used - %mload_context_metadata(@CTX_METADATA_GAS_LIMIT) - // stack: gas_limit, gas_used - SWAP1 - // stack: gas_used, gas_limit - DUP2 DUP2 LT - // stack: gas_used < gas_limit, gas_used, gas_limit - SWAP2 - // stack: gas_limit, gas_used, gas_used < gas_limit - SUB - // stack: gas_limit - gas_used, gas_used < gas_limit - MUL - // stack: leftover_gas = (gas_limit - gas_used) * (gas_used < gas_limit) -%endmacro - -// Given the current kexit_info, drains all but one 64th of its remaining gas. -// Returns how much gas was drained. -%macro drain_all_but_one_64th_gas - // stack: kexit_info - DUP1 %leftover_gas - // stack: leftover_gas, kexit_info - %all_but_one_64th - // stack: all_but_one_64th, kexit_info - %stack (all_but_one_64th, kexit_info) -> (all_but_one_64th, kexit_info, all_but_one_64th) - %charge_gas - // stack: kexit_info, drained_gas -%endmacro - -// This is L(n), the "all but one 64th" function in the yellowpaper, i.e. -// L(n) = n - floor(n / 64) -%macro all_but_one_64th - // stack: n - DUP1 %shr_const(6) - // stack: floor(n / 64), n - SWAP1 SUB - // stack: n - floor(n / 64) -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/intrinsic_gas.asm b/evm/src/cpu/kernel/asm/core/intrinsic_gas.asm deleted file mode 100644 index bb7a21b5d4..0000000000 --- a/evm/src/cpu/kernel/asm/core/intrinsic_gas.asm +++ /dev/null @@ -1,84 +0,0 @@ -global intrinsic_gas: - // stack: retdest - // Calculate the number of zero and nonzero bytes in the txn data. - PUSH 0 // zeros = 0 - PUSH 0 // i = 0 - -count_zeros_loop: - // stack: i, zeros, retdest - DUP1 - %mload_txn_field(@TXN_FIELD_DATA_LEN) - EQ - // stack: i == data.len, i, zeros, retdest - %jumpi(count_zeros_finish) - - // stack: i, zeros, retdest - DUP1 - %mload_kernel(@SEGMENT_TXN_DATA) - ISZERO - // stack: data[i] == 0, i, zeros - %stack (data_i_is_zero, i, zeros) -> (data_i_is_zero, zeros, i) - ADD - // stack: zeros', i, retdest - SWAP1 - // stack: i, zeros', retdest - %increment - // stack: i', zeros', retdest - %jump(count_zeros_loop) - -count_zeros_finish: - // stack: i, zeros, retdest - POP - // stack: zeros, retdest - DUP1 - // stack: zeros, zeros, retdest - %mload_txn_field(@TXN_FIELD_DATA_LEN) - // stack: data.len, zeros, zeros, retdest - SUB - // stack: nonzeros, zeros, retdest - %mul_const(@GAS_TXDATANONZERO) - // stack: gas_nonzeros, zeros, retdest - SWAP1 - %mul_const(@GAS_TXDATAZERO) - // stack: gas_zeros, gas_nonzeros, retdest - ADD - // stack: gas_txndata, retdest - - %is_contract_creation - DUP1 - %mul_const(@GAS_TXCREATE) - // stack: gas_creation, is_creation, gas_txndata, retdest - SWAP1 - // stack: is_creation, gas_creation, gas_txndata, retdest - DUP1 - // stack: is_creation, is_creation, gas_creation, gas_txndata, retdest - %mload_txn_field(@TXN_FIELD_DATA_LEN) %gt_const(@MAX_INITCODE_SIZE) - // stack: initcode_size > max, is_creation, is_creation, gas_creation, gas_txndata, retdest - MUL // Cheaper than AND - %assert_zero - // stack: is_creation, gas_creation, gas_txndata, retdest - %mload_txn_field(@TXN_FIELD_DATA_LEN) %num_bytes_to_num_words - // stack: initcode_words, is_creation, gas_creation, gas_txndata, retdest - %mul_const(@INITCODE_WORD_COST) MUL ADD - // stack: gas_creation, gas_txndata, retdest - - PUSH @GAS_TRANSACTION - // stack: gas_txn, gas_creation, gas_txndata, retdest - - ADD - ADD - // stack: total_gas, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_DATA_COST) - ADD - - SWAP1 - JUMP - -// Convenience macro to call intrinsic_gas and return where we left off. -%macro intrinsic_gas - // stack: (empty) - PUSH %%after - %jump(intrinsic_gas) -%%after: - // stack: (empty) -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/jumpdest_analysis.asm b/evm/src/cpu/kernel/asm/core/jumpdest_analysis.asm deleted file mode 100644 index 934d1f6297..0000000000 --- a/evm/src/cpu/kernel/asm/core/jumpdest_analysis.asm +++ /dev/null @@ -1,344 +0,0 @@ -// Set @SEGMENT_JUMPDEST_BITS to one between positions [init_pos, final_pos], -// for the given context's code. -// Pre stack: init_pos, ctx, final_pos, retdest -// Post stack: (empty) -global verify_path_and_write_jumpdest_table: - SWAP2 - DUP2 - ADD // final_addr - // stack: final_addr, ctx, i, retdest - SWAP2 - ADD // init_addr -loop: - // stack: i, final_pos, retdest - DUP2 DUP2 EQ // i == final_pos - %jumpi(proof_ok) - DUP2 DUP2 GT // i > final_pos - %jumpi(proof_not_ok) - - // stack: i, final_pos, retdest - DUP1 - MLOAD_GENERAL // SEGMENT_CODE == 0 - // stack: opcode, i, final_pos, retdest - - DUP1 - // Slightly more efficient than `%eq_const(0x5b) ISZERO` - PUSH 0x5b - SUB - // stack: opcode != JUMPDEST, opcode, i, final_pos, retdest - %jumpi(continue) - - // stack: JUMPDEST, i, code_len, retdest - %stack (JUMPDEST, i) -> (@SEGMENT_JUMPDEST_BITS, i, JUMPDEST, i) - ADD // address to write jumpdest bit, i already contains the context - PUSH 1 - // stack: 1, addr, JUMPDEST, i - MSTORE_GENERAL - -continue: - // stack: opcode, i, final_pos, retdest - %add_const(code_bytes_to_skip) - %mload_kernel_code - // stack: bytes_to_skip, i, final_pos, retdest - ADD - // stack: i, final_pos, retdest - %jump(loop) - -proof_ok: - // stack: i, final_pos, retdest - // We already know final_pos is a jumpdest - %stack (i, final_pos) -> (@SEGMENT_JUMPDEST_BITS, final_pos) - ADD // final_pos already contains the context - PUSH 1 - MSTORE_GENERAL - JUMP -proof_not_ok: - %pop2 - JUMP - -// Determines how many bytes away is the next opcode, based on the opcode we read. -// If we read a PUSH opcode, next opcode is in n + 1 bytes, otherwise it's the next one. -// -// Note that the range of PUSH opcodes is [0x60, 0x80). I.e. PUSH1 is 0x60 -// and PUSH32 is 0x7f. -code_bytes_to_skip: - %rep 96 - BYTES 1 // 0x00-0x5f - %endrep - - BYTES 2 - BYTES 3 - BYTES 4 - BYTES 5 - BYTES 6 - BYTES 7 - BYTES 8 - BYTES 9 - BYTES 10 - BYTES 11 - BYTES 12 - BYTES 13 - BYTES 14 - BYTES 15 - BYTES 16 - BYTES 17 - BYTES 18 - BYTES 19 - BYTES 20 - BYTES 21 - BYTES 22 - BYTES 23 - BYTES 24 - BYTES 25 - BYTES 26 - BYTES 27 - BYTES 28 - BYTES 29 - BYTES 30 - BYTES 31 - BYTES 32 - BYTES 33 - - %rep 128 - BYTES 1 // 0x80-0xff - %endrep - - -// A proof attesting that jumpdest is a valid jump destination is -// either 0 or an index 0 < i <= jumpdest - 32. -// A proof is valid if: -// - i == 0 and we can go from the first opcode to jumpdest and code[jumpdest] = 0x5b -// - i > 0 and: -// a) for j in {i+0,..., i+31} code[j] != PUSHk for all k >= 32 - j - i, -// b) we can go from opcode i+32 to jumpdest, -// c) code[jumpdest] = 0x5b. -// To reduce the number of instructions, when i > 32 we load all the bytes code[j], ..., -// code[j + 31] in a single 32-byte word, and check a) directly on the packed bytes. -// We perform the "packed verification" computing a boolean formula evaluated on the bits of -// code[j],..., code[j+31] of the form p_1 AND p_2 AND p_3 AND p_4 AND p_5, where: -// - p_k is either TRUE, for one subset of the j's which depends on k (for example, -// for k = 1, it is TRUE for the first 15 positions), or has_prefix_k => bit_{k + 1}_is_0 -// for the j's not in the subset. -// - has_prefix_k is a predicate that is TRUE if and only if code[j] has the same prefix of size k + 2 -// as PUSH{32-(j-i)}. -// stack: proof_prefix_addr, jumpdest, ctx, retdest -// stack: (empty) -global write_table_if_jumpdest: - // stack: proof_prefix_addr, jumpdest, ctx, retdest - %stack - (proof_prefix_addr, jumpdest, ctx) -> - (ctx, jumpdest, jumpdest, ctx, proof_prefix_addr) - ADD // combine context and offset to make an address (SEGMENT_CODE == 0) - MLOAD_GENERAL - // stack: opcode, jumpdest, ctx, proof_prefix_addr, retdest - - %jump_neq_const(0x5b, return) - - //stack: jumpdest, ctx, proof_prefix_addr, retdest - SWAP2 DUP1 - // stack: proof_prefix_addr, proof_prefix_addr, ctx, jumpdest - ISZERO - %jumpi(verify_path_and_write_jumpdest_table) - - - // stack: proof_prefix_addr, ctx, jumpdest, retdest - // If we are here we need to check that the next 32 bytes are less - // than JUMPXX for XX < 32 - i <=> opcode < 0x7f - i = 127 - i, 0 <= i < 32, - // or larger than 127 - - %stack - (proof_prefix_addr, ctx) -> - (ctx, proof_prefix_addr, 32, proof_prefix_addr, ctx) - ADD // combine context and offset to make an address (SEGMENT_CODE == 0) - MLOAD_32BYTES - // packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP1 %shl_const(1) - DUP2 %shl_const(2) - AND - // stack: (is_1_at_pos_2_and_3|(X)⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - // X denotes any value in {0,1} and Z^i is Z repeated i times - NOT - // stack: (is_0_at_2_or_3|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP2 - OR - // stack: (is_1_at_1 or is_0_at_2_or_3|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - // stack: (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Compute in_range and has_prefix' = - // - in_range = (0xFF|X⁷)³² and ~has_prefix' = ~has_prefix OR is_0_at_4, for the first 15 bytes - // - in_range = (has_prefix => is_0_at_4 |X⁷)³² and ~has_prefix' = ~has_prefix, for the next 15 bytes - // - in_range = (~has_prefix|X⁷)³² and ~has_prefix' = ~has_prefix, for the last byte. - DUP2 %shl_const(3) - NOT - // stack: (is_0_at_4|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00 - AND - // stack: (is_0_at_4|X⁷)³¹|0⁸, (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP1 - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000 - AND - // stack: (is_0_at_4|X⁷)¹⁵|(0⁸)¹⁷, (is_0_at_4|X⁷)³¹|0⁸, (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP3 - OR - // (~has_prefix'|X⁷)³², (is_0_at_4|X⁷)³¹|0⁸, (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - SWAP2 - OR - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000 - OR - // stack: (in_range|X⁷)³², (~has_prefix'|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Compute in_range' and ~has_prefix as - // - in_range' = in_range and has_prefix' = ~has_prefix OR is_0_at_5, for bytes in positions 1-7 and 16-23 - // - in_range' = in_range AND (has_prefix => is_0_at_5 |X⁷)³² and has_prefix' = ~has_prefix, for the rest. - - DUP3 %shl_const(4) - NOT - // stack: (is_0_at_5|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP1 - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF000000000000000000 - AND - // stack: (is_0_at_5|X⁷)⁷|(0⁸)⁸|(is_0_at_5|X⁷)⁸|(0⁸)⁸, (is_0_at_5|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP4 - OR - // stack: (~has_prefix'|X⁷)³², (is_0_at_5|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - SWAP3 - OR - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFFFFFFFFFF0000000000000000FFFFFFFFFFFFFFFF000000000000000000 - OR - AND - // stack: (in_range'|X⁷)³², (~has_prefix'|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Compute in_range' and ~has_prefix' as - // - in_range' = in_range and ~has_prefix' = ~has_prefix OR is_0_at_6, for bytes in positions 1-3, 8-11, 16-19, and 24-27 - // - in_range' = in_range AND (has_prefix => is_0_at_6 |X⁷)³² and ~has_prefix' = has_prefix, for the rest. - DUP3 %shl_const(5) - NOT - // stack: (is_0_at_6|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP1 - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF0000000000 - AND - // stack: (is_0_at_6|X⁷)³|(0⁸)⁴|((is_0_at_6|X⁷)⁴|(0⁸)⁴)³, (is_0_at_6|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP4 - OR - // stack: (~has_prefix'|X⁷)³², (is_0_at_6|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - SWAP3 - OR - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFFFFFF00000000FFFFFFFF00000000FFFFFFFF00000000FFFFFFFF0000000000 - OR - AND - // stack: (in_range'|X⁷)³², (~has_prefix'|X⁷)³², (in_range|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Compute in_range' and ~has_prefix' as - // - in_range' = in_range and ~has_prefix' = has_prefix OR is_0_at_7, for bytes in 1, 4-5, 8-9, 12-13, 16-17, 20-21, 24-25, 28-29 - // - in_range' = in_range AND (has_prefix => is_0_at_7 |X⁷)³² and ~has_prefix' = ~has_prefix, for the rest. - DUP3 %shl_const(6) - NOT - // stack: (is_0_at_7|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP1 - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF000000 - AND - // stack: is_0_at_7|X⁷|(0⁸)²|((is_0_at_7|X⁷)²|(0⁸)²)⁷, (is_0_at_7|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP4 - OR - // (~has_prefix'|X⁷)³², (is_0_at_7|X⁷)³², (in_range|X⁷)³², (~has_prefix|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - SWAP3 - OR - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0xFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000FFFF000000 - OR - AND - // stack: (in_range'|X⁷)³², (~has_prefix'|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Compute in_range' as - // - in_range' = in_range, for odd positions - // - in_range' = in_range AND (has_prefix => is_0_at_8 |X⁷)³², for the rest - - SWAP1 - // stack: (~has_prefix|X⁷)³², (in_range|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - DUP3 %shl_const(7) - NOT - // stack: (is_0_at_8|X⁷)³², (~has_prefix|X⁷)³², (in_range|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - OR - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0x00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF00FF - OR - AND - // stack: (in_range|X⁷)³², packed_opcodes, proof_prefix_addr, ctx, jumpdest, retdest - - // Get rid of the irrelevant bits - // pos 0102030405060708091011121314151617181920212223242526272829303132 - PUSH 0x8080808080808080808080808080808080808080808080808080808080808080 - AND - %jump_neq_const(0x8080808080808080808080808080808080808080808080808080808080808080, return_pop_opcode) - POP - %add_const(32) - - // check the remaining path - %jump(verify_path_and_write_jumpdest_table) -return_pop_opcode: - POP -return: - // stack: proof_prefix_addr, ctx, jumpdest, retdest - // or - // stack: jumpdest, ctx, proof_prefix_addr, retdest - %pop3 - JUMP - -%macro write_table_if_jumpdest - %stack (proof_prefix_addr, jumpdest, ctx) -> (proof_prefix_addr, jumpdest, ctx, %%after) - %jump(write_table_if_jumpdest) -%%after: -%endmacro - -// Write the jumpdest table. This is done by -// non-deterministically guessing the sequence of jumpdest -// addresses used during program execution within the current context. -// For each jumpdest address we also non-deterministically guess -// a proof, which is another address in the code such that -// is_jumpdest doesn't abort, when the proof is at the top of the stack -// an the jumpdest address below. If that's the case we set the -// corresponding bit in @SEGMENT_JUMPDEST_BITS to 1. -// -// stack: ctx, code_len, retdest -// stack: (empty) -global jumpdest_analysis: - // If address > 0 then address is interpreted as address' + 1 - // and the next prover input should contain a proof for address'. - PROVER_INPUT(jumpdest_table::next_address) - DUP1 %jumpi(check_proof) - // If address == 0 there are no more jump destinations to check - POP -// This is just a hook used for avoiding verification of the jumpdest -// table in another context. It is useful during proof generation, -// allowing the avoidance of table verification when simulating user code. -global jumpdest_analysis_end: - %pop2 - JUMP -check_proof: - // stack: address, ctx, code_len, retdest - DUP3 DUP2 %assert_le - %decrement - // stack: proof, ctx, code_len, retdest - DUP2 SWAP1 - // stack: address, ctx, ctx, code_len, retdest - // We read the proof - PROVER_INPUT(jumpdest_table::next_proof) - // stack: proof, address, ctx, ctx, code_len, retdest - %write_table_if_jumpdest - // stack: ctx, code_len, retdest - - %jump(jumpdest_analysis) - -%macro jumpdest_analysis - %stack (ctx, code_len) -> (ctx, code_len, %%after) - %jump(jumpdest_analysis) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/log.asm b/evm/src/cpu/kernel/asm/core/log.asm deleted file mode 100644 index f23d5e174c..0000000000 --- a/evm/src/cpu/kernel/asm/core/log.asm +++ /dev/null @@ -1,272 +0,0 @@ -global sys_log0: - %check_static - // stack: kexit_info, offset, size - DUP3 ISZERO %jumpi(log0_after_mem_gas) - DUP3 DUP3 - %add_or_fault - // stack: offset+size, kexit_info, offset, size - DUP1 %ensure_reasonable_offset - %update_mem_bytes -log0_after_mem_gas: - // stack: kexit_info, offset, size - DUP3 %mul_const(@GAS_LOGDATA) %add_const(@GAS_LOG) - // stack: gas, kexit_info, offset, size - %charge_gas - %address - PUSH 0 - %stack (zero, address, kexit_info, offset, size) -> (address, zero, size, offset, finish_sys_log, kexit_info) - %jump(log_n_entry) - -global sys_log1: - %check_static - // stack: kexit_info, offset, size, topic - DUP3 ISZERO %jumpi(log1_after_mem_gas) - DUP3 DUP3 - %add_or_fault - // stack: offset+size, kexit_info, offset, size, topic - DUP1 %ensure_reasonable_offset - %update_mem_bytes -log1_after_mem_gas: - // stack: kexit_info, offset, size, topic - DUP3 %mul_const(@GAS_LOGDATA) %add_const(@GAS_LOG) %add_const(@GAS_LOGTOPIC) - // stack: gas, kexit_info, offset, size, topic - %charge_gas - %address - PUSH 1 - %stack (one, address, kexit_info, offset, size, topic) -> (address, one, topic, size, offset, finish_sys_log, kexit_info) - %jump(log_n_entry) - -global sys_log2: - %check_static - // stack: kexit_info, offset, size, topic1, topic2 - DUP3 ISZERO %jumpi(log2_after_mem_gas) - DUP3 DUP3 - %add_or_fault - // stack: offset+size, kexit_info, offset, size, topic1, topic2 - DUP1 %ensure_reasonable_offset - %update_mem_bytes -log2_after_mem_gas: - // stack: kexit_info, offset, size, topic1, topic2 - DUP3 %mul_const(@GAS_LOGDATA) %add_const(@GAS_LOG) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) - // stack: gas, kexit_info, offset, size, topic1, topic2 - %charge_gas - %address - PUSH 2 - %stack (two, address, kexit_info, offset, size, topic1, topic2) -> (address, two, topic1, topic2, size, offset, finish_sys_log, kexit_info) - %jump(log_n_entry) - -global sys_log3: - %check_static - // stack: kexit_info, offset, size, topic1, topic2, topic3 - DUP3 ISZERO %jumpi(log3_after_mem_gas) - DUP3 DUP3 - %add_or_fault - // stack: offset+size, kexit_info, offset, size, topic1, topic2, topic3 - DUP1 %ensure_reasonable_offset - %update_mem_bytes -log3_after_mem_gas: - // stack: kexit_info, offset, size, topic1, topic2, topic3 - DUP3 %mul_const(@GAS_LOGDATA) %add_const(@GAS_LOG) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) - // stack: gas, kexit_info, offset, size, topic1, topic2, topic3 - %charge_gas - %address - PUSH 3 - %stack (three, address, kexit_info, offset, size, topic1, topic2, topic3) -> (address, three, topic1, topic2, topic3, size, offset, finish_sys_log, kexit_info) - %jump(log_n_entry) - -global sys_log4: - %check_static - // stack: kexit_info, offset, size, topic1, topic2, topic3, topic4 - DUP3 ISZERO %jumpi(log4_after_mem_gas) - DUP3 DUP3 - %add_or_fault - // stack: offset+size, kexit_info, offset, size, topic1, topic2, topic3, topic4 - DUP1 %ensure_reasonable_offset - %update_mem_bytes -log4_after_mem_gas: - // stack: kexit_info, offset, size, topic1, topic2, topic3, topic4 - DUP3 %mul_const(@GAS_LOGDATA) %add_const(@GAS_LOG) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) %add_const(@GAS_LOGTOPIC) - // stack: gas, kexit_info, offset, size, topic1, topic2, topic3, topic4 - %charge_gas - %address - PUSH 4 - %stack (four, address, kexit_info, offset, size, topic1, topic2, topic3, topic4) -> (address, four, topic1, topic2, topic3, topic4, size, offset, finish_sys_log, kexit_info) - %jump(log_n_entry) - -finish_sys_log: - // stack: kexit_info - EXIT_KERNEL - -global log_n_entry: - // stack: address, num_topics, topics, data_len, data_offset, retdest - %mload_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - %mload_global_metadata(@GLOBAL_METADATA_LOGS_DATA_LEN) - // stack: log_ptr, logs_len, address, num_topics, topics, data_len, data_offset, retdest - DUP1 DUP3 - // stack: log_ptr, logs_len, log_ptr, logs_len, address, num_topics, topics, data_len, data_offset, retdest - %mstore_kernel(@SEGMENT_LOGS) - // stack: log_ptr, logs_len, address, num_topics, topics, data_len, data_offset, retdest - SWAP1 %increment - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - // stack: log_ptr, address, num_topics, topics, data_len, data_offset, retdest - %increment - // stack: addr_ptr, address, num_topics, topics, data_len, data_offset, retdest - // Store the address. - DUP2 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - // stack: num_topics_ptr, address, num_topics, topics, data_len, data_offset, retdest - SWAP1 POP - // stack: num_topics_ptr, num_topics, topics, data_len, data_offset, retdest - // Store num_topics. - DUP2 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - // stack: topics_ptr, num_topics, topics, data_len, data_offset, retdest - DUP2 - // stack: num_topics, topics_ptr, num_topics, topics, data_len, data_offset, retdest - ISZERO - %jumpi(log_after_topics) - // stack: topics_ptr, num_topics, topics, data_len, data_offset, retdest - // Store the first topic. - DUP3 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - %stack (curr_topic_ptr, num_topics, topic1) -> (curr_topic_ptr, num_topics) - DUP2 %eq_const(1) - %jumpi(log_after_topics) - // stack: curr_topic_ptr, num_topics, remaining_topics, data_len, data_offset, retdest - // Store the second topic. - DUP3 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - %stack (curr_topic_ptr, num_topics, topic2) -> (curr_topic_ptr, num_topics) - DUP2 %eq_const(2) - %jumpi(log_after_topics) - // stack: curr_topic_ptr, num_topics, remaining_topics, data_len, data_offset, retdest - // Store the third topic. - DUP3 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - %stack (curr_topic_ptr, num_topics, topic3) -> (curr_topic_ptr, num_topics) - DUP2 %eq_const(3) - %jumpi(log_after_topics) - // stack: curr_topic_ptr, num_topics, remaining_topic, data_len, data_offset, retdest - // Store the fourth topic. - DUP3 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - %stack (data_len_ptr, num_topics, topic4) -> (data_len_ptr, num_topics) - DUP2 %eq_const(4) - %jumpi(log_after_topics) - // Invalid num_topics. - PANIC - -log_after_topics: - // stack: data_len_ptr, num_topics, data_len, data_offset, retdest - // Compute RLP length of the log. - DUP3 - // stack: data_len, data_len_ptr, num_topics, data_len, data_offset, retdest - DUP5 SWAP1 - %rlp_data_len - // stack: rlp_data_len, data_len_ptr, num_topics, data_len, data_offset, retdest - DUP3 - // stack: num_topics, rlp_data_len, data_len_ptr, num_topics, data_len, data_offset, retdest - // Each topic is encoded with 1+32 bytes. - %mul_const(33) - %rlp_list_len - // stack: rlp_topics_len, rlp_data_len, data_len_ptr, num_topics, data_len, data_offset, retdest - ADD - // The address is encoded with 1+20 bytes. - %add_const(21) - // stack: log_payload_len, data_len_ptr, num_topics, data_len, data_offset, retdest - %mload_global_metadata(@GLOBAL_METADATA_LOGS_DATA_LEN) - DUP2 SWAP1 - // stack: log_ptr, log_payload_len, log_payload_len, data_len_ptr, num_topics, data_len, data_offset, retdest - %mstore_kernel(@SEGMENT_LOGS_DATA) - // stack: log_payload_len, data_len_ptr, num_topics, data_len, data_offset, retdest - %rlp_list_len - // stack: rlp_log_len, data_len_ptr, num_topics, data_len, data_offset, retdest - %mload_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - // Add payload length and logs_data_len to journal. - DUP1 %mload_global_metadata(@GLOBAL_METADATA_LOGS_DATA_LEN) %journal_add_log - ADD - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - // stack: data_len_ptr, num_topics, data_len, data_offset, retdest - // Store data_len. - DUP3 DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - %increment - // stack: data_ptr, num_topics, data_len, data_offset, retdest - SWAP1 POP - // stack: data_ptr, data_len, data_offset, retdest - DUP1 SWAP2 - // stack: data_len, data_ptr, data_ptr, data_offset, retdest - ADD - // stack: next_log_ptr, data_ptr, data_offset, retdest - SWAP1 - // stack: data_ptr, next_log_ptr, data_offset, retdest - SWAP2 - PUSH @SEGMENT_MAIN_MEMORY GET_CONTEXT %build_address - SWAP2 - // stack: data_ptr, next_log_ptr, data_addr, retdest - - -store_log_data_loop: - // stack: cur_data_ptr, next_log_ptr, cur_data_addr, retdest - DUP2 DUP2 EQ - // stack: cur_data_ptr == next_log_ptr, cur_data_ptr, next_log_ptr, cur_data_addr, retdest - %jumpi(store_log_data_loop_end) - // stack: cur_data_ptr, next_log_ptr, cur_data_addr, retdest - DUP3 - MLOAD_GENERAL - // stack: cur_data, cur_data_ptr, next_log_ptr, cur_data_addr, retdest - // Store current data byte. - DUP2 - %mstore_kernel(@SEGMENT_LOGS_DATA) - // stack: cur_data_ptr, next_log_ptr, cur_data_addr, retdest - SWAP2 %increment SWAP2 - // stack: cur_data_ptr, next_log_ptr, next_data_addr, retdest - %increment - %jump(store_log_data_loop) - -store_log_data_loop_end: - // stack: cur_data_ptr, next_log_ptr, cur_data_offset, retdest - POP - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_DATA_LEN) - POP - JUMP - -rlp_data_len: - // stack: data_len, data_ptr, retdest - DUP1 ISZERO %jumpi(data_single_byte) // data will be encoded with a single byte - DUP1 PUSH 1 EQ %jumpi(one_byte_data) // data is encoded with either 1 or 2 bytes - // If we are here, data_len >= 2, and we can use rlp_list_len to determine the encoding length - %rlp_list_len - // stack: rlp_data_len, data_ptr, retdest - SWAP1 POP SWAP1 - JUMP - -data_single_byte: - // stack: data_len, data_ptr, retdest - %pop2 - PUSH 1 - SWAP1 - JUMP - -one_byte_data: - // stack: data_len, data_ptr, retdest - DUP2 - %mload_current(@SEGMENT_MAIN_MEMORY) - // stack: data_byte, data_len, data_ptr, retdest - %lt_const(0x80) %jumpi(data_single_byte) // special byte that only requires one byte to be encoded - %pop2 - PUSH 2 SWAP1 - JUMP - -%macro rlp_data_len - // stack: data_len, data_ptr - %stack (data_len, data_ptr) -> (data_len, data_ptr, %%after) - %jump(rlp_data_len) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/nonce.asm b/evm/src/cpu/kernel/asm/core/nonce.asm deleted file mode 100644 index 48486be9e2..0000000000 --- a/evm/src/cpu/kernel/asm/core/nonce.asm +++ /dev/null @@ -1,49 +0,0 @@ -// Get the nonce of the given account. -// Pre stack: address, retdest -// Post stack: (empty) -global nonce: - // stack: address, retdest - %mpt_read_state_trie - // stack: account_ptr, retdest - // The nonce is the first account field, so we deref the account pointer itself. - // Note: We don't need to handle account_ptr=0, as trie_data[0] = 0, - // so the deref will give 0 (the default nonce) as desired. - %mload_trie_data - // stack: nonce, retdest - SWAP1 JUMP - -// Convenience macro to call nonce and return where we left off. -%macro nonce - %stack (address) -> (address, %%after) - %jump(nonce) -%%after: -%endmacro - -// Increment the given account's nonce. Assumes the account already exists; panics otherwise. -global increment_nonce: - // stack: address, retdest - DUP1 - %mpt_read_state_trie - // stack: account_ptr, address, retdest - DUP1 ISZERO %jumpi(increment_nonce_no_such_account) - // stack: nonce_ptr, address, retdest - DUP1 %mload_trie_data - // stack: nonce, nonce_ptr, address, retdest - DUP1 DUP4 %journal_add_nonce_change - // stack: nonce, nonce_ptr, address, retdest - %increment - SWAP1 - // stack: nonce_ptr, nonce', address, retdest - %mstore_trie_data - // stack: address, retdest - POP - JUMP -global increment_nonce_no_such_account: - PANIC - -// Convenience macro to call increment_nonce and return where we left off. -%macro increment_nonce - %stack (address) -> (address, %%after) - %jump(increment_nonce) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/precompiles/blake2_f.asm b/evm/src/cpu/kernel/asm/core/precompiles/blake2_f.asm deleted file mode 100644 index 91d4b3960f..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/blake2_f.asm +++ /dev/null @@ -1,139 +0,0 @@ -global precompile_blake2_f: - // stack: retdest, new_ctx, (old stack) - POP - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - PUSH blake2_f_contd - // stack: blake2_f_contd, kexit_info - - // Load inputs from calldata memory into stack. - - %calldatasize - // stack: calldatasize, blake2_f_contd, kexit_info - DUP1 - // stack: calldatasize, calldatasize, blake2_f_contd, kexit_info - %eq_const(213) ISZERO %jumpi(fault_exception) - // stack: calldatasize, blake2_f_contd, kexit_info - %decrement - // stack: flag_addr=212, blake2_f_contd, kexit_info - DUP1 - // stack: flag_addr, flag_addr, blake2_f_contd, kexit_info - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - %build_address - // stack: addr, flag_addr, blake2_f_contd, kexit_info - MLOAD_GENERAL - // stack: flag, flag_addr, blake2_f_contd, kexit_info - DUP1 - // stack: flag, flag, flag_addr, blake2_f_contd, kexit_info - %gt_const(1) %jumpi(fault_exception) // Check flag < 2 (flag = 0 or flag = 1) - // stack: flag, flag_addr, blake2_f_contd, kexit_info - SWAP1 - // stack: flag_addr, flag, blake2_f_contd, kexit_info - %sub_const(8) - // stack: t1_addr=flag_addr-8, flag, blake2_f_contd, kexit_info - - %stack (t1_addr) -> (@SEGMENT_CALLDATA, t1_addr, t1_addr) - // stack: @SEGMENT_CALLDATA, t1_addr, t1_addr, flag, blake2_f_contd, kexit_info - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, t1_addr, t1_addr, flag, blake2_f_contd, kexit_info - %build_address - %mload_packing_u64_LE - // stack: t_1, t1_addr, flag, blake2_f_contd, kexit_info - SWAP1 - // stack: t1_addr, t_1, flag, blake2_f_contd, kexit_info - %sub_const(8) - // stack: t0_addr=t1_addr-8, t_1, flag, blake2_f_contd, kexit_info - - %stack (t0_addr) -> (@SEGMENT_CALLDATA, t0_addr, t0_addr) - // stack: @SEGMENT_CALLDATA, t0_addr, t0_addr, t_1, flag, blake2_f_contd, kexit_info - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, t0_addr, t0_addr, t_1, flag, blake2_f_contd, kexit_info - %build_address - %mload_packing_u64_LE - // stack: t_0, t0_addr, t_1, flag, blake2_f_contd, kexit_info - SWAP1 - // stack: t0_addr = m0_addr + 8 * 16, t_0, t_1, flag, blake2_f_contd, kexit_info - - %rep 16 - // stack: m0_addr + 8 * (16 - i), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %sub_const(8) - // stack: m0_addr + 8 * (16 - i - 1), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - DUP1 - // stack: m0_addr + 8 * (16 - i - 1), m0_addr + 8 * (16 - i - 1), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - PUSH @SEGMENT_CALLDATA - // stack: @SEGMENT_CALLDATA, m0_addr + 8 * (16 - i - 1), m0_addr + 8 * (16 - i - 1), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, m0_addr + 8 * (16 - i - 1), m0_addr + 8 * (16 - i - 1), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %build_address - %mload_packing_u64_LE - // stack: m_i, m0_addr + 8 * (16 - i - 1), m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - SWAP1 - // stack: m0_addr + 8 * (16 - i - 1), m_i, m_(i+1), ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %endrep - // stack: m0_addr = h0_addr + 8 * 8, m_0, ..., m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - - %rep 8 - // stack: h0_addr + 8 * (8 - i), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %sub_const(8) - // stack: h0_addr + 8 * (8 - i - 1), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - DUP1 - // stack: h0_addr + 8 * (8 - i), h0_addr + 8 * (8 - i), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - PUSH @SEGMENT_CALLDATA - // stack: @SEGMENT_CALLDATA, h0_addr + 8 * (8 - i), h0_addr + 8 * (8 - i), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, h0_addr + 8 * (8 - i), h0_addr + 8 * (8 - i), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %build_address - %mload_packing_u64_LE - // stack: h_i, h0_addr + 8 * (8 - i), h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - SWAP1 - // stack: h0_addr + 8 * (8 - i), h_i, h_(i+1), ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %endrep - // stack: h0_addr + 8 * 8 = 68, h_0, ..., h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - POP - - %stack () -> (@SEGMENT_CALLDATA, 4) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 4, h_0..h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %build_address_no_offset - MLOAD_32BYTES - // stack: rounds, h_0..h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - - DUP1 - // stack: rounds, rounds, h_0..h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %charge_gas - - // stack: rounds, h_0..h_7, m_0..m_15, t_0, t_1, flag, blake2_f_contd, kexit_info - %jump(blake2_f) -blake2_f_contd: - // stack: h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', kexit_info - // Store the result hash to the parent's return data using `mstore_unpacking_u64_LE`. - - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 64) - // stack: h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', kexit_info - PUSH @SEGMENT_RETURNDATA - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - // stack: parent_ctx, segment, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', kexit_info - %build_address_no_offset - // stack: addr0=0, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', kexit_info - - %rep 8 - // stack: addri, h_i', ..., h_7', kexit_info - %stack (addr, h_i) -> (addr, h_i, addr) - %mstore_unpacking_u64_LE - // stack: addr_i, h_(i+1)', ..., h_7', kexit_info - %add_const(8) - // stack: addr_(i+1), h_(i+1)', ..., h_7', kexit_info - %endrep - - // stack: kexit_info - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/bn_add.asm b/evm/src/cpu/kernel/asm/core/precompiles/bn_add.asm deleted file mode 100644 index 9554044eff..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/bn_add.asm +++ /dev/null @@ -1,63 +0,0 @@ -global precompile_bn_add: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %charge_gas_const(@BN_ADD_GAS) - - // Load x0, y0, x1, y1 from the call data using `MLOAD_32BYTES`. - PUSH bn_add_return - // stack: bn_add_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 96, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 96, 32, bn_add_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: y1, bn_add_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 64, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 64, 32, y1, bn_add_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: x1, y1, bn_add_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, 32, x1, y1, bn_add_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: y0, x1, y1, bn_add_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, y0, x1, y1, bn_add_return, kexit_info - %build_address_no_offset - MLOAD_32BYTES - // stack: x0, y0, x1, y1, bn_add_return, kexit_info - %jump(bn_add) -bn_add_return: - // stack: x, y, kexit_info - DUP2 %eq_const(@U256_MAX) // bn_add returns (U256_MAX, U256_MAX) on bad input. - DUP2 %eq_const(@U256_MAX) // bn_add returns (U256_MAX, U256_MAX) on bad input. - MUL // Cheaper than AND - %jumpi(fault_exception) - // stack: x, y, kexit_info - - // Store the result (x, y) to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 64) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, x, y) -> (parent_ctx, @SEGMENT_RETURNDATA, x, parent_ctx, y) - %build_address_no_offset - MSTORE_32BYTES_32 - POP - %stack (parent_ctx, y) -> (parent_ctx, @SEGMENT_RETURNDATA, 32, y) - %build_address - MSTORE_32BYTES_32 - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/bn_mul.asm b/evm/src/cpu/kernel/asm/core/precompiles/bn_mul.asm deleted file mode 100644 index 5872e17f26..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/bn_mul.asm +++ /dev/null @@ -1,58 +0,0 @@ -global precompile_bn_mul: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %charge_gas_const(@BN_MUL_GAS) - - // Load x, y, n from the call data using `MLOAD_32BYTES`. - PUSH bn_mul_return - // stack: bn_mul_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 64, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 64, 32, bn_mul_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: n, bn_mul_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, 32, n, bn_mul_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: y, n, bn_mul_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, y, n, bn_mul_return, kexit_info - %build_address_no_offset - MLOAD_32BYTES - // stack: x, y, n, bn_mul_return, kexit_info - %jump(bn_mul) -bn_mul_return: - // stack: Px, Py, kexit_info - DUP2 %eq_const(@U256_MAX) // bn_mul returns (U256_MAX, U256_MAX) on bad input. - DUP2 %eq_const(@U256_MAX) // bn_mul returns (U256_MAX, U256_MAX) on bad input. - MUL // Cheaper than AND - %jumpi(fault_exception) - // stack: Px, Py, kexit_info - - // Store the result (Px, Py) to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 64) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, Px, Py) -> (parent_ctx, @SEGMENT_RETURNDATA, Px, parent_ctx, Py) - %build_address_no_offset - MSTORE_32BYTES_32 -bn_mul_contd6: - POP - %stack (parent_ctx, Py) -> (parent_ctx, @SEGMENT_RETURNDATA, 32, Py) - %build_address - MSTORE_32BYTES_32 - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/ecrec.asm b/evm/src/cpu/kernel/asm/core/precompiles/ecrec.asm deleted file mode 100644 index 6c141aabc5..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/ecrec.asm +++ /dev/null @@ -1,60 +0,0 @@ -global precompile_ecrec: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %charge_gas_const(@ECREC_GAS) - - // Load hash, v, r, s from the call data using `MLOAD_32BYTES`. - PUSH ecrec_return - // stack: ecrec_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 96, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 96, 32, ecrec_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: s, ecrec_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 64, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 64, 32, s, ecrec_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: r, s, ecrec_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, 32, r, s, ecrec_return, kexit_info - %build_address - MLOAD_32BYTES - // stack: v, r, s, ecrec_return, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 32) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, v, r, s, ecrec_return, kexit_info - %build_address_no_offset - MLOAD_32BYTES - // stack: hash, v, r, s, ecrec_return, kexit_info - %jump(ecrecover) -ecrec_return: - // stack: address, kexit_info - DUP1 %eq_const(@U256_MAX) %jumpi(ecrec_bad_input) // ecrecover returns U256_MAX on bad input. - - // Store the result address to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 32) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, address) -> (parent_ctx, @SEGMENT_RETURNDATA, address) - %build_address_no_offset - MSTORE_32BYTES_32 - %jump(pop_and_return_success) - -// On bad input, return empty return data but still return success. -ecrec_bad_input: - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/expmod.asm b/evm/src/cpu/kernel/asm/core/precompiles/expmod.asm deleted file mode 100644 index 6bff54ea4e..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/expmod.asm +++ /dev/null @@ -1,470 +0,0 @@ -// Mod 16 to the range [1, 16]. -%macro mod_16 - // stack: x - %mod_const(16) - DUP1 %jumpi(%%after) - POP PUSH 16 -%%after: -%endmacro - -// Load bytes, packing 16 bytes into each limb, and store limbs on the stack. -// We pass around total_num_limbs and len for conveience, because we can't access them from the stack -// if they're hidden behind the variable number of limbs. -mload_bytes_as_limbs: - // stack: addr, num_bytes, retdest, total_num_limbs, len, ..limbs - DUP2 - // stack: num_bytes, addr, num_bytes, retdest, total_num_limbs, len, ..limbs - %mod_16 - // stack: min(16, num_bytes), addr, num_bytes, retdest, total_num_limbs, len, ..limbs - DUP2 - // stack: addr, min(16, num_bytes), addr, num_bytes, retdest, total_num_limbs, len, ..limbs - MLOAD_32BYTES - // stack: new_limb, addr, num_bytes, retdest, total_num_limbs, len, ..limbs - %stack (new, addr, numb, ret, tot, len) -> (numb, addr, ret, tot, len, new) - // stack: num_bytes, addr, retdest, total_num_limbs, len, new_limb, ..limbs - DUP1 - %mod_16 - // stack: num_bytes%16, num_bytes, addr, retdest, total_num_limbs, len, new_limb, ..limbs - DUP1 SWAP2 - SUB - // stack: num_bytes_new, num_bytes%16, addr, retdest, total_num_limbs, len, new_limb, ..limbs - DUP1 - ISZERO - %jumpi(mload_bytes_return) - SWAP1 - // stack: num_bytes%16, num_bytes_new, addr, retdest, total_num_limbs, len, new_limb, ..limbs - DUP3 // addr - ADD // increment offset - // stack: addr_new, num_bytes_new, addr, retdest, total_num_limbs, len, new_limb, ..limbs - SWAP2 POP - // stack: num_bytes_new, addr_new, retdest, total_num_limbs, len, new_limb, ..limbs - SWAP1 - %jump(mload_bytes_as_limbs) -mload_bytes_return: - // stack: num_bytes_new, num_bytes%16, addr, retdest, total_num_limbs, len, new_limb, ..limbs - %pop3 - // stack: retdest, total_num_limbs, len, ..limbs - JUMP - -%macro mload_bytes_as_limbs - %stack (addr, num_bytes, total_num_limbs) -> (addr, num_bytes, %%after, total_num_limbs) - %jump(mload_bytes_as_limbs) -%%after: -%endmacro - -store_limbs: - // stack: offset, retdest, num_limbs, limb[num_limbs - 1], ..limb[0] - DUP3 - // stack: num_limbs, offset, retdest, num_limbs, limb[num_limbs - 1], ..limb[0] - ISZERO - %jumpi(store_limbs_return) - // stack: offset, retdest, num_limbs, limb[num_limbs - 1], ..limb[0] - %stack (offset, ret, num, limb) -> (offset, limb, offset, ret, num) - // stack: offset, limb[num_limbs - 1], offset, retdest, num_limbs, limb[num_limbs - 2], ..limb[0] - %mstore_current_general - // stack: offset, retdest, num_limbs, limb[num_limbs - 2], ..limb[0] - %increment - SWAP2 - %decrement - SWAP2 - // stack: offset + 1, retdest, num_limbs - 1, limb[num_limbs - 2], ..limb[0] - %jump(store_limbs) -store_limbs_return: - // stack: offset, retdest, num_limbs=0 - POP - SWAP1 - POP - JUMP - -%macro store_limbs - %stack (offset, num_limbs) -> (offset, %%after, num_limbs) - %jump(store_limbs) -%%after: -%endmacro - -%macro expmod_gas_f - // stack: x - // Overflow check - DUP1 %ge_const(0x800000000000000000000000000000007) %jumpi(fault_exception) - // stack: x - %ceil_div_const(8) - // stack: ceil(x/8) - %square - // stack: ceil(x/8)^2 -%endmacro - -calculate_l_E_prime: - // stack: l_E, l_B, retdest - // Throw a fault early if the lengths are too large. - DUP2 %gt_const(0x100000000000000000000000000000000) %jumpi(fault_exception) - DUP1 %gt_const(0x100000000000000000000000000000000) %jumpi(fault_exception) - DUP1 ISZERO %jumpi(case_le_zero) - // stack: l_E, l_B, retdest - DUP1 %le_const(32) - // stack: l_E <= 32, l_E, l_B, retdest - %jumpi(case_le_32) - // stack: l_E, l_B, retdest - PUSH 32 - // stack: 32, l_E, l_B, retdest - DUP3 - // stack: l_B, 32, l_E, l_B, retdest - %add_const(96) - // stack: 96 + l_B, 32, l_E, l_B, retdest - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - %build_address - MLOAD_32BYTES - // stack: i[96 + l_B..128 + l_B], l_E, l_B, retdest - %log2_floor - // stack: log2(i[96 + l_B..128 + l_B]), l_E, l_B, retdest - SWAP1 - // stack: l_E, log2(i[96 + l_B..128 + l_B]), l_B, retdest - %sub_const(32) - // Overflow check - DUP1 %ge_const(0x2000000000000000000000000000000000000000000000000000000000000000) %jumpi(fault_exception) - %mul_const(8) - // stack: 8 * (l_E - 32), log2(i[96 + l_B..128 + l_B]), l_B, retdest - ADD - // stack: 8 * (l_E - 32) + log2(i[96 + l_B..128 + l_B]), l_B, retdest - SWAP1 - POP - // stack: 8 * (l_E - 32) + log2(i[96 + l_B..128 + l_B]), retdest - SWAP1 - // stack: retdest, 8 * (l_E - 32) + log2(i[96 + l_B..128 + l_B]) - JUMP -case_le_zero: - %stack (l_E, l_B, retdest) -> (retdest, 0) - JUMP -case_le_32: - // stack: l_E, l_B, retdest - SWAP1 - // stack: l_B, l_E, retdest - %add_const(96) - // stack: 96 + l_B, l_E, retdest - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - %build_address - MLOAD_32BYTES - // stack: E, retdest - %log2_floor - // stack: log2(E), retdest - SWAP1 - // stack: retdest, log2(E) - JUMP - -global precompile_expmod: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - // Load l_B from i[0..32]. - %stack () -> (@SEGMENT_CALLDATA, 32) - // stack: @SEGMENT_CALLDATA, 32, kexit_info - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 32, kexit_info - %build_address_no_offset - MLOAD_32BYTES - // stack: l_B, kexit_info - - // Load l_E from i[32..64]. - %stack () -> (@SEGMENT_CALLDATA, 32, 32) - GET_CONTEXT - %build_address - MLOAD_32BYTES - // stack: l_E, l_B, kexit_info - - // Load l_M from i[64..96]. - %stack () -> (@SEGMENT_CALLDATA, 64, 32) - GET_CONTEXT - %build_address - MLOAD_32BYTES - // stack: l_M, l_E, l_B, kexit_info - DUP3 ISZERO DUP2 ISZERO - MUL // AND - // stack: l_M==0 && l_B==0, l_M, l_E, l_B, kexit_info - %jumpi(zero_base_zero_mod) - %stack (l: 3) -> (l, l) - // stack: l_M, l_E, l_B, l_M, l_E, l_B, kexit_info - %max_3 - // stack: max_len, l_M, l_E, l_B, kexit_info - - %ceil_div_const(16) - // stack: len=ceil(max_len/16), l_M, l_E, l_B, kexit_info - - // Calculate gas costs. - - PUSH l_E_prime_return - // stack: l_E_prime_return, len, l_M, l_E, l_B, kexit_info - DUP5 - DUP5 - // stack: l_E, l_B, l_E_prime_return, len, l_M, l_E, l_B, kexit_info - %jump(calculate_l_E_prime) -l_E_prime_return: - // stack: l_E_prime, len, l_M, l_E, l_B, kexit_info - DUP5 - // stack: l_B, l_E_prime, len, l_M, l_E, l_B, kexit_info - DUP4 - // stack: l_M, l_B, l_E_prime, len, l_M, l_E, l_B, kexit_info - %max - // stack: max(l_M, l_B), l_E_prime, len, l_M, l_E, l_B, kexit_info - %expmod_gas_f - // stack: f(max(l_M, l_B)), l_E_prime, len, l_M, l_E, l_B, kexit_info - SWAP1 - // stack: l_E_prime, f(max(l_M, l_B)), len, l_M, l_E, l_B, kexit_info - %max_const(1) - // stack: max(1, l_E_prime), f(max(l_M, l_B)), len, l_M, l_E, l_B, kexit_info - MUL - // stack: max(1, l_E_prime) * f(max(l_M, l_B)), len, l_M, l_E, l_B, kexit_info - %div_const(3) // G_quaddivisor - // stack: (max(1, l_E_prime) * f(max(l_M, l_B))) / G_quaddivisor, len, l_M, l_E, l_B, kexit_info - %max_const(200) - // stack: g_r, len, l_M, l_E, l_B, kexit_info - %stack (g_r, l: 4, kexit_info) -> (g_r, kexit_info, l) - // stack: g_r, kexit_info, len, l_M, l_E, l_B - %charge_gas - // stack: kexit_info, len, l_M, l_E, l_B - %stack (kexit_info, l: 4) -> (l, kexit_info) - // stack: len, l_M, l_E, l_B, kexit_info - - // Copy B to memory. - // stack: len, l_M, l_E, l_B, kexit_info - DUP1 - // stack: len, len, l_M, l_E, l_B, kexit_info - DUP5 - // stack: num_bytes=l_B, len, len, l_M, l_E, l_B, kexit_info - DUP1 - %ceil_div_const(16) - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - DUP2 - ISZERO - %jumpi(copy_b_len_zero) - SWAP1 - // stack: num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - %stack () -> (@SEGMENT_CALLDATA, 96) - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 96, num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - %build_address - %mload_bytes_as_limbs - // stack: num_limbs, len, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - SWAP1 - POP - // stack: num_limbs, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - PUSH 0 - // stack: b_loc=0, num_limbs, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - %store_limbs - // stack: len, l_M, l_E, l_B, kexit_info - %jump(copy_b_end) -copy_b_len_zero: - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - %pop3 -copy_b_end: - - // Copy E to memory. - // stack: len, l_M, l_E, l_B, kexit_info - DUP1 - // stack: len, len, l_M, l_E, l_B, kexit_info - DUP4 - // stack: num_bytes=l_E, len, len, l_M, l_E, l_B, kexit_info - DUP1 - %ceil_div_const(16) - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - DUP2 - ISZERO - %jumpi(copy_e_len_zero) - SWAP1 - // stack: num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - DUP7 - %add_const(96) - // stack: 96 + l_B, num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 96 + l_B, num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - %build_address - %mload_bytes_as_limbs - // stack: num_limbs, len, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - SWAP1 - // stack: e_loc=len, num_limbs, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - %store_limbs - // stack: len, l_M, l_E, l_B, kexit_info - %jump(copy_e_end) -copy_e_len_zero: - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - %pop3 -copy_e_end: - - // Copy M to memory. - // stack: len, l_M, l_E, l_B, kexit_info - DUP1 - // stack: len, len, l_M, l_E, l_B, kexit_info - DUP3 - // stack: num_bytes=l_M, len, len, l_M, l_E, l_B, kexit_info - DUP1 - %ceil_div_const(16) - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - DUP2 - ISZERO - %jumpi(copy_m_len_zero) - SWAP1 - // stack: num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - DUP7 - DUP7 - ADD - %add_const(96) - // stack: 96 + l_B + l_E, num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - // stack: ctx, @SEGMENT_CALLDATA, 96 + l_B + l_E, num_bytes, num_limbs, len, len, l_M, l_E, l_B, kexit_info - %build_address - %mload_bytes_as_limbs - // stack: num_limbs, len, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - SWAP1 - %mul_const(2) - // stack: m_loc=2*len, num_limbs, limbs[num_limbs-1], .., limbs[0], len, l_M, l_E, l_B, kexit_info - %store_limbs - // stack: len, l_M, l_E, l_B, kexit_info - %jump(copy_m_end) -copy_m_len_zero: - // stack: num_limbs, num_bytes, len, len, l_M, l_E, l_B, kexit_info - %pop3 -copy_m_end: - - %stack (len, l_M, ls: 2) -> (len, l_M) - // stack: len, l_M, kexit_info - - PUSH expmod_contd - // stack: expmod_contd, len, l_M, kexit_info - DUP2 - // stack: len, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(11) - // stack: s5=11*len, len, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(9) - // stack: s4=9*len, len, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, s4, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(7) - // stack: s3=7*len, len, s4, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(5) - // stack: s2=5*len, len, s3, s4, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(4) - // stack: s1=4*len, len, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(3) - // stack: out=3*len, len, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, out, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - DUP1 - %mul_const(2) - // stack: m_loc=2*len, len, out, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - SWAP1 - // stack: len, m_loc, out, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - PUSH 0 - // stack: b_loc=0, e_loc=len, m_loc, out, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - DUP2 - // stack: len, b_loc, e_loc, m_loc, out, s1, s2, s3, s4, s5, expmod_contd, len, l_M, kexit_info - - %jump(modexp_bignum) - -expmod_contd: - // stack: len, l_M, kexit_info - - // Copy the result value from memory to the parent's return data. - - // Store return data size: l_M (number of bytes). - SWAP1 - // stack: l_M, len, kexit_info - DUP1 %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE) - // stack: l_M, len, kexit_info - DUP1 ISZERO %jumpi(zero_modulus) - // stack: l_M, len, kexit_info - DUP1 %ceil_div_const(16) - // stack: l_M_128, l_M, len, kexit_info - SWAP1 %mod_16 - // stack: l_M%16, l_M_128, len, kexit_info - SWAP2 - // stack: len, l_M_128, l_M%16, kexit_info - %mul_const(3) - // stack: out=3*len, l_M_128, l_M%16, kexit_info - %decrement - DUP2 - DUP2 - ADD - // stack: cur_offset=out+l_M_128-1, end_offset=out-1, l_M_128, l_M%16, kexit_info - DUP1 %mload_current_general - %stack (cur_limb, cur_offset, end_offset, l_M_128, l_M_mod16, kexit_info) -> - (@SEGMENT_RETURNDATA, cur_limb, l_M_mod16, cur_offset, end_offset, l_M_128, kexit_info) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %build_address_no_offset - %mstore_unpacking - // stack: address, cur_offset, end_offset, l_M_128, kexit_info - SWAP1 - %decrement - // stack: cur_offset, address, end_offset, l_M_128, kexit_info - // Store in big-endian format. -expmod_store_loop: - // stack: cur_offset, address, end_offset, l_M_128, kexit_info - DUP3 DUP2 EQ %jumpi(expmod_store_end) - // stack: cur_offset, address, end_offset, l_M_128, kexit_info - DUP1 %mload_current_general - %stack (cur_limb, cur_offset, address, end_offset, l_M_128, kexit_info) -> - (address, cur_limb, cur_offset, end_offset, l_M_128, kexit_info) - %stack (address, cur_limb) -> (address, cur_limb, 16) - %mstore_unpacking - // stack: address', cur_offset, end_offset, l_M_128, kexit_info) - SWAP1 %decrement - // stack: cur_offset-1, address', end_offset, l_M_128, kexit_info) - %jump(expmod_store_loop) -expmod_store_end: - // stack: cur_offset, address, end_offset, l_M_128, kexit_info - %pop4 -the_end: - // stack: kexit_info - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) - -zero_modulus: - // stack: l_M, len, kexit_info - %pop2 - %jump(the_end) - -zero_base_zero_mod: - // stack: l_M, l_E, l_B, kexit_info - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE) - // stack: l_E, l_B, kexit_info - %pop2 - // stack: kexit_info - PUSH 200 - %charge_gas - // stack: kexit_info - %jump(the_end) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/id.asm b/evm/src/cpu/kernel/asm/core/precompiles/id.asm deleted file mode 100644 index a606ef4a85..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/id.asm +++ /dev/null @@ -1,47 +0,0 @@ -global precompile_id: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %calldatasize - %num_bytes_to_num_words - // stack: data_words_len, kexit_info - %mul_const(@ID_DYNAMIC_GAS) - PUSH @ID_STATIC_GAS - ADD - // stack: gas, kexit_info - %charge_gas - - // Simply copy the call data to the parent's return data. - %calldatasize - DUP1 %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE) - - PUSH id_contd SWAP1 - - PUSH @SEGMENT_CALLDATA - GET_CONTEXT - %build_address_no_offset - // stack: SRC, size, id_contd - - PUSH @SEGMENT_RETURNDATA - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %build_address_no_offset - - // stack: DST, SRC, size, id_contd - %jump(memcpy_bytes) - -id_contd: - // stack: kexit_info - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/main.asm b/evm/src/cpu/kernel/asm/core/precompiles/main.asm deleted file mode 100644 index b7c916e9c4..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/main.asm +++ /dev/null @@ -1,69 +0,0 @@ -%macro handle_precompiles - // stack: address, new_ctx, (old stack) - PUSH %%after - SWAP1 - // stack: address, %%after, new_ctx, (old stack) - %jump(handle_precompiles) -%%after: - // stack: new_ctx, (old stack) -%endmacro - -global handle_precompiles: - // stack: address, retdest, new_ctx, (old stack) - DUP1 %eq_const(@ECREC) %jumpi(precompile_ecrec) - DUP1 %eq_const(@SHA256) %jumpi(precompile_sha256) - DUP1 %eq_const(@RIP160) %jumpi(precompile_rip160) - DUP1 %eq_const(@ID) %jumpi(precompile_id) - DUP1 %eq_const(@EXPMOD) %jumpi(precompile_expmod) - DUP1 %eq_const(@BN_ADD) %jumpi(precompile_bn_add) - DUP1 %eq_const(@BN_MUL) %jumpi(precompile_bn_mul) - DUP1 %eq_const(@SNARKV) %jumpi(precompile_snarkv) - %eq_const(@BLAKE2_F) %jumpi(precompile_blake2_f) - // stack: retdest - JUMP - -global pop_and_return_success: - // stack: _unused, kexit_info - POP - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) - -global after_precompile: - %mload_global_metadata(@GLOBAL_METADATA_IS_PRECOMPILE_FROM_EOA) %jumpi(process_message_txn_after_call) - %stack (success, leftover_gas, new_ctx, kexit_info, callgas, address, value, args_offset, args_size, ret_offset, ret_size) -> - (success, leftover_gas, new_ctx, kexit_info, ret_offset, ret_size) - %jump(after_call_instruction) - -%macro handle_precompiles_from_eoa - // stack: retdest - %mload_txn_field(@TXN_FIELD_TO) - // stack: addr, retdest - DUP1 %is_precompile - %jumpi(handle_precompiles_from_eoa) - // stack: addr, retdest - POP -%endmacro - -global handle_precompiles_from_eoa: - PUSH 1 %mstore_global_metadata(@GLOBAL_METADATA_IS_PRECOMPILE_FROM_EOA) - // stack: addr, retdest - %create_context - // stack: new_ctx, addr, retdest - %non_intrinisic_gas %set_new_ctx_gas_limit - // stack: new_ctx, addr, retdest - - // Set calldatasize and copy txn data to calldata. - %mload_txn_field(@TXN_FIELD_DATA_LEN) - %stack (calldata_size, new_ctx) -> (calldata_size, new_ctx, calldata_size) - %set_new_ctx_calldata_size - %stack (new_ctx, calldata_size) -> (@SEGMENT_TXN_DATA, @SEGMENT_CALLDATA, new_ctx, calldata_size, handle_precompiles_from_eoa_finish, new_ctx) - SWAP2 %build_address_no_offset // DST - // stack: DST, SRC, calldata_size, handle_precompiles_from_eoa_finish, new_ctx - %jump(memcpy_bytes) - -handle_precompiles_from_eoa_finish: - %stack (new_ctx, addr, retdest) -> (addr, new_ctx, retdest) - %handle_precompiles - PANIC // We already checked that a precompile is called, so this should be unreachable. diff --git a/evm/src/cpu/kernel/asm/core/precompiles/rip160.asm b/evm/src/cpu/kernel/asm/core/precompiles/rip160.asm deleted file mode 100644 index e57504961b..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/rip160.asm +++ /dev/null @@ -1,50 +0,0 @@ -global precompile_rip160: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %calldatasize - %num_bytes_to_num_words - // stack: data_words_len, kexit_info - %mul_const(@RIP160_DYNAMIC_GAS) - PUSH @RIP160_STATIC_GAS - ADD - // stack: gas, kexit_info - %charge_gas - - // Copy the call data to the kernel general segment (ripemd expects it there) and call ripemd. - %calldatasize - GET_CONTEXT - - %stack (ctx, size) -> - ( - ctx, @SEGMENT_CALLDATA, // SRC - ctx, - size, ripemd, // count, retdest - 200, size, rip160_contd // ripemd input: virt, num_bytes, retdest - ) - %build_address_no_offset - %stack(addr, ctx) -> (ctx, @SEGMENT_KERNEL_GENERAL, 200, addr) - %build_address - // stack: DST, SRC, count, retdest, virt, num_bytes, retdest - - %jump(memcpy_bytes) - -rip160_contd: - // stack: hash, kexit_info - // Store the result hash to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 32) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, hash) -> (parent_ctx, @SEGMENT_RETURNDATA, hash) - %build_address_no_offset - MSTORE_32BYTES_32 - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/sha256.asm b/evm/src/cpu/kernel/asm/core/precompiles/sha256.asm deleted file mode 100644 index 3c926f0bbd..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/sha256.asm +++ /dev/null @@ -1,50 +0,0 @@ -global precompile_sha256: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - %calldatasize - %num_bytes_to_num_words - // stack: data_words_len, kexit_info - %mul_const(@SHA256_DYNAMIC_GAS) - PUSH @SHA256_STATIC_GAS - ADD - // stack: gas, kexit_info - %charge_gas - - // Copy the call data to the kernel general segment (sha2 expects it there) and call sha2. - %calldatasize - GET_CONTEXT - - %stack (ctx, size) -> - ( - ctx, @SEGMENT_CALLDATA, // SRC - ctx, - size, sha2, // count, retdest - 0, size, sha256_contd // sha2 input: virt, num_bytes, retdest - ) - %build_address_no_offset - %stack(addr, ctx) -> (ctx, @SEGMENT_KERNEL_GENERAL, 1, addr) - %build_address - // stack: DST, SRC, count, retdest, virt, num_bytes, retdest - - %jump(memcpy_bytes) - -sha256_contd: - // stack: hash, kexit_info - // Store the result hash to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 32) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, hash) -> (parent_ctx, @SEGMENT_RETURNDATA, hash) - %build_address_no_offset - MSTORE_32BYTES_32 - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/precompiles/snarkv.asm b/evm/src/cpu/kernel/asm/core/precompiles/snarkv.asm deleted file mode 100644 index 23ad9eb17d..0000000000 --- a/evm/src/cpu/kernel/asm/core/precompiles/snarkv.asm +++ /dev/null @@ -1,130 +0,0 @@ -global precompile_snarkv: - // stack: address, retdest, new_ctx, (old stack) - %pop2 - // stack: new_ctx, (old stack) - %set_new_ctx_parent_pc(after_precompile) - // stack: new_ctx, (old stack) - DUP1 - SET_CONTEXT - %checkpoint // Checkpoint - %increment_call_depth - // stack: (empty) - PUSH 0x100000000 // = 2^32 (is_kernel = true) - // stack: kexit_info - - PUSH 192 %calldatasize DUP2 DUP2 - // stack: calldata_size, 192, calldata_size, 192, kexit_info - MOD %jumpi(fault_exception) // calldata_size should be a multiple of 192 - DIV - // stack: k, kexit_info - DUP1 %mul_const(@SNARKV_DYNAMIC_GAS) %add_const(@SNARKV_STATIC_GAS) - %stack (gas, k, kexit_info) -> (gas, kexit_info, k) - %charge_gas - SWAP1 - // stack: k, kexit_info - PUSH 0 -loading_loop: - // stack: i, k, kexit_info - DUP2 DUP2 EQ %jumpi(loading_done) - // stack: i, k, kexit_info - DUP1 %mul_const(192) - // stack: px, i, k, kexit_info - GET_CONTEXT - %stack (ctx, px) -> (ctx, @SEGMENT_CALLDATA, px, 32, px) - %build_address - MLOAD_32BYTES -loading_loop_contd: - // stack: x, px, i, k, kexit_info - SWAP1 %add_const(32) - GET_CONTEXT - %stack (ctx, py) -> (ctx, @SEGMENT_CALLDATA, py, 32, py) - %build_address - MLOAD_32BYTES -loading_loop_contd2: - // stack: y, py, x, i, k, kexit_info - SWAP1 %add_const(32) - GET_CONTEXT - %stack (ctx, px_im) -> (ctx, @SEGMENT_CALLDATA, px_im, 32, px_im) - %build_address - MLOAD_32BYTES -loading_loop_contd3: - // stack: x_im, px_im, y, x, i, k, kexit_info - SWAP1 %add_const(32) - // stack: px_re, x_im, y, x, i, k, kexit_info - GET_CONTEXT - %stack (ctx, px_re) -> (ctx, @SEGMENT_CALLDATA, px_re, 32, px_re) - %build_address - MLOAD_32BYTES -loading_loop_contd4: - // stack: x_re, px_re, x_im, y, x, i, k, kexit_info - SWAP1 %add_const(32) - // stack: py_im, x_re, x_im, y, x, i, k, kexit_info - GET_CONTEXT - %stack (ctx, py_im) -> (ctx, @SEGMENT_CALLDATA, py_im, 32, py_im) - %build_address - MLOAD_32BYTES -loading_loop_contd5: - // stack: y_im, py_im, x_re, x_im, y, x, i, k, kexit_info - SWAP1 %add_const(32) - // stack: py_re, y_im, x_re, x_im, y, x, i, k, kexit_info - GET_CONTEXT - %stack (ctx, py_re) -> (ctx, @SEGMENT_CALLDATA, py_re, 32) - %build_address - MLOAD_32BYTES -loading_loop_contd6: - // stack: y_re, y_im, x_re, x_im, y, x, i, k, kexit_info - SWAP1 // the EVM serializes the imaginary part first - // stack: y_im, y_re, x_re, x_im, y, x, i, k, kexit_info - DUP7 - // stack: i, y_im, y_re, x_re, x_im, y, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %add_const(5) - %mstore_bn254_pairing - // stack: y_re, x_re, x_im, y, x, i, k, kexit_info - DUP6 - // stack: i, y_re, x_re, x_im, y, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %add_const(4) - %mstore_bn254_pairing - SWAP1 // the EVM serializes the imaginary part first - // stack: x_im, x_re, y, x, i, k, kexit_info - DUP5 - // stack: i, x_im, x_re, y, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %add_const(3) - %mstore_bn254_pairing - // stack: x_re, y, x, i, k, kexit_info - DUP4 - // stack: i, x_re, y, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %add_const(2) - %mstore_bn254_pairing - // stack: y, x, i, k, kexit_info - DUP3 - // stack: i, y, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %add_const(1) - %mstore_bn254_pairing - // stack: x, i, k, kexit_info - DUP2 - // stack: i, x, i, k, kexit_info - %mul_const(6) %add_const(@SNARKV_INP) - %mstore_bn254_pairing - // stack: i, k, kexit_info - %increment - %jump(loading_loop) - -loading_done: - %stack (i, k) -> (k, @SNARKV_INP, @SNARKV_OUT, got_result) - %jump(bn254_pairing) -got_result: - // stack: result, kexit_info - DUP1 %eq_const(@U256_MAX) %jumpi(fault_exception) - // stack: result, kexit_info - // Store the result bool (repr. by a U256) to the parent's return data using `mstore_unpacking`. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 32) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - %stack (parent_ctx, address) -> (parent_ctx, @SEGMENT_RETURNDATA, address) - %build_address_no_offset - MSTORE_32BYTES_32 - %jump(pop_and_return_success) diff --git a/evm/src/cpu/kernel/asm/core/process_txn.asm b/evm/src/cpu/kernel/asm/core/process_txn.asm deleted file mode 100644 index c70287a6f9..0000000000 --- a/evm/src/cpu/kernel/asm/core/process_txn.asm +++ /dev/null @@ -1,472 +0,0 @@ -// After the transaction data has been parsed into a normalized set of fields -// (see NormalizedTxnField), this routine processes the transaction. - -// TODO: Save checkpoints in @CTX_METADATA_STATE_TRIE_CHECKPOINT_PTR and @SEGMENT_STORAGE_TRIE_CHECKPOINT_PTRS. - -// Pre stack: retdest -// Post stack: success, leftover_gas -global process_normalized_txn: - // stack: retdest - %compute_fees - // stack: retdest - - // Compute this transaction's intrinsic gas and store it. - %intrinsic_gas - DUP1 - %mstore_txn_field(@TXN_FIELD_INTRINSIC_GAS) - // stack: intrinsic_gas, retdest - - // Assert gas_limit >= intrinsic_gas. - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - %assert_ge(invalid_txn) - - // Assert block gas limit >= txn gas limit. - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_GAS_LIMIT) - %assert_ge(invalid_txn) - - %mload_txn_field(@TXN_FIELD_ORIGIN) - // stack: sender, retdest - - // Check that txn nonce matches account nonce. - DUP1 %nonce - DUP1 %eq_const(@MAX_NONCE) %assert_zero(invalid_txn_2) // EIP-2681 - // stack: sender_nonce, sender, retdest - %mload_txn_field(@TXN_FIELD_NONCE) - // stack: tx_nonce, sender_nonce, sender, retdest - %assert_eq(invalid_txn_1) - // stack: sender, retdest - - // Assert sender has no code. - DUP1 %ext_code_empty %assert_nonzero(invalid_txn_1) - // stack: sender, retdest - - // Assert sender balance >= gas_limit * gas_price + value. - %balance - // stack: sender_balance, retdest - %mload_txn_field(@TXN_FIELD_COMPUTED_FEE_PER_GAS) - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - MUL - %mload_txn_field(@TXN_FIELD_VALUE) - ADD - %assert_le(invalid_txn) - // stack: retdest - - // Assert chain ID matches block metadata - %mload_txn_field(@TXN_FIELD_CHAIN_ID_PRESENT) - // stack: chain_id_present, retdest - DUP1 - %mload_txn_field(@TXN_FIELD_CHAIN_ID) - // stack: tx_chain_id, chain_id_present, chain_id_present, retdest - MUL SWAP1 - // stack: chain_id_present, filtered_tx_chain_id, retdest - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_CHAIN_ID) - MUL - // stack: filtered_block_chain_id, filtered_tx_chain_id, retdest - %assert_eq(invalid_txn) - // stack: retdest - -global buy_gas: - %mload_txn_field(@TXN_FIELD_COMPUTED_FEE_PER_GAS) - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - MUL - // stack: gas_cost, retdest - %mload_txn_field(@TXN_FIELD_ORIGIN) - // stack: sender_addr, gas_cost, retdest - %deduct_eth - // stack: deduct_eth_status, retdest - %jumpi(panic) - // stack: retdest - -global increment_sender_nonce: - %mload_txn_field(@TXN_FIELD_ORIGIN) - DUP1 %increment_nonce - -global warm_origin: - // stack: origin, retdest - %insert_accessed_addresses_no_return - -global warm_precompiles: - // Add precompiles to accessed addresses. - PUSH @ECREC %insert_accessed_addresses_no_return - PUSH @SHA256 %insert_accessed_addresses_no_return - PUSH @RIP160 %insert_accessed_addresses_no_return - PUSH @ID %insert_accessed_addresses_no_return - PUSH @EXPMOD %insert_accessed_addresses_no_return - PUSH @BN_ADD %insert_accessed_addresses_no_return - PUSH @BN_MUL %insert_accessed_addresses_no_return - PUSH @SNARKV %insert_accessed_addresses_no_return - PUSH @BLAKE2_F %insert_accessed_addresses_no_return - -// EIP-3651 -global warm_coinbase: - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_BENEFICIARY) - %insert_accessed_addresses_no_return - -global process_based_on_type: - %is_contract_creation - %jumpi(process_contract_creation_txn) - %jump(process_message_txn) - -global process_contract_creation_txn: - // stack: retdest - - %mload_txn_field(@TXN_FIELD_ORIGIN) - // stack: origin, retdest - DUP1 %nonce - // stack: origin_nonce, origin, retdest - %decrement // Need the non-incremented nonce - SWAP1 - // stack: origin, origin_nonce, retdest - %get_create_address - // stack: address, retdest - DUP1 %insert_accessed_addresses_no_return - - %checkpoint - - // Create the new contract account in the state trie. - DUP1 - // stack: address, address, retdest - %create_contract_account - // stack: status, address, retdest - %jumpi(create_contract_account_fault) - - // stack: address, retdest - // Transfer value to new contract - DUP1 %mload_txn_field(@TXN_FIELD_VALUE) - SWAP1 - %mload_txn_field(@TXN_FIELD_ORIGIN) - DUP3 DUP3 DUP3 - %transfer_eth %jumpi(panic) - %journal_add_balance_transfer - // stack: address, retdest - - %create_context - // stack: new_ctx, address, retdest - - // Store constructor code length - PUSH @CTX_METADATA_CODE_SIZE - // stack: offset, new_ctx, address, retdest - DUP2 // new_ctx - ADD // CTX_METADATA_CODE_SIZE is already scaled by its segment - // stack: addr, new_ctx, address, retdest - %mload_txn_field(@TXN_FIELD_DATA_LEN) - // stack: data_len, addr, new_ctx, address, retdest - MSTORE_GENERAL - // stack: new_ctx, address, retdest - - // Copy the code from txdata to the new context's code segment. - PUSH process_contract_creation_txn_after_code_loaded - %mload_txn_field(@TXN_FIELD_DATA_LEN) - PUSH @SEGMENT_TXN_DATA // SRC (context == offset == 0) - DUP4 // DST (segment == 0 (i.e. CODE), and offset == 0) - %jump(memcpy_bytes) - -global process_contract_creation_txn_after_code_loaded: - // stack: new_ctx, address, retdest - - // Each line in the block below does not change the stack. - DUP2 %set_new_ctx_addr - %mload_txn_field(@TXN_FIELD_ORIGIN) %set_new_ctx_caller - %mload_txn_field(@TXN_FIELD_VALUE) %set_new_ctx_value - %set_new_ctx_parent_ctx - %set_new_ctx_parent_pc(process_contract_creation_txn_after_constructor) - %non_intrinisic_gas %set_new_ctx_gas_limit - // stack: new_ctx, address, retdest - - %enter_new_ctx - // (Old context) stack: new_ctx, address, retdest - -global process_contract_creation_txn_after_constructor: - // stack: success, leftover_gas, new_ctx, address, retdest - // We eventually return leftover_gas and success. - %stack (success, leftover_gas, new_ctx, address, retdest) -> (success, leftover_gas, new_ctx, address, retdest, success) - - ISZERO %jumpi(contract_creation_fault_3) - - // EIP-3541: Reject new contract code starting with the 0xEF byte - PUSH 0 %mload_current(@SEGMENT_RETURNDATA) %eq_const(0xEF) %jumpi(contract_creation_fault_3_zero_leftover) - - // stack: leftover_gas, new_ctx, address, retdest, success - %returndatasize // Size of the code. - // stack: code_size, leftover_gas, new_ctx, address, retdest, success - DUP1 %gt_const(@MAX_CODE_SIZE) %jumpi(contract_creation_fault_4) - // stack: code_size, leftover_gas, new_ctx, address, retdest, success - %mul_const(@GAS_CODEDEPOSIT) SWAP1 - // stack: leftover_gas, codedeposit_cost, new_ctx, address, retdest, success - DUP2 DUP2 LT %jumpi(contract_creation_fault_4) - // stack: leftover_gas, codedeposit_cost, new_ctx, address, retdest, success - SUB - - // Store the code hash of the new contract. - // stack: leftover_gas, new_ctx, address, retdest, success - %returndatasize - PUSH @SEGMENT_RETURNDATA - GET_CONTEXT - %build_address_no_offset - // stack: addr, len - KECCAK_GENERAL - // stack: codehash, leftover_gas, new_ctx, address, retdest, success - %observe_new_contract - DUP4 - // stack: address, codehash, leftover_gas, new_ctx, address, retdest, success - %set_codehash - - %stack (leftover_gas, new_ctx, address, retdest, success) -> (leftover_gas, new_ctx, address, retdest, success, leftover_gas) - %pay_coinbase_and_refund_sender - // stack: leftover_gas', new_ctx, address, retdest, success, leftover_gas - SWAP5 POP - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - // stack: new_ctx, address, retdest, success, leftover_gas - POP - POP - JUMP - -global process_message_txn: - // stack: retdest - %mload_txn_field(@TXN_FIELD_VALUE) - %mload_txn_field(@TXN_FIELD_TO) - DUP1 %insert_accessed_addresses_no_return - %mload_txn_field(@TXN_FIELD_ORIGIN) - // stack: from, to, amount, retdest - %transfer_eth - // stack: transfer_eth_status, retdest - %jumpi(process_message_txn_insufficient_balance) - // stack: retdest - - %handle_precompiles_from_eoa - - // If to's code is empty, return. - %mload_txn_field(@TXN_FIELD_TO) %ext_code_empty - // stack: code_empty, retdest - %jumpi(process_message_txn_return) - - // Otherwise, load to's code and execute it in a new context. - // stack: retdest - %create_context - // stack: new_ctx, retdest - PUSH process_message_txn_code_loaded - DUP2 // new_ctx - %mload_txn_field(@TXN_FIELD_TO) - // stack: address, new_ctx, process_message_txn_code_loaded, new_ctx, retdest - %jump(load_code_padded) - -global process_message_txn_insufficient_balance: - // stack: retdest - PANIC // TODO - -global process_message_txn_return: - // stack: retdest - // Since no code was executed, the leftover gas is the non-intrinsic gas. - %non_intrinisic_gas - DUP1 - // stack: leftover_gas, leftover_gas, retdest - %pay_coinbase_and_refund_sender - // stack: leftover_gas', leftover_gas, retdest - SWAP1 POP - %delete_all_touched_addresses - // stack: leftover_gas', retdest - SWAP1 - PUSH 1 // success - SWAP1 - // stack: retdest, success, leftover_gas - JUMP - -global process_message_txn_code_loaded: - // stack: code_size, new_ctx, retdest - %set_new_ctx_code_size - // stack: new_ctx, retdest - - // Each line in the block below does not change the stack. - %mload_txn_field(@TXN_FIELD_TO) %set_new_ctx_addr - %mload_txn_field(@TXN_FIELD_ORIGIN) %set_new_ctx_caller - %mload_txn_field(@TXN_FIELD_VALUE) %set_new_ctx_value - %set_new_ctx_parent_ctx - %set_new_ctx_parent_pc(process_message_txn_after_call) - %non_intrinisic_gas %set_new_ctx_gas_limit - // stack: new_ctx, retdest - - // Set calldatasize and copy txn data to calldata. - %mload_txn_field(@TXN_FIELD_DATA_LEN) - %stack (calldata_size, new_ctx, retdest) -> (calldata_size, new_ctx, calldata_size, retdest) - %set_new_ctx_calldata_size - %stack (new_ctx, calldata_size, retdest) -> (new_ctx, @SEGMENT_CALLDATA, @SEGMENT_TXN_DATA, calldata_size, process_message_txn_code_loaded_finish, new_ctx, retdest) - %build_address_no_offset // DST - %jump(memcpy_bytes) - -process_message_txn_code_loaded_finish: - %enter_new_ctx - // (Old context) stack: new_ctx, retdest - -global process_message_txn_after_call: - // stack: success, leftover_gas, new_ctx, retdest - // We will return leftover_gas and success. - %stack (success, leftover_gas, new_ctx, retdest) -> (success, leftover_gas, new_ctx, retdest, success, leftover_gas) - ISZERO %jumpi(process_message_txn_fail) -process_message_txn_after_call_contd: - // stack: leftover_gas, new_ctx, retdest, success, leftover_gas - %pay_coinbase_and_refund_sender - // stack: leftover_gas', new_ctx, retdest, success, leftover_gas - SWAP4 POP - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - // stack: new_ctx, retdest, success, leftover_gas - POP - JUMP - -process_message_txn_fail: - // stack: leftover_gas, new_ctx, retdest, success, leftover_gas - // Transfer value back to the caller. - %mload_txn_field(@TXN_FIELD_VALUE) ISZERO %jumpi(process_message_txn_after_call_contd) - %mload_txn_field(@TXN_FIELD_VALUE) - %mload_txn_field(@TXN_FIELD_ORIGIN) - %mload_txn_field(@TXN_FIELD_TO) - %transfer_eth %jumpi(panic) - %jump(process_message_txn_after_call_contd) - -%macro pay_coinbase_and_refund_sender - // stack: leftover_gas - DUP1 - // stack: leftover_gas, leftover_gas - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - SUB - // stack: used_gas, leftover_gas - %mload_global_metadata(@GLOBAL_METADATA_REFUND_COUNTER) - // stack: refund, used_gas, leftover_gas - DUP2 %div_const(@MAX_REFUND_QUOTIENT) // max_refund = used_gas/5 - // stack: max_refund, refund, used_gas, leftover_gas - %min - %stack (refund, used_gas, leftover_gas) -> (leftover_gas, refund, refund, used_gas) - ADD - // stack: leftover_gas', refund, used_gas - SWAP2 - // stack: used_gas, refund, leftover_gas' - SUB - // stack: used_gas', leftover_gas' - - // Pay the coinbase. - %mload_txn_field(@TXN_FIELD_COMPUTED_PRIORITY_FEE_PER_GAS) - MUL - // stack: used_gas_tip, leftover_gas' - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_BENEFICIARY) - // stack: coinbase, used_gas_tip, leftover_gas' - %add_eth - // stack: leftover_gas' - DUP1 - - // Refund gas to the origin. - %mload_txn_field(@TXN_FIELD_COMPUTED_FEE_PER_GAS) - MUL - // stack: leftover_gas_cost, leftover_gas' - %mload_txn_field(@TXN_FIELD_ORIGIN) - // stack: origin, leftover_gas_cost, leftover_gas' - %add_eth - // stack: leftover_gas' -%endmacro - -// Sets @TXN_FIELD_MAX_FEE_PER_GAS and @TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS. -%macro compute_fees - // stack: (empty) - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_BASE_FEE) - %mload_txn_field(@TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS) - %mload_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - // stack: max_fee, max_priority_fee, base_fee - DUP3 DUP2 %assert_ge(invalid_txn_3) // Assert max_fee >= base_fee - // stack: max_fee, max_priority_fee, base_fee - DUP2 DUP2 %assert_ge(invalid_txn_3) // Assert max_fee >= max_priority_fee - %stack (max_fee, max_priority_fee, base_fee) -> (max_fee, base_fee, max_priority_fee, base_fee) - SUB - // stack: max_fee - base_fee, max_priority_fee, base_fee - %min - // stack: computed_priority_fee, base_fee - %stack (computed_priority_fee, base_fee) -> (computed_priority_fee, base_fee, computed_priority_fee) - ADD - // stack: computed_fee, computed_priority_fee - %mstore_txn_field(@TXN_FIELD_COMPUTED_FEE_PER_GAS) - %mstore_txn_field(@TXN_FIELD_COMPUTED_PRIORITY_FEE_PER_GAS) - // stack: (empty) -%endmacro - -%macro non_intrinisic_gas - // stack: (empty) - %mload_txn_field(@TXN_FIELD_INTRINSIC_GAS) - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - SUB - // stack: gas_limit - intrinsic_gas -%endmacro - -create_contract_account_fault: - %revert_checkpoint - // stack: address, retdest - POP - PUSH 0 // leftover_gas - // stack: leftover_gas, retdest - %pay_coinbase_and_refund_sender - // stack: leftover_gas', retdest - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - // stack: leftover_gas', retdest - SWAP1 PUSH 0 // success - // stack: success, retdest, leftover_gas - SWAP1 - JUMP - -contract_creation_fault_3: - %revert_checkpoint - %stack (leftover_gas, new_ctx, address, retdest, success) -> (leftover_gas, retdest, success) - %pay_coinbase_and_refund_sender - // stack: leftover_gas', retdest, success - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - %stack (leftover_gas, retdest, success) -> (retdest, 0, leftover_gas) - JUMP - -contract_creation_fault_3_zero_leftover: - %revert_checkpoint - // stack: leftover_gas, new_ctx, address, retdest, success - %pop3 - PUSH 0 // leftover gas - // stack: leftover_gas, retdest, success - %pay_coinbase_and_refund_sender - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - %stack (leftover_gas, retdest, success) -> (retdest, 0, leftover_gas) - JUMP - -contract_creation_fault_4: - %revert_checkpoint - // stack: code_size/leftover_gas, leftover_gas/codedeposit_cost, new_ctx, address, retdest, success - %pop4 - PUSH 0 // leftover gas - // stack: leftover_gas, retdest, success - %pay_coinbase_and_refund_sender - %delete_all_touched_addresses - %delete_all_selfdestructed_addresses - %stack (leftover_gas, retdest, success) -> (retdest, 0, leftover_gas) - JUMP - - -global invalid_txn: - POP - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - PUSH 0 - %jump(txn_after) - -global invalid_txn_1: - %pop2 - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - PUSH 0 - %jump(txn_after) - -global invalid_txn_2: - %pop3 - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - PUSH 0 - %jump(txn_after) - -global invalid_txn_3: - %pop4 - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - PUSH 0 - %jump(txn_after) diff --git a/evm/src/cpu/kernel/asm/core/selfdestruct_list.asm b/evm/src/cpu/kernel/asm/core/selfdestruct_list.asm deleted file mode 100644 index 258f794054..0000000000 --- a/evm/src/cpu/kernel/asm/core/selfdestruct_list.asm +++ /dev/null @@ -1,78 +0,0 @@ -/// Self-destruct list. -/// Implemented as an array, with the length stored in the global metadata. -/// Note: This array allows duplicates. - -%macro insert_selfdestruct_list - // stack: addr - %mload_global_metadata(@GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN) - DUP1 PUSH @SEGMENT_SELFDESTRUCT_LIST %build_kernel_address - %stack (write_addr, len, addr) -> (addr, write_addr, len) - MSTORE_GENERAL // Store new address at the end of the array. - // stack: len - %increment - %mstore_global_metadata(@GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN) // Store new length. -%endmacro - -/// Remove one occurrence of the address from the list. -/// Panics if the address is not in the list. -global remove_selfdestruct_list: - // stack: addr, retdest - %mload_global_metadata(@GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN) - // stack: len, addr, retdest - PUSH @SEGMENT_SELFDESTRUCT_LIST ADD - PUSH @SEGMENT_SELFDESTRUCT_LIST -remove_selfdestruct_list_loop: - // `i` and `len` are both scaled by SEGMENT_SELFDESTRUCT_LIST - %stack (i, len, addr, retdest) -> (i, len, i, len, addr, retdest) - EQ %jumpi(panic) - // stack: i, len, addr, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, addr, retdest - DUP4 - // stack: addr, loaded_addr, i, len, addr, retdest - EQ %jumpi(remove_selfdestruct_list_found) - // stack: i, len, addr, retdest - %increment - %jump(remove_selfdestruct_list_loop) -remove_selfdestruct_list_found: - %stack (i, len, addr, retdest) -> (len, 1, i, retdest) - SUB - PUSH @SEGMENT_SELFDESTRUCT_LIST - DUP2 SUB // unscale - %mstore_global_metadata(@GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN) // Decrement the list length. - // stack: len-1, i, retdest - MLOAD_GENERAL // Load the last address in the list. - // stack: last_addr, i, retdest - MSTORE_GENERAL // Store the last address at the position of the removed address. - JUMP - -global delete_all_selfdestructed_addresses: - // stack: retdest - %mload_global_metadata(@GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN) - // stack: len, retdest - PUSH @SEGMENT_SELFDESTRUCT_LIST ADD - PUSH @SEGMENT_SELFDESTRUCT_LIST -delete_all_selfdestructed_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_SELFDESTRUCT_LIST - // stack: i, len, retdest - DUP2 DUP2 EQ %jumpi(delete_all_selfdestructed_addresses_done) - // stack: i, len, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, retdest - DUP1 %is_non_existent ISZERO %jumpi(bingo) - // stack: loaded_addr, i, len, retdest - POP %increment %jump(delete_all_selfdestructed_addresses_loop) -bingo: - // stack: loaded_addr, i, len, retdest - %delete_account - %increment %jump(delete_all_selfdestructed_addresses_loop) -delete_all_selfdestructed_addresses_done: - // stack: i, len, retdest - %pop2 JUMP - -%macro delete_all_selfdestructed_addresses - %stack () -> (%%after) - %jump(delete_all_selfdestructed_addresses) -%%after: - // stack: (empty) -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/syscall.asm b/evm/src/cpu/kernel/asm/core/syscall.asm deleted file mode 100644 index 5d1a6c95c0..0000000000 --- a/evm/src/cpu/kernel/asm/core/syscall.asm +++ /dev/null @@ -1,155 +0,0 @@ -global syscall_jumptable: - // 0x00-0x0f - JUMPTABLE sys_stop - JUMPTABLE panic // add is implemented natively - JUMPTABLE panic // mul is implemented natively - JUMPTABLE panic // sub is implemented natively - JUMPTABLE panic // div is implemented natively - JUMPTABLE sys_sdiv - JUMPTABLE panic // mod is implemented natively - JUMPTABLE sys_smod - JUMPTABLE panic // addmod is implemented natively - JUMPTABLE panic // mulmod is implemented natively - JUMPTABLE sys_exp - JUMPTABLE sys_signextend - JUMPTABLE panic // 0x0c is an invalid opcode - JUMPTABLE panic // 0x0d is an invalid opcode - JUMPTABLE panic // 0x0e is an invalid opcode - JUMPTABLE panic // 0x0f is an invalid opcode - - // 0x10-0x1f - JUMPTABLE panic // lt is implemented natively - JUMPTABLE panic // gt is implemented natively - JUMPTABLE sys_slt - JUMPTABLE sys_sgt - JUMPTABLE panic // eq is implemented natively - JUMPTABLE panic // iszero is implemented natively - JUMPTABLE panic // and is implemented natively - JUMPTABLE panic // or is implemented natively - JUMPTABLE panic // xor is implemented natively - JUMPTABLE panic // not is implemented natively - JUMPTABLE panic // byte is implemented natively - JUMPTABLE panic // shl is implemented natively - JUMPTABLE panic // shr is implemented natively - JUMPTABLE sys_sar - JUMPTABLE panic // 0x1e is an invalid opcode - JUMPTABLE panic // 0x1f is an invalid opcode - - // 0x20-0x2f - JUMPTABLE sys_keccak256 - %rep 15 - JUMPTABLE panic // 0x21-0x2f are invalid opcodes - %endrep - - // 0x30-0x3f - JUMPTABLE sys_address - JUMPTABLE sys_balance - JUMPTABLE sys_origin - JUMPTABLE sys_caller - JUMPTABLE sys_callvalue - JUMPTABLE sys_calldataload - JUMPTABLE sys_calldatasize - JUMPTABLE sys_calldatacopy - JUMPTABLE sys_codesize - JUMPTABLE sys_codecopy - JUMPTABLE sys_gasprice - JUMPTABLE sys_extcodesize - JUMPTABLE sys_extcodecopy - JUMPTABLE sys_returndatasize - JUMPTABLE sys_returndatacopy - JUMPTABLE sys_extcodehash - - // 0x40-0x4f - JUMPTABLE sys_blockhash - JUMPTABLE sys_coinbase - JUMPTABLE sys_timestamp - JUMPTABLE sys_number - JUMPTABLE sys_prevrandao - JUMPTABLE sys_gaslimit - JUMPTABLE sys_chainid - JUMPTABLE sys_selfbalance - JUMPTABLE sys_basefee - %rep 7 - JUMPTABLE panic // 0x49-0x4f are invalid opcodes - %endrep - - // 0x50-0x5f - JUMPTABLE panic // pop is implemented natively - JUMPTABLE sys_mload - JUMPTABLE sys_mstore - JUMPTABLE sys_mstore8 - JUMPTABLE sys_sload - JUMPTABLE sys_sstore - JUMPTABLE panic // jump is implemented natively - JUMPTABLE panic // jumpi is implemented natively - JUMPTABLE panic // pc is implemented natively - JUMPTABLE sys_msize - JUMPTABLE sys_gas - JUMPTABLE panic // jumpdest is implemented natively - JUMPTABLE panic // 0x5c is an invalid opcode - JUMPTABLE panic // 0x5d is an invalid opcode - JUMPTABLE panic // 0x5e is an invalid opcode - JUMPTABLE panic // 0x5f is an invalid opcode - - // 0x60-0x6f - %rep 16 - JUMPTABLE panic // push1-push16 are implemented natively - %endrep - - // 0x70-0x7f - %rep 16 - JUMPTABLE panic // push17-push32 are implemented natively - %endrep - - // 0x80-0x8f - %rep 16 - JUMPTABLE panic // dup1-dup16 are implemented natively - %endrep - - // 0x90-0x9f - %rep 16 - JUMPTABLE panic // swap1-swap16 are implemented natively - %endrep - - // 0xa0-0xaf - JUMPTABLE sys_log0 - JUMPTABLE sys_log1 - JUMPTABLE sys_log2 - JUMPTABLE sys_log3 - JUMPTABLE sys_log4 - %rep 11 - JUMPTABLE panic // 0xa5-0xaf are invalid opcodes - %endrep - - // 0xb0-0xbf - %rep 16 - JUMPTABLE panic // 0xb0-0xbf are invalid opcodes - %endrep - - // 0xc0-0xdf - %rep 32 - JUMPTABLE panic // mstore_32bytes_1-32 are implemented natively - %endrep - - // 0xe0-0xef - %rep 16 - JUMPTABLE panic // 0xe0-0xef are invalid opcodes - %endrep - - // 0xf0-0xff - JUMPTABLE sys_create - JUMPTABLE sys_call - JUMPTABLE sys_callcode - JUMPTABLE sys_return - JUMPTABLE sys_delegatecall - JUMPTABLE sys_create2 - JUMPTABLE panic // 0xf6 is an invalid opcode - JUMPTABLE panic // 0xf7 is an invalid opcode - JUMPTABLE panic // 0xf8 is an invalid opcode - JUMPTABLE panic // 0xf9 is an invalid opcode - JUMPTABLE sys_staticcall - JUMPTABLE panic // 0xfb is an invalid opcode - JUMPTABLE panic // 0xfc is an invalid opcode - JUMPTABLE sys_revert - JUMPTABLE panic // 0xfe is an invalid opcode - JUMPTABLE sys_selfdestruct diff --git a/evm/src/cpu/kernel/asm/core/terminate.asm b/evm/src/cpu/kernel/asm/core/terminate.asm deleted file mode 100644 index 8572f34f28..0000000000 --- a/evm/src/cpu/kernel/asm/core/terminate.asm +++ /dev/null @@ -1,225 +0,0 @@ -// Handlers for operations which terminate the current context, namely STOP, -// RETURN, SELFDESTRUCT, REVERT, and exceptions such as stack underflow. - -global sys_stop: - // stack: kexit_info - // Set the parent context's return data size to 0. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) - -global sys_return: - // stack: kexit_info, offset, size - %stack (kexit_info, offset, size) -> (offset, size, kexit_info, offset, size) - %add_or_fault - // stack: offset+size, kexit_info, offset, size - DUP4 ISZERO %jumpi(return_zero_size) - // stack: offset+size, kexit_info, offset, size - DUP1 %ensure_reasonable_offset - %update_mem_bytes - %jump(return_after_gas) -return_zero_size: - POP -return_after_gas: - // Load the parent's context. - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - - // Store the return data size in the parent context's metadata. - %stack (parent_ctx, kexit_info, offset, size) -> - (parent_ctx, @CTX_METADATA_RETURNDATA_SIZE, size, offset, size, parent_ctx, kexit_info) - ADD // addr (CTX offsets are already scaled by their segment) - SWAP1 - // stack: size, addr, offset, size, parent_ctx, kexit_info - MSTORE_GENERAL - // stack: offset, size, parent_ctx, kexit_info - - // Store the return data in the parent context's returndata segment. - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - - %stack (addr, size, parent_ctx, kexit_info) -> - ( - parent_ctx, @SEGMENT_RETURNDATA, // DST - addr, // SRC - size, sys_return_finish, kexit_info // count, retdest, ... - ) - %build_address_no_offset - // stack: DST, SRC, size, sys_return_finish, kexit_info - %jump(memcpy_bytes) - -sys_return_finish: - // stack: kexit_info - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) - -global sys_selfdestruct: - %check_static - // stack: kexit_info, recipient - SWAP1 %u256_to_addr - %address DUP1 %balance - - // Insert recipient into the accessed addresses list. - // stack: balance, address, recipient, kexit_info - DUP3 %insert_accessed_addresses - - // Set the parent context's return data size to 0. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - - // Compute gas. - // stack: cold_access, balance, address, recipient, kexit_info - %mul_const(@GAS_COLDACCOUNTACCESS) - DUP2 - // stack: balance, gas_coldaccess, balance, address, recipient, kexit_info - ISZERO %not_bit - // stack: balance!=0, gas_coldaccess, balance, address, recipient, kexit_info - DUP5 %is_dead MUL %mul_const(@GAS_NEWACCOUNT) - // stack: gas_newaccount, gas_coldaccess, balance, address, recipient, kexit_info - ADD %add_const(@GAS_SELFDESTRUCT) - %stack (gas, balance, address, recipient, kexit_info) -> (gas, kexit_info, balance, address, recipient) - %charge_gas - %stack (kexit_info, balance, address, recipient) -> (balance, address, recipient, kexit_info) - - // Insert address into the selfdestruct set. - // stack: balance, address, recipient, kexit_info - DUP2 %insert_selfdestruct_list - - // Set the balance of the address to 0. - // stack: balance, address, recipient, kexit_info - PUSH 0 - // stack: 0, balance, address, recipient, kexit_info - DUP3 %mpt_read_state_trie - // stack: account_ptr, 0, balance, address, recipient, kexit_info - %add_const(1) - // stack: balance_ptr, 0, balance, address, recipient, kexit_info - %mstore_trie_data - - %stack (balance, address, recipient, kexit_info) -> - (address, recipient, address, recipient, balance, kexit_info) - - // If the recipient is the same as the address, then we're done. - // Otherwise, send the balance to the recipient. - // stack: address, recipient, address, recipient, balance, kexit_info - EQ %jumpi(sys_selfdestruct_journal_add) - %stack (address, recipient, balance, kexit_info) -> (recipient, balance, address, recipient, balance, kexit_info) - %add_eth - -sys_selfdestruct_journal_add: - // stack: address, recipient, balance, kexit_info - %journal_add_account_destroyed - - // stack: kexit_info - %leftover_gas - // stack: leftover_gas - PUSH 1 // success - %jump(terminate_common) - -global sys_revert: - // stack: kexit_info, offset, size - %stack (kexit_info, offset, size) -> (offset, size, kexit_info, offset, size) - %add_or_fault - // stack: offset+size, kexit_info, offset, size - DUP4 ISZERO %jumpi(revert_zero_size) - // stack: offset+size, kexit_info, offset, size - DUP1 %ensure_reasonable_offset - %update_mem_bytes - %jump(revert_after_gas) -revert_zero_size: - POP -revert_after_gas: - // Load the parent's context. - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - - // Store the return data size in the parent context's metadata. - %stack (parent_ctx, kexit_info, offset, size) -> - (parent_ctx, @CTX_METADATA_RETURNDATA_SIZE, size, offset, size, parent_ctx, kexit_info) - ADD // addr (CTX offsets are already scaled by their segment) - SWAP1 - // stack: size, addr, offset, size, parent_ctx, kexit_info - MSTORE_GENERAL - // stack: offset, size, parent_ctx, kexit_info - - // Store the return data in the parent context's returndata segment. - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - - %stack (addr, size, parent_ctx, kexit_info) -> - ( - parent_ctx, @SEGMENT_RETURNDATA, // DST - addr, // SRC - size, sys_revert_finish, kexit_info // count, retdest, ... - ) - %build_address_no_offset - // stack: DST, SRC, size, sys_revert_finish, kexit_info - %jump(memcpy_bytes) - -sys_revert_finish: - %leftover_gas - // stack: leftover_gas - %revert_checkpoint - PUSH 0 // success - %jump(terminate_common) - -// The execution is in an exceptional halting state if -// - there is insufficient gas -// - the instruction is invalid -// - there are insufficient stack items -// - a JUMP/JUMPI destination is invalid -// - the new stack size would be larger than 1024, or -// - state modification is attempted during a static call -global fault_exception: - // stack: (empty) - %revert_checkpoint - PUSH 0 // leftover_gas - // Set the parent context's return data size to 0. - %mstore_parent_context_metadata(@CTX_METADATA_RETURNDATA_SIZE, 0) - PUSH 0 // success - %jump(terminate_common) - -global terminate_common: - // stack: success, leftover_gas - // TODO: Panic if we exceeded our gas limit? - - // We want to move the success flag from our (child) context's stack to the - // parent context's stack. We will write it to memory, specifically - // SEGMENT_KERNEL_GENERAL[0], then load it after the context switch. - PUSH 0 - // stack: 0, success, leftover_gas - %mstore_kernel_general - // stack: leftover_gas - - // Similarly, we write leftover_gas to SEGMENT_KERNEL_GENERAL[1] so that - // we can later read it after switching to the parent context. - PUSH 1 - // stack: 1, leftover_gas - %mstore_kernel_general - // stack: (empty) - - // Similarly, we write the parent PC to SEGMENT_KERNEL_GENERAL[2] so that - // we can later read it after switching to the parent context. - PUSH 2 - PUSH @SEGMENT_KERNEL_GENERAL - %build_kernel_address - %mload_context_metadata(@CTX_METADATA_PARENT_PC) - MSTORE_GENERAL - // stack: (empty) - - // Go back to the parent context. - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - SET_CONTEXT - %decrement_call_depth - // stack: (empty) - - // Load the fields that we stored in SEGMENT_KERNEL_GENERAL. - PUSH 1 %mload_kernel_general // leftover_gas - PUSH 0 %mload_kernel_general // success - PUSH 2 %mload_kernel_general // parent_pc - - // stack: parent_pc, success, leftover_gas - JUMP diff --git a/evm/src/cpu/kernel/asm/core/touched_addresses.asm b/evm/src/cpu/kernel/asm/core/touched_addresses.asm deleted file mode 100644 index d9c70f47ac..0000000000 --- a/evm/src/cpu/kernel/asm/core/touched_addresses.asm +++ /dev/null @@ -1,112 +0,0 @@ -%macro insert_touched_addresses - %stack (addr) -> (addr, %%after) - %jump(insert_touched_addresses) -%%after: - // stack: (empty) -%endmacro - -%macro insert_touched_addresses_no_return - %insert_touched_addresses - POP -%endmacro - -/// Inserts the address into the list if it is not already present. -global insert_touched_addresses: - // stack: addr, retdest - %mload_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN) - // stack: len, addr, retdest - PUSH @SEGMENT_TOUCHED_ADDRESSES ADD - PUSH @SEGMENT_TOUCHED_ADDRESSES -insert_touched_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_TOUCHED_ADDRESSES - %stack (i, len, addr, retdest) -> (i, len, i, len, addr, retdest) - EQ %jumpi(insert_address) - // stack: i, len, addr, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, addr, retdest - DUP4 - // stack: addr, loaded_addr, i, len, addr, retdest - EQ %jumpi(insert_touched_addresses_found) - // stack: i, len, addr, retdest - %increment - %jump(insert_touched_addresses_loop) - -insert_address: - %stack (i, len, addr, retdest) -> (i, addr, len, @SEGMENT_TOUCHED_ADDRESSES, retdest) - DUP2 %journal_add_account_touched // Add a journal entry for the touched account. - %swap_mstore // Store new address at the end of the array. - // stack: len, segment, retdest - SUB // unscale - %increment - %mstore_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN) // Store new length. - JUMP - -insert_touched_addresses_found: - %stack (i, len, addr, retdest) -> (retdest) - JUMP - -/// Remove the address from the list. -/// Panics if the address is not in the list. -/// TODO: Unused? -global remove_touched_addresses: - // stack: addr, retdest - %mload_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN) - // stack: len, addr, retdest - PUSH @SEGMENT_TOUCHED_ADDRESSES ADD - PUSH @SEGMENT_TOUCHED_ADDRESSES -remove_touched_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_TOUCHED_ADDRESSES - %stack (i, len, addr, retdest) -> (i, len, i, len, addr, retdest) - EQ %jumpi(panic) - // stack: i, len, addr, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, addr, retdest - DUP4 - // stack: addr, loaded_addr, i, len, addr, retdest - EQ %jumpi(remove_touched_addresses_found) - // stack: i, len, addr, retdest - %increment - %jump(remove_touched_addresses_loop) -remove_touched_addresses_found: - %stack (i, len, addr, retdest) -> (len, 1, i, retdest) - SUB - PUSH @SEGMENT_TOUCHED_ADDRESSES DUP2 - SUB // unscale - %mstore_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN) // Decrement the list length. - // stack: len-1, i, retdest - MLOAD_GENERAL // Load the last address in the list. - // stack: last_addr, i, retdest - MSTORE_GENERAL // Store the last address at the position of the removed address. - JUMP - - -global delete_all_touched_addresses: - // stack: retdest - %mload_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN) - // stack: len, retdest - PUSH @SEGMENT_TOUCHED_ADDRESSES ADD - PUSH @SEGMENT_TOUCHED_ADDRESSES -delete_all_touched_addresses_loop: - // `i` and `len` are both scaled by SEGMENT_TOUCHED_ADDRESSES - // stack: i, len, retdest - DUP2 DUP2 EQ %jumpi(delete_all_touched_addresses_done) - // stack: i, len, retdest - DUP1 MLOAD_GENERAL - // stack: loaded_addr, i, len, retdest - DUP1 %is_empty %jumpi(bingo) - // stack: loaded_addr, i, len, retdest - POP %increment %jump(delete_all_touched_addresses_loop) -bingo: - // stack: loaded_addr, i, len, retdest - %delete_account - %increment %jump(delete_all_touched_addresses_loop) -delete_all_touched_addresses_done: - // stack: i, len, retdest - %pop2 JUMP - -%macro delete_all_touched_addresses - %stack () -> (%%after) - %jump(delete_all_touched_addresses) -%%after: - // stack: (empty) -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/core/transfer.asm b/evm/src/cpu/kernel/asm/core/transfer.asm deleted file mode 100644 index 0517cf3a8f..0000000000 --- a/evm/src/cpu/kernel/asm/core/transfer.asm +++ /dev/null @@ -1,112 +0,0 @@ -// Transfers some ETH from one address to another. The amount is given in wei. -// Pre stack: from, to, amount, retdest -// Post stack: status (0 indicates success) -global transfer_eth: - // stack: from, to, amount, retdest - %stack (from, to, amount, retdest) - -> (from, amount, to, amount, retdest) - %deduct_eth - // stack: deduct_eth_status, to, amount, retdest - %jumpi(transfer_eth_failure) - // stack: to, amount, retdest - %add_eth - %stack (retdest) -> (retdest, 0) - JUMP -global transfer_eth_failure: - %stack (to, amount, retdest) -> (retdest, 1) - JUMP - -// Convenience macro to call transfer_eth and return where we left off. -%macro transfer_eth - %stack (from, to, amount) -> (from, to, amount, %%after) - %jump(transfer_eth) -%%after: -%endmacro - -// Returns 0 on success, or 1 if addr has insufficient balance. Panics if addr isn't found in the trie. -// Pre stack: addr, amount, retdest -// Post stack: status (0 indicates success) -global deduct_eth: - // stack: addr, amount, retdest - DUP1 %insert_touched_addresses - %mpt_read_state_trie - // stack: account_ptr, amount, retdest - DUP1 ISZERO %jumpi(deduct_eth_no_such_account) // If the account pointer is null, return 1. - %add_const(1) - // stack: balance_ptr, amount, retdest - DUP1 %mload_trie_data - // stack: balance, balance_ptr, amount, retdest - DUP1 DUP4 GT - // stack: amount > balance, balance, balance_ptr, amount, retdest - %jumpi(deduct_eth_insufficient_balance) - %stack (balance, balance_ptr, amount, retdest) -> (balance, amount, balance_ptr, retdest, 0) - SUB - SWAP1 - // stack: balance_ptr, balance - amount, retdest, 0 - %mstore_trie_data - // stack: retdest, 0 - JUMP -global deduct_eth_no_such_account: - %stack (account_ptr, amount, retdest) -> (retdest, 1) - JUMP -global deduct_eth_insufficient_balance: - %stack (balance, balance_ptr, amount, retdest) -> (retdest, 1) - JUMP - -// Convenience macro to call deduct_eth and return where we left off. -%macro deduct_eth - %stack (addr, amount) -> (addr, amount, %%after) - %jump(deduct_eth) -%%after: -%endmacro - -// Pre stack: addr, amount, redest -// Post stack: (empty) -global add_eth: - // stack: addr, amount, retdest - DUP1 %insert_touched_addresses - DUP1 %mpt_read_state_trie - // stack: account_ptr, addr, amount, retdest - DUP1 ISZERO %jumpi(add_eth_new_account) // If the account pointer is null, we need to create the account. - %add_const(1) - // stack: balance_ptr, addr, amount, retdest - DUP1 %mload_trie_data - // stack: balance, balance_ptr, addr, amount, retdest - %stack (balance, balance_ptr, addr, amount) -> (amount, balance, balance_ptr) - ADD - // stack: new_balance, balance_ptr, retdest - SWAP1 - // stack: balance_ptr, new_balance, retdest - %mstore_trie_data - // stack: retdest - JUMP -global add_eth_new_account: - // stack: null_account_ptr, addr, amount, retdest - POP - // stack: addr, amount, retdest - DUP2 ISZERO %jumpi(add_eth_new_account_zero) - DUP1 %journal_add_account_created - %get_trie_data_size // pointer to new account we're about to create - // stack: new_account_ptr, addr, amount, retdest - SWAP2 - // stack: amount, addr, new_account_ptr, retdest - PUSH 0 %append_to_trie_data // nonce - %append_to_trie_data // balance - // stack: addr, new_account_ptr, retdest - PUSH 0 %append_to_trie_data // storage root pointer - PUSH @EMPTY_STRING_HASH %append_to_trie_data // code hash - // stack: addr, new_account_ptr, retdest - %addr_to_state_key - // stack: key, new_account_ptr, retdest - %jump(mpt_insert_state_trie) - -add_eth_new_account_zero: - // stack: addr, amount, retdest - %pop2 JUMP - -// Convenience macro to call add_eth and return where we left off. -%macro add_eth - %stack (addr, amount) -> (addr, amount, %%after) - %jump(add_eth) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/util.asm b/evm/src/cpu/kernel/asm/core/util.asm deleted file mode 100644 index a77329bd8c..0000000000 --- a/evm/src/cpu/kernel/asm/core/util.asm +++ /dev/null @@ -1,88 +0,0 @@ -// Return the next context ID, and record the old context ID in the new one's -// @CTX_METADATA_PARENT_CONTEXT field. Does not actually enter the new context. -%macro create_context - // stack: (empty) - %next_context_id - %set_new_ctx_parent_ctx - // stack: new_ctx -%endmacro - -// Get and increment @GLOBAL_METADATA_LARGEST_CONTEXT to determine the next context ID. -%macro next_context_id - // stack: (empty) - %mload_global_metadata(@GLOBAL_METADATA_LARGEST_CONTEXT) - %add_const(0x10000000000000000) // scale each context by 2^64 - // stack: new_ctx - DUP1 - %mstore_global_metadata(@GLOBAL_METADATA_LARGEST_CONTEXT) - // stack: new_ctx -%endmacro - -// Returns whether the current transaction is a contract creation transaction. -%macro is_contract_creation - // stack: (empty) - %mload_global_metadata(@GLOBAL_METADATA_CONTRACT_CREATION) -%endmacro - -%macro is_precompile - // stack: addr - DUP1 %ge_const(@ECREC) SWAP1 %le_const(@BLAKE2_F) - // stack: addr>=1, addr<=9 - MUL // Cheaper than AND -%endmacro - -// Returns 1 if the account is non-existent, 0 otherwise. -%macro is_non_existent - // stack: addr - %mpt_read_state_trie ISZERO -%endmacro - -// Returns 1 if the account is empty, 0 otherwise. -%macro is_empty - // stack: addr - %mpt_read_state_trie - // stack: account_ptr - DUP1 ISZERO %jumpi(%%false) - // stack: account_ptr - DUP1 %mload_trie_data - // stack: nonce, account_ptr - ISZERO %not_bit %jumpi(%%false) - %increment DUP1 %mload_trie_data - // stack: balance, balance_ptr - ISZERO %not_bit %jumpi(%%false) - %add_const(2) %mload_trie_data - // stack: code_hash - PUSH @EMPTY_STRING_HASH - EQ - %jump(%%after) -%%false: - // stack: account_ptr - POP - PUSH 0 -%%after: -%endmacro - -// Returns 1 if the account is dead (i.e., empty or non-existent), 0 otherwise. -%macro is_dead - // stack: addr - DUP1 %is_non_existent - SWAP1 %is_empty - OR -%endmacro - -// Gets the size of the stack _before_ the macro is run -// WARNING: this macro is side-effecting. It writes the current stack length to offset -// `CTX_METADATA_STACK_SIZE`, segment `SEGMENT_CONTEXT_METADATA` in the current context. But I can't -// imagine it being an issue unless someone's doing something dumb. -%macro stack_length - // stack: (empty) - GET_CONTEXT - // stack: current_ctx - // It seems odd to switch to the context that we are already in. We do this because SET_CONTEXT - // saves the stack length of the context we are leaving in its metadata segment. - SET_CONTEXT - // stack: (empty) - // We can now read this stack length from memory. - %mload_context_metadata(@CTX_METADATA_STACK_SIZE) - // stack: stack_length -%endmacro diff --git a/evm/src/cpu/kernel/asm/core/withdrawals.asm b/evm/src/cpu/kernel/asm/core/withdrawals.asm deleted file mode 100644 index 3be05d880c..0000000000 --- a/evm/src/cpu/kernel/asm/core/withdrawals.asm +++ /dev/null @@ -1,25 +0,0 @@ -%macro withdrawals - // stack: (empty) - PUSH %%after - %jump(withdrawals) -%%after: - // stack: (empty) -%endmacro - -global withdrawals: - // stack: retdest - PROVER_INPUT(withdrawal) - // stack: address, retdest - PROVER_INPUT(withdrawal) - // stack: amount, address, retdest - DUP2 %eq_const(@U256_MAX) %jumpi(withdrawals_end) - SWAP1 - // stack: address, amount, retdest - %add_eth - // stack: retdest - %jump(withdrawals) - -withdrawals_end: - // stack: amount, address, retdest - %pop2 - JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bls381/util.asm b/evm/src/cpu/kernel/asm/curve/bls381/util.asm deleted file mode 100644 index 13943be7d9..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bls381/util.asm +++ /dev/null @@ -1,101 +0,0 @@ -%macro add_fp381 - // stack: x0, x1, y0, y1 - PROVER_INPUT(sf::bls381_base::add_hi) - // stack: z1, x0, x1, y0, y1 - SWAP4 - // stack: y1, x0, x1, y0, z1 - PROVER_INPUT(sf::bls381_base::add_lo) - // stack: z0, y1, x0, x1, y0, z1 - SWAP4 - // stack: y0, y1, x0, x1, z0, z1 - %pop4 - // stack: z0, z1 -%endmacro - -%macro sub_fp381 - // stack: x0, x1, y0, y1 - PROVER_INPUT(sf::bls381_base::sub_hi) - // stack: z1, x0, x1, y0, y1 - SWAP4 - // stack: y1, x0, x1, y0, z1 - PROVER_INPUT(sf::bls381_base::sub_lo) - // stack: z0, y1, x0, x1, y0, z1 - SWAP4 - // stack: y0, y1, x0, x1, z0, z1 - %pop4 - // stack: z0, z1 -%endmacro - -%macro mul_fp381 - // stack: x0, x1, y0, y1 - PROVER_INPUT(sf::bls381_base::mul_hi) - // stack: z1, x0, x1, y0, y1 - SWAP4 - // stack: y1, x0, x1, y0, z1 - PROVER_INPUT(sf::bls381_base::mul_lo) - // stack: z0, y1, x0, x1, y0, z1 - SWAP4 - // stack: y0, y1, x0, x1, z0, z1 - %pop4 - // stack: z0, z1 -%endmacro - -%macro add_fp381_2 - // stack: x_re, x_im, y_re, y_im - %stack (x_re: 2, x_im: 2, y_re: 2, y_im: 2) -> (y_im, x_im, y_re, x_re) - // stack: y_im, x_im, y_re, x_re - %add_fp381 - // stack: z_im, y_re, x_re - %stack (z_im: 2, y_re: 2, x_re: 2) -> (x_re, y_re, z_im) - // stack: x_re, y_re, z_im - %add_fp381 - // stack: z_re, z_im -%endmacro - -%macro sub_fp381_2 - // stack: x_re, x_im, y_re, y_im - %stack (x_re: 2, x_im: 2, y_re: 2, y_im: 2) -> (x_im, y_im, y_re, x_re) - // stack: x_im, y_im, y_re, x_re - %sub_fp381 - // stack: z_im, y_re, x_re - %stack (z_im: 2, y_re: 2, x_re: 2) -> (x_re, y_re, z_im) - // stack: x_re, y_re, z_im - %sub_fp381 - // stack: z_re, z_im -%endmacro - -// note that {x,y}_{re,im} all take up two stack terms -global mul_fp381_2: - // stack: x_re, x_im, y_re, y_im, jumpdest - DUP4 - DUP4 - // stack: x_im, x_re, x_im, y_re, y_im, jumpdest - DUP8 - DUP8 - // stack: y_re, x_im, x_re, x_im, y_re, y_im, jumpdest - DUP12 - DUP12 - // stack: y_im, y_re, x_im, x_re, x_im, y_re, y_im, jumpdest - DUP8 - DUP8 - // stack: x_re , y_im, y_re, x_im, x_re, x_im, y_re, y_im, jumpdest - %mul_fp381 - // stack: x_re * y_im, y_re, x_im, x_re, x_im, y_re, y_im, jumpdest - %stack (v: 2, y_re: 2, x_im: 2) -> (x_im, y_re, v) - // stack: x_im , y_re, x_re*y_im, x_re, x_im, y_re, y_im, jumpdest - %mul_fp381 - // stack: x_im * y_re, x_re*y_im, x_re, x_im, y_re, y_im, jumpdest - %add_fp381 - // stack: z_im, x_re, x_im, y_re, y_im, jumpdest - %stack (z_im: 2, x_re: 2, x_im: 2, y_re: 2, y_im: 2) -> (x_im, y_im, y_re, x_re, z_im) - // stack: x_im , y_im, y_re, x_re, z_im, jumpdest - %mul_fp381 - // stack: x_im * y_im, y_re, x_re, z_im, jumpdest - %stack (v: 2, y_re: 2, x_re: 2) -> (x_re, y_re, v) - // stack: x_re , y_re, x_im*y_im, z_im, jumpdest - %mul_fp381 - // stack: x_re * y_re, x_im*y_im, z_im, jumpdest - %sub_fp381 - // stack: z_re, z_im, jumpdest - %stack (z_re: 2, z_im: 2, jumpdest) -> (jumpdest, z_re, z_im) - JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/constants.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/constants.asm deleted file mode 100644 index 20882c0530..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/constants.asm +++ /dev/null @@ -1,88 +0,0 @@ -/// miller_data is defined by -/// (1) taking the binary expansion of N254, the order of the elliptic curve group -/// (2) popping the first and last elements, then appending a 0: -/// exp = bin(N254)[1:-1] + [0] -/// (3) counting the lengths of runs of 1s then 0s in exp, e.g. -/// if exp = 1100010011110, then EXP = [(2,3), (1,2), (4,1)] -/// (4) byte encoding each pair (n,m) as follows: -/// miller_data = [(0x20)n + m for (n,m) in EXP] - -global miller_data: - BYTES 0xdc, 0x22, 0x42, 0x21 - BYTES 0xa1, 0xa4, 0x24, 0x21 - BYTES 0x23, 0x22, 0x64, 0x21 - BYTES 0x62, 0x41, 0x82, 0x24 - BYTES 0x22, 0x24, 0xa1, 0x42 - BYTES 0x25, 0x21, 0x22, 0x61 - BYTES 0x21, 0x44, 0x21, 0x21 - BYTES 0x46, 0x26, 0x41, 0x41 - BYTES 0x41, 0x21, 0x23, 0x25 - BYTES 0x21, 0x64, 0x41, 0x22 - BYTES 0x21, 0x27, 0x41, 0x43 - BYTES 0x22, 0x64, 0x21, 0x62 - BYTES 0x62, 0x22, 0x23, 0x42 - BYTES 0x25 - - -/// final_exp first computes y^a4, y^a2, y^a0 -/// representing a4, a2, a0 in *little endian* binary, define -/// EXPS4 = [(a4[i], a2[i], a0[i]) for i in 0..len(a4)] -/// EXPS2 = [ (a2[i], a0[i]) for i in len(a4)..len(a2)] -/// EXPS0 = [ a0[i] for i in len(a2)..len(a0)] -/// power_data_n is simply a reverse-order byte encoding of EXPSn -/// where (i,j,k) is sent to (100)i + (10)j + k - -global power_data_4: - BYTES 111, 010, 011, 111 - BYTES 110, 101, 001, 100 - BYTES 001, 100, 110, 110 - BYTES 110, 011, 011, 101 - BYTES 011, 101, 101, 111 - BYTES 000, 011, 011, 001 - BYTES 011, 001, 101, 100 - BYTES 100, 000, 010, 100 - BYTES 110, 010, 110, 100 - BYTES 110, 101, 101, 001 - BYTES 001, 110, 110, 110 - BYTES 010, 110, 101, 001 - BYTES 010, 010, 110, 110 - BYTES 110, 010, 101, 110 - BYTES 101, 010, 101, 001 - BYTES 000, 111, 111, 110 - -global power_data_2: - BYTES 11, 01, 11, 10 - BYTES 11, 10, 01, 10 - BYTES 00, 01, 10, 11 - BYTES 01, 11, 10, 01 - BYTES 00, 00, 00, 01 - BYTES 10, 01, 01, 10 - BYTES 00, 01, 11, 00 - BYTES 01, 00, 10, 11 - BYTES 11, 00, 11, 10 - BYTES 11, 00, 11, 01 - BYTES 11, 11, 11, 01 - BYTES 01, 00, 00, 11 - BYTES 00, 11, 11, 01 - BYTES 01, 10, 11, 10 - BYTES 11, 10, 10, 00 - BYTES 11, 10 - -global power_data_0: - BYTES 0, 1, 1, 0 - BYTES 0, 1, 1, 1 - BYTES 1, 0, 0, 0 - BYTES 1, 0, 0, 1 - BYTES 1, 0, 1, 0 - BYTES 1, 1, 1, 1 - BYTES 0, 0, 1, 1 - BYTES 1, 0, 1, 0 - BYTES 1, 0, 0, 0 - BYTES 0, 0, 1, 1 - BYTES 0, 1, 0, 1 - BYTES 0, 0, 1, 0 - BYTES 0, 0, 1, 0 - BYTES 1, 1, 1, 0 - BYTES 1, 0, 1, 1 - BYTES 0, 0, 1, 0 - BYTES 0 diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_add.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_add.asm deleted file mode 100644 index a43c4047d3..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_add.asm +++ /dev/null @@ -1,268 +0,0 @@ -// BN254 elliptic curve addition. -// Uses the standard affine addition formula. -global bn_add: - // stack: x0, y0, x1, y1, retdest - // Check if points are valid BN254 points. - DUP2 - // stack: y0, x0, y0, x1, y1, retdest - DUP2 - // stack: x0, y0, x0, y0, x1, y1, retdest - %bn_check - // stack: isValid(x0, y0), x0, y0, x1, y1, retdest - DUP5 - // stack: x1, isValid(x0, y0), x0, y0, x1, y1, retdest - DUP5 - // stack: x1, y1, isValid(x0, y0), x0, y0, x1, y1, retdest - %bn_check - // stack: isValid(x1, y1), isValid(x0, y0), x0, y0, x1, y1, retdest - AND - // stack: isValid(x1, y1) & isValid(x0, y0), x0, y0, x1, y1, retdest - %jumpi(bn_add_valid_points) - // stack: x0, y0, x1, y1, retdest - - // Otherwise return - %pop4 - // stack: retdest - %bn_invalid_input - -// BN254 elliptic curve addition. -// Assumption: (x0,y0) and (x1,y1) are valid points. -global bn_add_valid_points: - // stack: x0, y0, x1, y1, retdest - - // Check if the first point is the identity. - DUP2 - // stack: y0, x0, y0, x1, y1, retdest - DUP2 - // stack: x0, y0, x0, y0, x1, y1, retdest - %ec_isidentity - // stack: (x0,y0)==(0,0), x0, y0, x1, y1, retdest - %jumpi(bn_add_fst_zero) - // stack: x0, y0, x1, y1, retdest - - // Check if the second point is the identity. - DUP4 - // stack: y1, x0, y0, x1, y1, retdest - DUP4 - // stack: x1, y1, x0, y0, x1, y1, retdest - %ec_isidentity - // stack: (x1,y1)==(0,0), x0, y0, x1, y1, retdest - %jumpi(bn_add_snd_zero) - // stack: x0, y0, x1, y1, retdest - - // Check if both points have the same x-coordinate. - DUP3 - // stack: x1, x0, y0, x1, y1, retdest - DUP2 - // stack: x0, x1, x0, y0, x1, y1, retdest - EQ - // stack: x0 == x1, x0, y0, x1, y1, retdest - %jumpi(bn_add_equal_first_coord) - // stack: x0, y0, x1, y1, retdest - - // Otherwise, we can use the standard formula. - // Compute lambda = (y0 - y1)/(x0 - x1) - DUP4 - // stack: y1, x0, y0, x1, y1, retdest - DUP3 - // stack: y0, y1, x0, y0, x1, y1, retdest - SUBFP254 - // stack: y0 - y1, x0, y0, x1, y1, retdest - DUP4 - // stack: x1, y0 - y1, x0, y0, x1, y1, retdest - DUP3 - // stack: x0, x1, y0 - y1, x0, y0, x1, y1, retdest - SUBFP254 - // stack: x0 - x1, y0 - y1, x0, y0, x1, y1, retdest - %divr_fp254 - // stack: lambda, x0, y0, x1, y1, retdest - %jump(bn_add_valid_points_with_lambda) - -// BN254 elliptic curve addition. -// Assumption: (x0,y0) == (0,0) -bn_add_fst_zero: - // stack: x0, y0, x1, y1, retdest - // Just return (x1,y1) - %stack (x0, y0, x1, y1, retdest) -> (retdest, x1, y1) - JUMP - -// BN254 elliptic curve addition. -// Assumption: (x1,y1) == (0,0) -bn_add_snd_zero: - // stack: x0, y0, x1, y1, retdest - - // Just return (x0,y0) - %stack (x0, y0, x1, y1, retdest) -> (retdest, x0, y0) - JUMP - -// BN254 elliptic curve addition. -// Assumption: lambda = (y0 - y1)/(x0 - x1) -bn_add_valid_points_with_lambda: - // stack: lambda, x0, y0, x1, y1, retdest - - // Compute x2 = lambda^2 - x1 - x0 - DUP2 - // stack: x0, lambda, x0, y0, x1, y1, retdest - DUP5 - // stack: x1, x0, lambda, x0, y0, x1, y1, retdest - DUP3 - // stack: lambda, x1, x0, lambda, x0, y0, x1, y1, retdest - DUP1 - // stack: lambda, lambda, x1, x0, lambda, x0, y0, x1, y1, retdest - MULFP254 - // stack: lambda^2, x1, x0, lambda, x0, y0, x1, y1, retdest - SUBFP254 - // stack: lambda^2 - x1, x0, lambda, x0, y0, x1, y1, retdest - SUBFP254 - // stack: x2, lambda, x0, y0, x1, y1, retdest - - // Compute y2 = lambda*(x1 - x2) - y1 - DUP1 - // stack: x2, x2, lambda, x0, y0, x1, y1, retdest - DUP6 - // stack: x1, x2, x2, lambda, x0, y0, x1, y1, retdest - SUBFP254 - // stack: x1 - x2, x2, lambda, x0, y0, x1, y1, retdest - DUP3 - // stack: lambda, x1 - x2, x2, lambda, x0, y0, x1, y1, retdest - MULFP254 - // stack: lambda * (x1 - x2), x2, lambda, x0, y0, x1, y1, retdest - DUP7 - // stack: y1, lambda * (x1 - x2), x2, lambda, x0, y0, x1, y1, retdest - SWAP1 - // stack: lambda * (x1 - x2), y1, x2, lambda, x0, y0, x1, y1, retdest - SUBFP254 - // stack: y2, x2, lambda, x0, y0, x1, y1, retdest - - // Return x2,y2 - %stack (y2, x2, lambda, x0, y0, x1, y1, retdest) -> (retdest, x2, y2) - JUMP - -// BN254 elliptic curve addition. -// Assumption: (x0,y0) and (x1,y1) are valid points and x0 == x1 -bn_add_equal_first_coord: - // stack: x0, y0, x1, y1, retdest with x0 == x1 - - // Check if the points are equal - DUP2 - // stack: y0, x0, y0, x1, y1, retdest - DUP5 - // stack: y1, y0, x0, y0, x1, y1, retdest - EQ - // stack: y1 == y0, x0, y0, x1, y1, retdest - %jumpi(bn_add_equal_points) - // stack: x0, y0, x1, y1, retdest - - // Otherwise, one is the negation of the other so we can return (0,0). - %pop4 - // stack: retdest - PUSH 0 - // stack: 0, retdest - PUSH 0 - // stack: 0, 0, retdest - SWAP2 - // stack: retdest, 0, 0 - JUMP - - -// BN254 elliptic curve addition. -// Assumption: x0 == x1 and y0 == y1 -// Standard doubling formula. -bn_add_equal_points: - // stack: x0, y0, x1, y1, retdest - - // Compute lambda = 3/2 * x0^2 / y0 - DUP1 - // stack: x0, x0, y0, x1, y1, retdest - DUP1 - // stack: x0, x0, x0, y0, x1, y1, retdest - MULFP254 - // stack: x0^2, x0, y0, x1, y1, retdest with - PUSH 0x183227397098d014dc2822db40c0ac2ecbc0b548b438e5469e10460b6c3e7ea5 // 3/2 in the base field - // stack: 3/2, x0^2, x0, y0, x1, y1, retdest - MULFP254 - // stack: 3/2 * x0^2, x0, y0, x1, y1, retdest - DUP3 - // stack: y0, 3/2 * x0^2, x0, y0, x1, y1, retdest - %divr_fp254 - // stack: lambda, x0, y0, x1, y1, retdest - %jump(bn_add_valid_points_with_lambda) - -// BN254 elliptic curve doubling. -// Assumption: (x0,y0) is a valid point. -// Standard doubling formula. -global bn_double: - // stack: x, y, retdest - DUP2 DUP2 %ec_isidentity - // stack: (x,y)==(0,0), x, y, retdest - %jumpi(ec_double_retself) - DUP2 DUP2 - // stack: x, y, x, y, retdest - %jump(bn_add_equal_points) - -// Check if (x,y) is a valid curve point. -// Returns (range & curve) || ident -// where -// range = (x < N) & (y < N) -// curve = y^2 == (x^3 + 3) -// ident = (x,y) == (0,0) -%macro bn_check - // stack: x, y - DUP1 - // stack: x, x, y - PUSH @BN_BASE - // stack: N , x, x, y - DUP1 - // stack: N, N , x, x, y - DUP5 - // stack: y , N, N , x, x, y - LT - // stack: y < N, N , x, x, y - SWAP2 - // stack: x , N, y < N, x, y - LT - // stack: x < N, y < N, x, y - AND - // stack: range, x, y - SWAP2 - // stack: y, x, range - DUP2 - // stack: x , y, x, range - DUP1 - DUP1 - MULFP254 - MULFP254 - // stack: x^3, y, x, range - PUSH 3 - ADDFP254 - // stack: 3 + x^3, y, x, range - DUP2 - // stack: y , 3 + x^3, y, x, range - DUP1 - MULFP254 - // stack: y^2, 3 + x^3, y, x, range - EQ - // stack: curve, y, x, range - SWAP2 - // stack: x, y, curve, range - %ec_isidentity - // stack: ident , curve, range - SWAP2 - // stack: range , curve, ident - AND - // stack: range & curve, ident - OR - // stack: is_valid -%endmacro - -// Return (u256::MAX, u256::MAX) which is used to indicate the input was invalid. -%macro bn_invalid_input - // stack: retdest - PUSH @U256_MAX - // stack: u256::MAX, retdest - DUP1 - // stack: u256::MAX, u256::MAX, retdest - SWAP2 - // stack: retdest, u256::MAX, u256::MAX - JUMP -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_mul.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_mul.asm deleted file mode 100644 index 93864c5519..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_mul.asm +++ /dev/null @@ -1,41 +0,0 @@ -// BN254 elliptic curve scalar multiplication. -// Uses GLV, wNAF with w=5, and a MSM algorithm. -global bn_mul: - // stack: x, y, s, retdest - DUP2 - // stack: y, x, y, s, retdest - DUP2 - // stack: x, y, x, y, s, retdest - %ec_isidentity - // stack: (x,y)==(0,0), x, y, s, retdest - %jumpi(ret_zero_ec_mul) - // stack: x, y, s, retdest - DUP2 - // stack: y, x, y, s, retdest - DUP2 - // stack: x, y, x, y, s, retdest - %bn_check - // stack: isValid(x, y), x, y, s, retdest - %jumpi(bn_mul_valid_point) - // stack: x, y, s, retdest - %pop3 - %bn_invalid_input - -bn_mul_valid_point: - %stack (x, y, s, retdest) -> (s, bn_mul_after_glv, x, y, bn_msm, bn_mul_end, retdest) - %jump(bn_glv_decompose) -bn_mul_after_glv: - // stack: bneg, a, b, x, y, bn_msm, bn_mul_end, retdest - // Store bneg at this (otherwise unused) location. Will be used later in the MSM. - %mstore_current(@SEGMENT_BN_TABLE_Q, @BN_BNEG_LOC) - // stack: a, b, x, y, bn_msm, bn_mul_end, retdest - PUSH bn_mul_after_a SWAP1 PUSH @SEGMENT_BN_WNAF_A PUSH @BN_SCALAR %jump(wnaf) -bn_mul_after_a: - // stack: b, x, y, bn_msm, bn_mul_end, retdest - PUSH bn_mul_after_b SWAP1 PUSH @SEGMENT_BN_WNAF_B PUSH @BN_SCALAR %jump(wnaf) -bn_mul_after_b: - // stack: x, y, bn_msm, bn_mul_end, retdest - %jump(bn_precompute_table) -bn_mul_end: - %stack (Ax, Ay, retdest) -> (retdest, Ax, Ay) - JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_exponent.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_exponent.asm deleted file mode 100644 index 035cb43830..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/final_exponent.asm +++ /dev/null @@ -1,326 +0,0 @@ -/// To make the Tate pairing an invariant, the final step is to exponentiate by -/// (p^12 - 1)/N = (p^6 - 1) * (p^2 + 1) * (p^4 - p^2 + 1)/N -/// and thus we can exponentiate by each factor sequentially. -/// -/// def bn254_final_exponent(y: Fp12): -/// y = first_exp(y) -/// y = second_exp(y) -/// return final_exp(y) - -global bn254_final_exponent: - -/// first, exponentiate by (p^6 - 1) via -/// def first_exp(y): -/// return y.frob(6) / y - // stack: k, inp, out, retdest {out: y} - %stack (k, inp, out) -> (out, 0, first_exp, out) - // stack: out, 0, first_exp, out, retdest {out: y} - %jump(inv_fp254_12) -first_exp: - // stack: out, retdest {out: y , 0: y^-1} - %frob_fp254_12_6 - // stack: out, retdest {out: y_6, 0: y^-1} - %stack (out) -> (out, 0, out, second_exp, out) - // stack: out, 0, out, second_exp, out, retdest {out: y_6, 0: y^-1} - %jump(mul_fp254_12) - -/// second, exponentiate by (p^2 + 1) via -/// def second_exp(y): -/// return y.frob(2) * y -second_exp: - // stack: out, retdest {out: y} - %stack (out) -> (out, 0, out, out, final_exp, out) - // stack: out, 0, out, out, final_exp, out, retdest {out: y} - %frob_fp254_12_2_ - // stack: 0, out, out, final_exp, out, retdest {out: y, 0: y_2} - %jump(mul_fp254_12) - -/// Finally, we must exponentiate by (p^4 - p^2 + 1)/N -/// To do so efficiently, we can express this power as -/// (p^4 - p^2 + 1)/N = p^3 + (a2)p^2 - (a1)p - a0 -/// and simultaneously compute y^a4, y^a2, y^a0 where -/// a1 = a4 + 2a2 - a0 -/// We first initialize these powers as 1 and then use -/// binary algorithms for exponentiation. -/// -/// def final_exp(y): -/// y4, y2, y0 = 1, 1, 1 -/// power_loop_4() -/// power_loop_2() -/// power_loop_0() -/// custom_powers() -/// final_power() - -final_exp: - // stack: val, retdest - %stack (val) -> (val, 0, val) - // stack: val, 0, val, retdest - %move_fp254_12 - // dest addr returned by %move_fp254_12 is already scaled - // stack: addr, val, retdest {0: sqr} - - // Write 1s at offset 12, 24 and 36 - PUSH 12 - ADD - DUP1 %add_const(12) - DUP1 %add_const(12) - // stack: addr_1, addr_2, addr_3 - %rep 3 - PUSH 1 MSTORE_GENERAL - %endrep - - // stack: val, retdest {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (64, 62, 65, 0) - // stack: 64, 62, 65, 0, val, retdest {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(power_loop_4) - -/// After computing the powers -/// y^a4, y^a2, y^a0 -/// we would like to transform them to -/// y^a2, y^-a1, y^-a0 -/// -/// def custom_powers() -/// y0 = y0^{-1} -/// y1 = y4 * y2^2 * y0 -/// return y2, y1, y0 -/// -/// And finally, upon doing so, compute the final power -/// y^(p^3) * (y^a2)^(p^2) * (y^-a1)^p * (y^-a0) -/// -/// def final_power() -/// y = y.frob(3) -/// y2 = y2.frob(2) -/// y1 = y1.frob(1) -/// return y * y2 * y1 * y0 - -custom_powers: - // stack: val, retdest {12: y0, 24: y2, 36: y4} - %stack () -> (12, 48, make_term_1) - // stack: 12, 48, make_term_1, val, retdest {12: y0, 24: y2, 36: y4} - %jump(inv_fp254_12) -make_term_1: - // stack: val, retdest {24: y2, 36: y4, 48: y0^-1} - %stack () -> (24, 36, 36, make_term_2) - // stack: 24, 36, 36, make_term_2, val, retdest {24: y2, 36: y4, 48: y0^-1} - %jump(mul_fp254_12) -make_term_2: - // stack: val, retdest {24: y2, 36: y4 * y2, 48: y0^-1} - %stack () -> (24, 36, 36, make_term_3) - // stack: 24, 36, 36, make_term_3, val, retdest {24: y2, 36: y4 * y2, 48: y0^-1} - %jump(mul_fp254_12) -make_term_3: - // stack: val, retdest {24: y2, 36: y4 * y2^2, 48: y0^-1} - %stack () -> (48, 36, 36, final_power) - // stack: 48, 36, 36, final_power, val, retdest {24: y2, 36: y4 * y2^2, 48: y0^-1} - %jump(mul_fp254_12) -final_power: - // stack: val, retdest {val: y , 24: y^a2 , 36: y^a1 , 48: y^a0} - %frob_fp254_12_3 - // stack: val, retdest {val: y_3, 24: y^a2 , 36: y^a1 , 48: y^a0} - %stack () -> (24, 24) - %frob_fp254_12_2_ - POP - // stack: val, retdest {val: y_3, 24: (y^a2)_2, 36: y^a1 , 48: y^a0} - PUSH 36 - %frob_fp254_12_1 - POP - // stack: val, retdest {val: y_3, 24: (y^a2)_2, 36: (y^a1)_1, 48: y^a0} - %stack (val) -> (24, val, val, penult_mul, val) - // stack: 24, val, val, penult_mul, val, retdest {val: y_3, 24: (y^a2)_2, 36: (y^a1)_1, 48: y^a0} - %jump(mul_fp254_12) -penult_mul: - // stack: val, retdest {val: y_3 * (y^a2)_2, 36: (y^a1)_1, 48: y^a0} - %stack (val) -> (36, val, val, final_mul, val) - // stack: 36, val, val, final_mul, val, retdest {val: y_3 * (y^a2)_2, 36: (y^a1)_1, 48: y^a0} - %jump(mul_fp254_12) -final_mul: - // stack: val, retdest {val: y_3 * (y^a2)_2 * (y^a1)_1, 48: y^a0} - %stack (val) -> (48, val, val) - // stack: 48, val, val, retdest {val: y_3 * (y^a2)_2 * (y^a1)_1, 48: y^a0} - %jump(mul_fp254_12) - - -/// def power_loop_4(): -/// for i in range(64): -/// abc = load(i, power_data_4) -/// if a: -/// y4 *= acc -/// if b: -/// y2 *= acc -/// if c: -/// y0 *= acc -/// acc = square_fp254_12(acc) -/// y4 *= acc -/// -/// def power_loop_2(): -/// for i in range(62): -/// ab = load(i, power_data_2) -/// if a: -/// y2 *= acc -/// if b: -/// y0 *= acc -/// acc = square_fp254_12(acc) -/// y2 *= acc -/// -/// def power_loop_0(): -/// for i in range(65): -/// a = load(i, power_data_0) -/// if a: -/// y0 *= acc -/// acc = square_fp254_12(acc) -/// y0 *= acc - -power_loop_4: - // stack: i , j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - ISZERO - // stack: break?, i , j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_4_end) - // stack: i , j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(1) - // stack: i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %mload_kernel_code(power_data_4) - // stack: abc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %lt_const(100) - // stack: skip?, abc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_4_b) - // stack: abc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(100) - // stack: bc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (36, 36, power_loop_4_b) - // stack: 36, 36, power_loop_4_b, bc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP8 - // stack: sqr, 36, 36, power_loop_4_b, bc, i-1, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_4_b: - // stack: bc, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %lt_const(10) - // stack: skip?, bc, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_4_c) - // stack: bc, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(10) - // stack: c, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (24, 24, power_loop_4_c) - // stack: 24, 24, power_loop_4_c, c, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP8 - // stack: sqr, 24, 24, power_loop_4_c, c, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_4_c: - // stack: c, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - ISZERO - // stack: skip?, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_4_sq) - // stack: i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (12, 12, power_loop_4_sq) - // stack: 12, 12, power_loop_4_sq, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP7 - // stack: sqr, 12, 12, power_loop_4_sq, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_4_sq: - // stack: i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - PUSH power_loop_4 - // stack: power_loop_4, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP5 - DUP1 - // stack: sqr, sqr, power_loop_4, i, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(square_fp254_12) -power_loop_4_end: - // stack: 0, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - POP - // stack: j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (36, 36, power_loop_2) - // stack: 36, 36, power_loop_2, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP6 - // stack: sqr, 36, 36, power_loop_2, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) - -power_loop_2: - // stack: j , k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - ISZERO - // stack: break?, j , k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_2_end) - // stack: j , k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(1) - // stack: j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %mload_kernel_code(power_data_2) - // stack: ab, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %lt_const(10) - // stack: skip?, ab, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_2_b) - // stack: ab, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(10) - // stack: b, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (24, 24, power_loop_2_b) - // stack: 24, 24, power_loop_2_b, b, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP7 - // stack: sqr, 24, 24, power_loop_2_b, b, j-1, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_2_b: - // stack: b, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - ISZERO - // stack: skip?, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_2_sq) - // stack: j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (12, 12, power_loop_2_sq) - // stack: 12, 12, power_loop_2_sq, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP6 - // stack: sqr, 12, 12, power_loop_2_sq, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_2_sq: - // stack: j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - PUSH power_loop_2 - // stack: power_loop_2, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP4 - DUP1 - // stack: sqr, sqr, power_loop_2, j, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(square_fp254_12) -power_loop_2_end: - // stack: 0, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - POP - // stack: k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (24, 24, power_loop_0) - // stack: 24, 24, power_loop_0, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP5 - // stack: sqr, 24, 24, power_loop_0, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) - -power_loop_0: - // stack: k , sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - ISZERO - // stack: break?, k , sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_0_end) - // stack: k , sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %sub_const(1) - // stack: k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP1 - %mload_kernel_code(power_data_0) - // stack: a, k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - ISZERO - // stack: skip?, k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jumpi(power_loop_0_sq) - // stack: k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack () -> (12, 12, power_loop_0_sq) - // stack: 12, 12, power_loop_0_sq, k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP5 - // stack: sqr, 12, 12, power_loop_0_sq, k-1, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) -power_loop_0_sq: - // stack: k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - PUSH power_loop_0 - // stack: power_loop_0, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - DUP3 - DUP1 - // stack: sqr, sqr, power_loop_0, k, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(square_fp254_12) -power_loop_0_end: - // stack: 0, sqr {0: sqr, 12: y0, 24: y2, 36: y4} - %stack (i, sqr) -> (12, sqr, 12, custom_powers) - // stack: 12, sqr, 12, custom_powers {0: sqr, 12: y0, 24: y2, 36: y4} - %jump(mul_fp254_12) diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/glv.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/glv.asm deleted file mode 100644 index 32eb5b6c13..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/glv.asm +++ /dev/null @@ -1,116 +0,0 @@ -// Inspired by https://github.com/AztecProtocol/weierstrudel/blob/master/huff_modules/endomorphism.huff -// See also Sage code in evm/src/cpu/kernel/tests/ecc/bn_glv_test_data -// Given scalar `k ∈ Bn254::ScalarField`, return `u, k1, k2` with `k1,k2 < 2^127` and such that -// `k = k1 - s*k2` if `u==0` otherwise `k = k1 + s*k2`, where `s` is the scalar value representing the endomorphism. -// In the comments below, N means @BN_SCALAR -// -// Z3 proof that the resulting `k1, k2` satisfy `k1>0`, `k1 < 2^127` and `|k2| < 2^127`. -// ```python -// from z3 import Solver, Int, Or, unsat -// q = 0x30644E72E131A029B85045B68181585D2833E84879B9709143E1F593F0000001 -// glv_s = 0xB3C4D79D41A917585BFC41088D8DAAA78B17EA66B99C90DD -// -// b2 = 0x89D3256894D213E3 -// b1 = -0x6F4D8248EEB859FC8211BBEB7D4F1128 -// -// g1 = 0x24CCEF014A773D2CF7A7BD9D4391EB18D -// g2 = 0x2D91D232EC7E0B3D7 -// k = Int("k") -// c1 = Int("c1") -// c2 = Int("c2") -// s = Solver() -// -// c2p = -c2 -// s.add(k < q) -// s.add(0 < k) -// s.add(c1 * (2**256) <= g2 * k) -// s.add((c1 + 1) * (2**256) > g2 * k) -// s.add(c2p * (2**256) <= g1 * k) -// s.add((c2p + 1) * (2**256) > g1 * k) -// -// q1 = c1 * b1 -// q2 = c2 * b2 -// -// k2 = q2 - q1 -// k2L = (glv_s * k2) % q -// k1 = k - k2L -// k2 = -k2 -// -// s.add(Or((k2 >= 2**127), (-k2 >= 2**127), (k1 >= 2**127), (k1 < 0))) -// -// assert s.check() == unsat -// ``` -global bn_glv_decompose: - // stack: k, retdest - %mod_const(@BN_SCALAR) - PUSH @BN_SCALAR DUP1 DUP1 - // Compute c2 which is the top 256 bits of k*g1. Use asm from https://medium.com/wicketh/mathemagic-full-multiply-27650fec525d. - PUSH @U256_MAX - // stack: -1, N, N, N, k, retdest - PUSH @BN_GLV_MINUS_G1 DUP6 - // stack: k, g1, -1, N, N, N, k, retdest - MULMOD - // stack: (k * g1 % -1), N, N, N, k, retdest - PUSH @BN_GLV_MINUS_G1 DUP6 - // stack: k, g1, (k * g1 % -1), N, N, N, k, retdest - MUL - // stack: bottom = (k * g1), (k * g1 % -1), N, N, N, k, retdest - DUP1 DUP3 - // stack: (k * g1 % -1), bottom, bottom, (k * g1 % -1), N, N, N, k, retdest - LT SWAP2 SUB SUB - // stack: c2, N, N, N, k, retdest - PUSH @BN_GLV_B2 MULMOD - // stack: q2=c2*b2, N, N, k, retdest - - // Use the same trick to compute c1 = top 256 bits of g2*k. - PUSH @BN_SCALAR PUSH @U256_MAX - PUSH @BN_GLV_G2 DUP7 MULMOD - PUSH @BN_GLV_G2 DUP7 MUL - DUP1 DUP3 LT - SWAP2 SUB SUB - // stack: c1, N, q2, N, N, k, retdest - PUSH @BN_GLV_B1 MULMOD - // stack: q1, q2, N, N, k, retdest - - // We compute k2 = q1 + q2 - N, but we check for underflow and return N-q1-q2 instead if there is one, - // along with a flag `underflow` set to 1 if there is an underflow, 0 otherwise. - ADD %bn_sub_check_underflow - // stack: k2, underflow, N, k, retdest - DUP1 %ge_const(0x80000000000000000000000000000000) %jumpi(negate) - %jump(contd) -negate: - // stack: k2, underflow, N, k, retdest - SWAP1 PUSH 1 SUB SWAP1 - PUSH @BN_SCALAR SUB -contd: - // stack: k2, underflow, N, k, retdest - SWAP3 PUSH @BN_SCALAR DUP5 PUSH @BN_GLV_S - // stack: s, k2, N, k, underflow, N, k2, retdest - MULMOD - // stack: s*k2, k, underflow, N, k2, retdest - // Need to return `k + s*k2` if no underflow occur, otherwise return `k - s*k2` which is done in the `underflowed` fn. - SWAP2 DUP1 %jumpi(underflowed) - %stack (underflow, k, x, N, k2) -> (k, x, N, k2, underflow) - ADDMOD - %stack (k1, k2, underflow, retdest) -> (retdest, underflow, k1, k2) - JUMP - -underflowed: - // stack: underflow, k, s*k2, N, k2 - // Compute (k-s*k2)%N. - %stack (u, k, x, N, k2) -> (k, x, N, k2, u) - SUBMOD - %stack (k1, k2, underflow, retdest) -> (retdest, underflow, k1, k2) - JUMP - -%macro bn_sub_check_underflow - // stack: x, y - DUP2 DUP2 LT - // stack: x=y, x (x, y, b, a, c) - SUB MUL ADD - %stack (res, bool) -> (res, @BN_SCALAR, bool) - MOD -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/miller_loop.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/miller_loop.asm deleted file mode 100644 index 99cf24e71d..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/miller_loop.asm +++ /dev/null @@ -1,325 +0,0 @@ -/// def miller(P, Q): -/// miller_init() -/// miller_loop() -/// -/// def miller_init(): -/// out = 1 -/// O = P -/// times = 61 -/// -/// def miller_loop(): -/// while times: -/// 0xnm = load(miller_data) -/// while 0xnm > 0x20: -/// miller_one() -/// while 0xnm: -/// miller_zero() -/// times -= 1 -/// -/// def miller_one(): -/// 0xnm -= 0x20 -/// mul_tangent() -/// mul_cord() -/// -/// def miller_zero(): -/// 0xnm -= 1 -/// mul_tangent() - -global bn254_miller: - // stack: ptr, out, retdest - %stack (ptr, out) -> (out, ptr, out) - // stack: out, ptr, out, retdest - %write_fp254_12_unit - // stack: ptr, out, retdest - %load_fp254_6 - // stack: P, Q, out, retdest - %stack (P: 2) -> (0, 53, P, P) - // stack: 0, 53, O, P, Q, out, retdest - // the head 0 lets miller_loop start with POP -miller_loop: - POP - // stack: times , O, P, Q, out, retdest - DUP1 - ISZERO - // stack: break?, times , O, P, Q, out, retdest - %jumpi(miller_return) - // stack: times , O, P, Q, out, retdest - %sub_const(1) - // stack: times-1, O, P, Q, out, retdest - DUP1 - // stack: times-1, times-1, O, P, Q, out, retdest - %mload_kernel_code(miller_data) - // stack: 0xnm, times-1, O, P, Q, out, retdest - %jump(miller_one) -miller_return: - // stack: times, O, P, Q, out, retdest - %stack (times, O: 2, P: 2, Q: 4, out, retdest) -> (retdest) - // stack: retdest - %clear_line - JUMP - -miller_one: - // stack: 0xnm, times, O, P, Q, out, retdest - DUP1 - %lt_const(0x20) - // stack: skip?, 0xnm, times, O, P, Q, out, retdest - %jumpi(miller_zero) - // stack: 0xnm, times, O, P, Q, out, retdest - %sub_const(0x20) - // stack: 0x{n-1}m, times, O, P, Q, out, retdest - PUSH mul_cord - // stack: mul_cord, 0x{n-1}m, times, O, P, Q, out, retdest - %jump(mul_tangent) - -miller_zero: - // stack: m , times, O, P, Q, out, retdest - DUP1 - ISZERO - // stack: skip?, m , times, O, P, Q, out, retdest - %jumpi(miller_loop) - // stack: m , times, O, P, Q, out, retdest - %sub_const(1) - // stack: m-1, times, O, P, Q, out, retdest - PUSH miller_zero - // stack: miller_zero, m-1, times, O, P, Q, out, retdest - %jump(mul_tangent) - - -/// def mul_tangent() -/// out = square_fp254_12(out) -/// line = tangent(O, Q) -/// out = mul_fp254_12_sparse(out, line) -/// O += O - -mul_tangent: - // stack: retdest, 0xnm, times, O, P, Q, out - PUSH mul_tangent_2 - DUP13 - PUSH mul_tangent_1 - // stack: mul_tangent_1, out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out - %stack (mul_tangent_1, out) -> (out, out, mul_tangent_1, out) - // stack: out, out, mul_tangent_1, out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out - %jump(square_fp254_12) -mul_tangent_1: - // stack: out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out - DUP13 - DUP13 - DUP13 - DUP13 - // stack: Q, out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out - DUP11 - DUP11 - // stack: O, Q, out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out - %tangent - // stack: out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out {12: line} - %stack (out) -> (out, 12, out) - // stack: out, 12, out, mul_tangent_2, retdest, 0xnm, times, O, P, Q, out {12: line} - %jump(mul_fp254_12_sparse) -mul_tangent_2: - // stack: retdest, 0xnm, times, O, P, Q, out {12: line} - PUSH after_double - // stack: after_double, retdest, 0xnm, times, O, P, Q, out {12: line} - DUP6 - DUP6 - // stack: O, after_double, retdest, 0xnm, times, O, P, Q, out {12: line} - %jump(bn_double) -after_double: - // stack: 2*O, retdest, 0xnm, times, O, P, Q, out {12: line} - SWAP5 - POP - SWAP5 - POP - // stack: retdest, 0xnm, times, 2*O, P, Q, out {12: line} - JUMP - -/// def mul_cord() -/// line = cord(P, O, Q) -/// out = mul_fp254_12_sparse(out, line) -/// O += P - -mul_cord: - // stack: 0xnm, times, O, P, Q, out - PUSH mul_cord_1 - // stack: mul_cord_1, 0xnm, times, O, P, Q, out - DUP11 - DUP11 - DUP11 - DUP11 - // stack: Q, mul_cord_1, 0xnm, times, O, P, Q, out - DUP9 - DUP9 - // stack: O, Q, mul_cord_1, 0xnm, times, O, P, Q, out - DUP13 - DUP13 - // stack: P, O, Q, mul_cord_1, 0xnm, times, O, P, Q, out - %cord - // stack: mul_cord_1, 0xnm, times, O, P, Q, out {12: line} - DUP12 - // stack: out, mul_cord_1, 0xnm, times, O, P, Q, out {12: line} - %stack (out) -> (out, 12, out) - // stack: out, 12, out, mul_cord_1, 0xnm, times, O, P, Q, out {12: line} - %jump(mul_fp254_12_sparse) -mul_cord_1: - // stack: 0xnm, times, O , P, Q, out - PUSH after_add - // stack: after_add, 0xnm, times, O , P, Q, out - DUP7 - DUP7 - DUP7 - DUP7 - // stack: O , P, after_add, 0xnm, times, O , P, Q, out - %jump(bn_add_valid_points) -after_add: - // stack: O + P, 0xnm, times, O , P, Q, out - SWAP4 - POP - SWAP4 - POP - // stack: 0xnm, times, O+P, P, Q, out - %jump(miller_one) - - -/// def tangent(px, py, qx, qy): -/// return sparse_store( -/// py**2 - 9, -/// (-3px**2) * qx, -/// (2py) * qy, -/// ) - -%macro tangent - // stack: px, py, qx, qx_, qy, qy_ - PUSH 12 - %create_bn254_pairing_address - %stack (addr12, px, py) -> (py, py, 9, addr12, addr12, px, py) - // stack: py, py, 9, addr12, addr12, px, py, qx, qx_, qy, qy_ - MULFP254 - // stack: py^2, 9, addr12, addr12, px, py, qx, qx_, qy, qy_ - SUBFP254 - // stack: py^2 - 9, addr12, addr12, px, py, qx, qx_, qy, qy_ - MSTORE_GENERAL - // stack: addr12, px, py, qx, qx_, qy, qy_ - %add_const(2) DUP1 - SWAP2 - DUP1 - MULFP254 - // stack: px^2, addr14, addr14, py, qx, qx_, qy, qy_ - PUSH 3 - MULFP254 - // stack: 3*px^2, addr14, addr14, py, qx, qx_, qy, qy_ - PUSH 0 - SUBFP254 - // stack: -3*px^2, addr14, addr14, py, qx, qx_, qy, qy_ - SWAP4 - // stack: qx, addr14, addr14, py, -3px^2, qx_, qy, qy_ - DUP5 - MULFP254 - // stack: (-3*px^2)qx, addr14, addr14, py, -3px^2, qx_, qy, qy_ - MSTORE_GENERAL - // stack: addr14, py, -3px^2, qx_, qy, qy_ - DUP1 %add_const(6) - // stack: addr20, addr14, py, -3px^2, qx_, qy, qy_ - %stack (addr20, addr14, py) -> (2, py, addr20, addr14) - MULFP254 - // stack: 2py, addr20, addr14, -3px^2, qx_, qy, qy_ - SWAP5 - // stack: qy, addr20, addr14, -3px^2, qx_, 2py, qy_ - DUP6 - MULFP254 - // stack: (2py)qy, addr20, addr14, -3px^2, qx_, 2py, qy_ - MSTORE_GENERAL - // stack: addr14, -3px^2, qx_, 2py, qy_ - %add_const(1) SWAP2 - // stack: qx_, -3px^2, addr15, 2py, qy_ - MULFP254 - // stack: (-3px^2)*qx_, addr15, 2py, qy_ - MSTORE_GENERAL - // stack: 2py, qy_ - MULFP254 - // stack: (2py)*qy_ - %mstore_bn254_pairing(21) -%endmacro - -/// def cord(p1x, p1y, p2x, p2y, qx, qy): -/// return sparse_store( -/// p1y*p2x - p2y*p1x, -/// (p2y - p1y) * qx, -/// (p1x - p2x) * qy, -/// ) - -%macro cord - // stack: p1x , p1y, p2x , p2y, qx, qx_, qy, qy_ - DUP1 - DUP5 - MULFP254 - // stack: p2y*p1x, p1x , p1y, p2x , p2y, qx, qx_, qy, qy_ - DUP3 - DUP5 - MULFP254 - // stack: p1y*p2x , p2y*p1x, p1x , p1y, p2x , p2y, qx, qx_, qy, qy_ - SUBFP254 - // stack: p1y*p2x - p2y*p1x, p1x , p1y, p2x , p2y, qx, qx_, qy, qy_ - %mstore_bn254_pairing(12) - // stack: p1x , p1y, p2x , p2y, qx, qx_, qy, qy_ - SWAP3 - // stack: p2y , p1y, p2x , p1x, qx, qx_, qy, qy_ - SUBFP254 - // stack: p2y - p1y, p2x , p1x, qx, qx_, qy, qy_ - SWAP2 - // stack: p1x , p2x, p2y - p1y, qx, qx_, qy, qy_ - SUBFP254 - // stack: p1x - p2x, p2y - p1y, qx, qx_, qy, qy_ - SWAP4 - // stack: qy, p2y - p1y, qx, qx_, p1x - p2x, qy_ - DUP5 - MULFP254 - // stack: (p1x - p2x)qy, p2y - p1y, qx, qx_, p1x - p2x, qy_ - %mstore_bn254_pairing(20) - // stack: p2y - p1y, qx, qx_, p1x - p2x, qy_ - SWAP1 - // stack: qx, p2y - p1y, qx_, p1x - p2x, qy_ - DUP2 - MULFP254 - // stack: (p2y - p1y)qx, p2y - p1y, qx_, p1x - p2x, qy_ - %mstore_bn254_pairing(14) - // stack: p2y - p1y, qx_, p1x - p2x, qy_ - MULFP254 - // stack: (p2y - p1y)qx_, p1x - p2x, qy_ - %mstore_bn254_pairing(15) - // stack: p1x - p2x, qy_ - MULFP254 - // stack: (p1x - p2x)*qy_ - %mstore_bn254_pairing(21) -%endmacro - -%macro clear_line - PUSH 12 - %create_bn254_pairing_address - // stack: addr12 - DUP1 %add_const(2) - // stack: addr14, addr12 - DUP1 %add_const(1) - // stack: addr15, addr14, addr12 - DUP1 %add_const(5) - // stack: addr20, addr15, addr14, addr12 - DUP1 %add_const(1) - // stack: addr21, addr20, addr15, addr14, addr12 - %rep 5 - PUSH 0 MSTORE_GENERAL - %endrep -%endmacro - - -%macro write_fp254_12_unit - // Write 0x10000000000000000000000 with MSTORE_32BYTES_12, - // effectively storing 1 at the initial offset, and 11 0s afterwards. - - // stack: out - %create_bn254_pairing_address - // stack: addr - PUSH 0x10000000000000000000000 - SWAP1 - // stack: addr, 0x10000000000000000000000 - MSTORE_32BYTES_12 - POP - // stack: -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/msm.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/msm.asm deleted file mode 100644 index d5b97312ba..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/msm.asm +++ /dev/null @@ -1,73 +0,0 @@ -// Computes the multiplication `a*G` using a standard MSM with the GLV decomposition of `a`. -// see there for a detailed description. -global bn_msm: - // stack: retdest - PUSH 0 PUSH 0 PUSH 0 -global bn_msm_loop: - // stack: accx, accy, i, retdest - DUP3 %bn_mload_wnaf_a - // stack: w, accx, accy, i, retdest - DUP1 %jumpi(bn_msm_loop_add_a_nonzero) - POP -msm_loop_add_b: - //stack: accx, accy, i, retdest - DUP3 %bn_mload_wnaf_b - // stack: w, accx, accy, i, retdest - DUP1 %jumpi(bn_msm_loop_add_b_nonzero) - POP -msm_loop_contd: - %stack (accx, accy, i, retdest) -> (i, i, accx, accy, retdest) - // TODO: the GLV scalars for the BN curve are 127-bit, so could use 127 here. But this would require modifying `wnaf.asm`. Not sure it's worth it... - %eq_const(129) %jumpi(msm_end) - %increment - //stack: i+1, accx, accy, retdest - %stack (i, accx, accy, retdest) -> (accx, accy, bn_msm_loop, i, retdest) - %jump(bn_double) - -msm_end: - %stack (i, accx, accy, retdest) -> (retdest, accx, accy) - JUMP - -bn_msm_loop_add_a_nonzero: - %stack (w, accx, accy, i, retdest) -> (w, accx, accy, msm_loop_add_b, i, retdest) - %bn_mload_point_a - // stack: px, py, accx, accy, msm_loop_add_b, i, retdest - %jump(bn_add_valid_points) - -bn_msm_loop_add_b_nonzero: - %stack (w, accx, accy, i, retdest) -> (w, accx, accy, msm_loop_contd, i, retdest) - %bn_mload_point_b - // stack: px, py, accx, accy, msm_loop_contd, i, retdest - %jump(bn_add_valid_points) - -%macro bn_mload_wnaf_a - // stack: i - %mload_current(@SEGMENT_BN_WNAF_A) -%endmacro - -%macro bn_mload_wnaf_b - // stack: i - %mload_current(@SEGMENT_BN_WNAF_B) -%endmacro - -%macro bn_mload_point_a - // stack: w - DUP1 - %mload_current(@SEGMENT_BN_TABLE_Q) - //stack: Gy, w - SWAP1 %decrement %mload_current(@SEGMENT_BN_TABLE_Q) - //stack: Gx, Gy -%endmacro - -%macro bn_mload_point_b - // stack: w - DUP1 - %mload_current(@SEGMENT_BN_TABLE_Q) - PUSH @BN_BNEG_LOC %mload_current(@SEGMENT_BN_TABLE_Q) - %stack (bneg, Gy, w) -> (@BN_BASE, Gy, bneg, bneg, Gy, w) - SUB SWAP1 ISZERO MUL SWAP2 MUL ADD - SWAP1 %decrement %mload_current(@SEGMENT_BN_TABLE_Q) - //stack: Gx, Gy - PUSH @BN_GLV_BETA - MULFP254 -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/pairing.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/pairing.asm deleted file mode 100644 index 735d001aae..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/pairing.asm +++ /dev/null @@ -1,194 +0,0 @@ -/// The input to the pairing script is a list of points -/// P_i = n_i*G: Curve, Q_i = m_i*H: TwistedCurve -/// where G, H are the respective generators, such that -/// sum_i n_i*m_i = 0 -/// and therefore, due to bilinearity of the pairing: -/// prod_i e(P_i, Q_i) -/// = prod_i e(n_i G, m_i H) -/// = prod_i e(G,H)^{n_i * m_i} -/// = e(G,H)^{sum_i n_i * m_i} -/// = e(G,H)^0 -/// = 1: Fp12 - -/// def bn254_pairing(pairs: List((Curve, TwistedCurve))) -> Bool: -/// -/// for P, Q in pairs: -/// if not (P.is_valid and Q.is_valid): -/// return @U256_MAX -/// -/// out = 1 -/// for P, Q in pairs: -/// if P != 0 and Q != 0: -/// out *= miller_loop(P, Q) -/// -/// result = bn254_final_exponent(out) -/// return result == unit_fp12 - -/// The following is a key to this API -/// -/// - k is the number of inputs -/// - each input given by a pair of points, one on the curve and one on the twisted curve -/// - each input consists of 6 stack terms---2 for the curve point and 4 for the twisted curve point -/// - the inputs are presumed to be placed on the kernel contiguously -/// - the output (as defined above) is an Fp12 element -/// - out and inp are the BnPairing segment offsets for the output element and input -/// - the assembly code currently uses offsets 0-78 for scratch space - -global bn254_pairing: - // stack: k, inp, out, retdest - DUP1 - -bn254_input_check: - // stack: j , k, inp - DUP1 - ISZERO - // stack: end?, j , k, inp - %jumpi(bn254_pairing_start) - // stack: j , k, inp - %sub_const(1) - // stack: j=j-1, k, inp - - %stack (j, k, inp) -> (j, inp, j, k, inp) - // stack: j, inp, j, k, inp - %mul_const(6) - ADD - // stack: inp_j=inp+6j, j, k, inp - DUP1 - // stack: inp_j, inp_j, j, k, inp - %load_fp254_2 - // stack: P_j, inp_j, j, k, inp - %bn_check - // stack: valid?, inp_j, j, k, inp - ISZERO - %jumpi(bn_pairing_invalid_input) - // stack: inp_j, j, k, inp - DUP1 - // stack: inp_j , inp_j, j, k, inp - %add_const(2) - // stack: inp_j', inp_j, j, k, inp - %load_fp254_4 - // stack: Q_j, inp_j, j, k, inp - %bn_check_twisted - // stack: valid?, inp_j, j, k, inp - ISZERO - %jumpi(bn_pairing_invalid_input) - // stack: inp_j, j, k, inp - POP - %jump(bn254_input_check) - -bn_pairing_invalid_input: - // stack: inp_j, j, k, inp, out, retdest - %stack (inp_j, j, k, inp, out, retdest) -> (retdest, @U256_MAX) - JUMP - -bn254_pairing_start: - // stack: 0, k, inp, out, retdest - %stack (j, k, inp, out) -> (out, k, inp, out, bn254_pairing_output_validation, out) - // stack: out, k, inp, out, bn254_pairing_output_validation, out, retdest - %mstore_bn254_pairing_value(1) - // stack: k, inp, out, bn254_pairing_output_validation, out, retdest - -bn254_pairing_loop: - // stack: k, inp, out, bn254_pairing_output_validation, out, retdest - DUP1 - ISZERO - // stack: end?, k, inp, out, bn254_pairing_output_validation, out, retdest - %jumpi(bn254_final_exponent) - // stack: k, inp, out, bn254_pairing_output_validation, out, retdest - %sub_const(1) - // stack: k=k-1, inp, out, bn254_pairing_output_validation, out, retdest - %stack (k, inp) -> (k, inp, k, inp) - // stack: k, inp, k, inp, out, bn254_pairing_output_validation, out, retdest - %mul_const(6) - ADD - // stack: inp_k, k, inp, out, bn254_pairing_output_validation, out, retdest - DUP1 - %load_fp254_6 - // stack: P, Q, inp_k, k, inp, out, bn254_pairing_output_validation, out, retdest - %neutral_input - // stack: skip?, inp_k, k, inp, out, bn254_pairing_output_validation, out, retdest - %jumpi(bn_skip_input) - // stack: inp_k, k, inp, out, bn254_pairing_output_validation, out, retdest - %stack (inp_k, k, inp, out) -> (bn254_miller, inp_k, 0, mul_fp254_12, 0, out, out, bn254_pairing_loop, k, inp, out) - // stack: bn254_miller, inp_k, 0, - // mul_fp254_12, 0, out, out, - // bn254_pairing_loop, k, inp, out, - // bn254_pairing_output_validation, out, retdest - JUMP - -bn_skip_input: - // stack: inp_k, k, inp, out, bn254_pairing_output_validation, out, retdest - POP - // stack: k, inp, out, bn254_pairing_output_validation, out, retdest - %jump(bn254_pairing_loop) - - -bn254_pairing_output_validation: - // stack: out, retdest - %create_bn254_pairing_address - PUSH 1 - // stack: check, out_addr, retdest - %check_output_term - %check_output_term(1) - %check_output_term(2) - %check_output_term(3) - %check_output_term(4) - %check_output_term(5) - %check_output_term(6) - %check_output_term(7) - %check_output_term(8) - %check_output_term(9) - %check_output_term(10) - %check_output_term(11) - // stack: check, out_addr, retdest - %stack (check, out_addr, retdest) -> (retdest, check) - JUMP - -%macro check_output_term - // stack: check, out - DUP2 - // stack: out0, check, out - MLOAD_GENERAL - // stack: f0, check, out - %eq_const(1) - // stack: check0, check, out - MUL - // stack: check, out -%endmacro - -%macro check_output_term(j) - // stack: check, out - DUP2 - %add_const($j) - // stack: outj, check, out - MLOAD_GENERAL - // stack: fj, check, out - ISZERO - // stack: checkj, check, out - MUL - // stack: check, out -%endmacro - -%macro neutral_input - // stack: P , Q - ISZERO - SWAP1 - ISZERO - MUL - // stack: P==0, Q - SWAP4 - // stack: Q , P==0 - ISZERO - SWAP1 - ISZERO - MUL - SWAP1 - ISZERO - MUL - SWAP1 - ISZERO - MUL - // stack: Q==0, P==0 - OR - // stack: Q==0||P==0 -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/precomputation.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/precomputation.asm deleted file mode 100644 index 5ee6685fe6..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/precomputation.asm +++ /dev/null @@ -1,35 +0,0 @@ -// Precompute a table of multiples of the BN254 point `Q = (Qx, Qy)`. -// Let `(Qxi, Qyi) = i * Q`, then store in the `SEGMENT_BN_TABLE_Q` segment of memory the values -// `i-1 => Qxi`, `i => Qyi if i < 16 else -Qy(32-i)` for `i in range(1, 32, 2)`. -global bn_precompute_table: - // stack: Qx, Qy, retdest - PUSH precompute_table_contd DUP3 DUP3 - %jump(bn_double) -precompute_table_contd: - // stack: Qx2, Qy2, Qx, Qy, retdest - PUSH 1 -bn_precompute_table_loop: - // stack i, Qx2, Qy2, Qx, Qy, retdest - PUSH 1 DUP2 SUB - %stack (im, i, Qx2, Qy2, Qx, Qy, retdest) -> (i, Qy, im, Qx, i, Qx2, Qy2, Qx, Qy, retdest) - %mstore_current(@SEGMENT_BN_TABLE_Q) %mstore_current(@SEGMENT_BN_TABLE_Q) - // stack: i, Qx2, Qy2, Qx, Qy, retdest - DUP1 PUSH 32 SUB PUSH 1 DUP2 SUB - // stack: 31-i, 32-i, i, Qx2, Qy2, Qx, Qy, retdest - DUP7 PUSH @BN_BASE SUB - // TODO: Could maybe avoid storing Qx a second time here, not sure if it would be more efficient. - %stack (Qyy, iii, ii, i, Qx2, Qy2, Qx, Qy, retdest) -> (iii, Qx, ii, Qyy, i, Qx2, Qy2, Qx, Qy, retdest) - %mstore_current(@SEGMENT_BN_TABLE_Q) %mstore_current(@SEGMENT_BN_TABLE_Q) - // stack: i, Qx2, Qy2, Qx, Qy, retdest - PUSH 2 ADD - // stack: i+2, Qx2, Qy2, Qx, Qy, retdest - DUP1 PUSH 16 LT %jumpi(precompute_table_end) - %stack (i, Qx2, Qy2, Qx, Qy, retdest) -> (Qx, Qy, Qx2, Qy2, precompute_table_loop_contd, i, Qx2, Qy2, retdest) - %jump(bn_add_valid_points) -precompute_table_loop_contd: - %stack (Qx, Qy, i, Qx2, Qy2, retdest) -> (i, Qx2, Qy2, Qx, Qy, retdest) - %jump(bn_precompute_table_loop) - -precompute_table_end: - // stack: i, Qx2, Qy2, Qx, Qy, retdest - %pop5 JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/twisted_curve.asm b/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/twisted_curve.asm deleted file mode 100644 index 859c45fe3b..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/twisted_curve.asm +++ /dev/null @@ -1,94 +0,0 @@ -// Check if (X,Y) is a valid curve point. -// Returns (range & curve) || ident -// where -// range = (x < N) & (x_ < N) & (y < N) & (y_ < N) -// curve = Y^2 == X^3 + 3/(9+i) -// ident = (X,Y) == (0,0) - -%macro bn_check_twisted - // stack: x, x_, y, y_ - %bn_check_twisted_range - // stack: range, x, x_, y, y_ - %bn_check_twisted_curve - // stack: curve , range, x, x_, y, y_ - MUL // Cheaper than AND - // stack: curve & range, x, x_, y, y_ - SWAP4 - // stack: y_, x, x_, y, curve & range - %bn_check_twisted_ident - // stack: ident , curve & range - OR - // stack: ident || (curve & range) -%endmacro - -%macro bn_check_twisted_range - // stack: x, x_, y, y_ - PUSH @BN_BASE - // stack: N, x, x_, y, y_ - %stack (N) -> (N, N, N, N) - // stack: N, N, N, N, x, x_, y, y_ - DUP8 - // stack: y_ , N, N, N, N, x, x_, y, y_ - LT - // stack: y_ < N, N, N, N, x, x_, y, y_ - SWAP3 - // stack: N, N, N, y_ < N, x, x_, y, y_ - DUP7 - // stack: y , N, N, N, y_ < N, x, x_, y, y_ - LT - // stack: y < N, N, N, y_ < N, x, x_, y, y_ - SWAP2 - // stack: N, N, y < N, y_ < N, x, x_, y, y_ - DUP6 - // stack: x_ , N, N, y < N, y_ < N, x, x_, y, y_ - LT - // stack: x_ < N, N, y < N, y_ < N, x, x_, y, y_ - SWAP1 - // stack: N, x_ < N, y < N, y_ < N, x, x_, y, y_ - DUP5 - // stack: x , N, x_ < N, y < N, y_ < N, x, x_, y, y_ - LT - // stack: x < N, x_ < N, y < N, y_ < N, x, x_, y, y_ - MUL // Cheaper than AND - MUL // Cheaper than AND - MUL // Cheaper than AND - // stack: range, x, x_, y, y_ -%endmacro - -%macro bn_check_twisted_curve - // stack: range, X, Y - %stack (range, X: 2, Y: 2) -> (Y, Y, range, X, Y) - // stack: Y, Y, range, X, Y - %mul_fp254_2 - // stack: Y^2, range, X, Y - %stack () -> (@BN_TWISTED_RE, @BN_TWISTED_IM) - // stack: A, Y^2, range, X, Y - %stack (A: 2, Y2: 2, range, X: 2) -> (X, X, X, A, Y2, range, X) - // stack: X, X, X, A, Y^2, range, X, Y - %mul_fp254_2 - %mul_fp254_2 - // stack: X^3 , A, Y^2, range, X, Y - %add_fp254_2 - // stack: X^3 + A, Y^2, range, X, Y - %eq_fp254_2 - // stack: curve, range, X, Y -%endmacro - -%macro bn_check_twisted_ident - SWAP2 - // stack: a , b , c , d - ISZERO - SWAP3 - // stack: d , b , c , a==0 - ISZERO - SWAP2 - // stack: c , b , d==0, a==0 - ISZERO - SWAP1 - // stack: b , c==0, d==0, a==0 - ISZERO - // stack: b==0, c==0, d==0, a==0 - MUL // Cheaper than AND - MUL // Cheaper than AND - MUL // Cheaper than AND -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_12_mul.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_12_mul.asm deleted file mode 100644 index 45016ed155..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_12_mul.asm +++ /dev/null @@ -1,303 +0,0 @@ -/////////////////////////////////////// -///// GENERAL FP12 MULTIPLICATION ///// -/////////////////////////////////////// - -/// inputs: -/// F = f + f'z -/// G = g + g'z -/// -/// output: -/// H = h + h'z = FG -/// -/// h = fg + sh(f'g') -/// h' = (f+f')(g+g') - fg - f'g' -/// -/// memory pointers [ind' = ind+6] -/// {inA: f, inA: f', inB: g, inB':g', out: h, out': h'} -/// -/// f, f', g, g' consist of six elements on the stack - -global mul_fp254_12: - // stack: inA, inB, out - DUP1 - %add_const(6) - // stack: inA', inA, inB, out - %load_fp254_6 - // stack: f', inA, inB, out - DUP8 - %add_const(6) - // stack: inB', f', inA, inB, out - %load_fp254_6 - // stack: g', f', inA, inB, out - PUSH mul_fp254_12_1 - // stack: mul_fp254_12_1, g', f', inA, inB, out - %dup_fp254_6_7 - // stack: f', mul_fp254_12_1, g', f', inA, inB, out - %dup_fp254_6_7 - // stack: g', f', mul_fp254_12_1, g', f', inA, inB, out - %jump(mul_fp254_6) -mul_fp254_12_1: - // stack: f'g', g' , f', inA, inB, out - %dup_fp254_6_0 - // stack: f'g', f'g', g' , f', inA, inB, out - %store_fp254_6_sh(60) - // stack: f'g', g' , f', inA, inB, out {60: sh(f'g')} - %store_fp254_6(66) - // stack: g' , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - DUP13 - // stack: inA, g' , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - DUP15 - // stack: inB, inA, g' , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %load_fp254_6 - // stack: g , inA, g' , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: g', inA, g , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %dup_fp254_6_7 - // stack: g,g', inA, g , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %add_fp254_6 - // stack: g+g', inA, g , f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: g, inA, g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g'} - PUSH mul_fp254_12_2 - // stack: mul_fp254_12_2, g, inA, g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g'} - SWAP7 - // stack: inA, g, mul_fp254_12_2, g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %load_fp254_6 - // stack: f, g, mul_fp254_12_2, g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %jump(mul_fp254_6) -mul_fp254_12_2: - // stack: fg, g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g'} - %store_fp254_6(72) - // stack: g+g', f', inA, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %stack (x: 6, y: 6) -> (y, x) - // stack: f', g+g', inA, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - PUSH mul_fp254_12_3 - // stack: mul_fp254_12_3, f', g+g', inA, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - SWAP13 - // stack: inA, f', g+g', mul_fp254_12_3, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %load_fp254_6 - // stack: f,f', g+g', mul_fp254_12_3, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %add_fp254_6 - // stack: f+f', g+g', mul_fp254_12_3, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %jump(mul_fp254_6) -mul_fp254_12_3: - // stack: (f+f')(g+g'), inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %load_fp254_6(72) - // stack: fg, (f+f')(g+g'), inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %stack (x: 6, y: 6) -> (y, x) - // stack: (f+f')(g+g'), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %dup_fp254_6_6 - // stack: fg, (f+f')(g+g'), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %load_fp254_6(66) - // stack: f'g',fg, (f+f')(g+g'), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %add_fp254_6 - // stack: f'g'+fg, (f+f')(g+g'), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %subr_fp254_6 - // stack: (f+f')(g+g') - (f'g'+fg), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - DUP14 - %add_const(6) - // stack: out', (f+f')(g+g') - (f'g'+fg), fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %store_fp254_6 - // stack: fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %load_fp254_6(60) - // stack: sh(f'g') , fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %add_fp254_6 - // stack: sh(f'g') + fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - DUP8 - // stack: out, sh(f'g') + fg, inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %store_fp254_6 - // stack: inB, out {60: sh(f'g'), 66: f'g', 72: fg} - %pop2 - JUMP - - -////////////////////////////////////// -///// SPARSE FP12 MULTIPLICATION ///// -////////////////////////////////////// - -/// input: -/// F = f + f'z -/// G = g0 + (G1)t + (G2)tz -/// -/// output: -/// H = h + h'z = FG -/// = g0 * [f + f'z] + G1 * [sh(f) + sh(f')z] + G2 * [sh2(f') + sh(f)z] -/// -/// h = g0 * f + G1 * sh(f ) + G2 * sh2(f') -/// h' = g0 * f' + G1 * sh(f') + G2 * sh (f ) -/// -/// memory pointers [ind' = ind+6, inB2 = inB1 + 2 = inB + 3] -/// { inA: f, inA': f', inB: g0, inB1: G1, inB2: G2, out: h, out': h'} -/// -/// f, f' consist of six elements; G1, G1' consist of two elements; and g0 of one element - -global mul_fp254_12_sparse: - // stack: inA, inB, out - DUP1 - %add_const(6) - // stack: inA', inA, inB, out - %load_fp254_6 - // stack: f', inA, inB, out - DUP8 - // stack: inB, f', inA, inB, out - DUP8 - // stack: inA, inB, f', inA, inB, out - %load_fp254_6 - // stack: f, inB, f', inA, inB, out - DUP16 - // stack: out, f, inB, f', inA, inB, out - %dup_fp254_6_8 - // stack: f', out, f, inB, f', inA, inB, out - DUP14 - // stack: inB, f', out, f, inB, f', inA, inB, out - %dup_fp254_6_8 - // stack: f, inB, f', out, f, inB, f', inA, inB, out - DUP7 - // stack: inB, f, inB, f', out, f, inB, f', inA, inB, out - %dup_fp254_6_8 - // stack: f', inB, f, inB, f', out, f, inB, f', inA, inB, out - %dup_fp254_6_7 - // stack: f, f', inB, f, inB, f', out, f, inB, f', inA, inB, out - DUP13 - // stack: inB, f, f', inB, f, inB, f', out, f, inB, f', inA, inB, out - %mload_bn254_pairing - // stack: g0 , f, f', inB, f, inB, f', out, f, inB, f', inA, inB, out - %scale_re_fp254_6 - // stack: g0 * f, f', inB, f, inB, f', out, f, inB, f', inA, inB, out - %stack (x: 6, y: 6) -> (y, x) - // stack: f' , g0 * f, inB, f, inB, f', out, f, inB, f', inA, inB, out - DUP13 - %add_const(8) - // stack: inB2, f' , g0 * f, inB, f, inB, f', out, f, inB, f', inA, inB, out - %load_fp254_2 - // stack: G2 , f' , g0 * f, inB, f, inB, f', out, f, inB, f', inA, inB, out - %scale_fp254_6_sh2 - // stack: G2 * sh2(f') , g0 * f, inB, f, inB, f', out, f, inB, f', inA, inB, out - %add_fp254_6 - // stack: G2 * sh2(f') + g0 * f, inB, f, inB, f', out, f, inB, f', inA, inB, out - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: f , inB, G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - DUP7 %add_const(2) - // stack: inB1, f , inB, G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - %load_fp254_2 - // stack: G1 , f , inB, G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - %scale_fp254_6_sh - // stack: G1 * sh(f), inB, G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - %add_fp254_6_hole - // stack: G1 * sh(f) + G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - DUP14 - // stack: out, G1 * sh(f) + G2 * sh2(f') + g0 * f, inB, f', out, f, inB, f', inA, inB, out - %store_fp254_6 - // stack: inB, f', out, f, inB, f', inA, inB, out - %mload_bn254_pairing - // stack: g0 , f', out, f, inB, f', inA, inB, out - %scale_re_fp254_6 - // stack: g0 * f', out, f, inB, f', inA, inB, out - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: f , out, g0 * f', inB, f', inA, inB, out - DUP14 - %add_const(8) - // stack: inB2, f , out, g0 * f', inB, f', inA, inB, out - %load_fp254_2 - // stack: G2 , f , out, g0 * f', inB, f', inA, inB, out - %scale_fp254_6_sh - // stack: G2 * sh(f) , out, g0 * f', inB, f', inA, inB, out - %add_fp254_6_hole - // stack: G2 * sh(f) + g0 * f', inB, f', inA, inB, out - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: f' , inB, G2 * sh(f) + g0 * f', inA, inB, out - DUP7 - %add_const(2) - // stack: inB1, f' , inB, G2 * sh(f) + g0 * f', inA, inB, out - %load_fp254_2 - // stack: G1 , f' , inB, G2 * sh(f) + g0 * f', inA, inB, out - %scale_fp254_6_sh - // stack: G1 * sh(f'), inB, G2 * sh(f) + g0 * f', inA, inB, out - %add_fp254_6_hole - // stack: G1 * sh(f') + G2 * sh(f) + g0 * f', inA, inB, out - DUP9 - %add_const(6) - // stack: out', G1 * sh(f') + G2 * sh(f) + g0 * f', inA, inB, out - %store_fp254_6 - // stack: inA, inB, out - %pop3 - JUMP - - -///////////////////////// -///// FP12 SQUARING ///// -///////////////////////// - -/// input: -/// F = f + f'z -/// -/// output: -/// H = h + h'z = FF -/// -/// h = ff + sh(f'f') -/// h' = 2ff' -/// -/// memory pointers [ind' = ind+6] -/// {inp: f, inp: f', out: h, out': h'} -/// -/// f, f' consist of six elements on the stack - -global square_fp254_12: - // stack: inp, out - DUP1 - // stack: inp, inp, out - %load_fp254_6 - // stack: f, inp, out - PUSH square_fp254_12_3 - // stack: square_fp254_12_3, f, inp, out - SWAP7 - // stack: inp, f, square_fp254_12_3, out - PUSH square_fp254_12_2 - // stack: square_fp254_12_2, inp, f, square_fp254_12_3, out - %dup_fp254_6_2 - // stack: f , square_fp254_12_2, inp, f, square_fp254_12_3, out - DUP16 - %add_const(6) - // stack: out', f , square_fp254_12_2, inp, f, square_fp254_12_3, out - PUSH square_fp254_12_1 - // stack: square_fp254_12_1, out', f , square_fp254_12_2, inp, f, square_fp254_12_3, out - DUP10 - %add_const(6) - // stack: inp', square_fp254_12_1, out', f , square_fp254_12_2, inp, f, square_fp254_12_3, out - %load_fp254_6 - // stack: f', square_fp254_12_1, out', f , square_fp254_12_2, inp, f, square_fp254_12_3, out - %stack (f: 6, x: 2, g: 6) -> (g, x, f) - // stack: f , square_fp254_12_1, out', f', square_fp254_12_2, inp, f, square_fp254_12_3, out - %dup_fp254_6_8 - // stack: f', f , square_fp254_12_1, out', f', square_fp254_12_2, inp, f, square_fp254_12_3, out - %jump(mul_fp254_6) -square_fp254_12_1: - // stack: f'f, out', f', square_fp254_12_2, inp, f, square_fp254_12_3, out - DUP7 - // stack: out', f'f, out', f', square_fp254_12_2, inp, f, square_fp254_12_3, out - %store_fp254_6_double - // stack: out', f', square_fp254_12_2, inp, f, square_fp254_12_3, out - POP - // stack: f', square_fp254_12_2, inp, f, square_fp254_12_3, out - %jump(square_fp254_6) -square_fp254_12_2: - // stack: f'f', inp, f, square_fp254_12_3, out - %sh_fp254_6 - // stack: sh(f'f'), inp, f, square_fp254_12_3, out - %stack (f: 6, x, g: 6) -> (g, x, f) - // stack: f, inp, sh(f'f'), square_fp254_12_3, out - SWAP6 - SWAP13 - SWAP6 - // stack: f, square_fp254_12_3, sh(f'f'), inp, out - %jump(square_fp254_6) -square_fp254_12_3: - // stack: ff , sh(f'f'), inp, out - %add_fp254_6 - // stack: ff + sh(f'f'), inp, out - DUP8 - // stack: out, ff + sh(f'f'), inp, out - %store_fp254_6 - // stack: inp, out - %pop2 - JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_6_mul.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_6_mul.asm deleted file mode 100644 index db8b09e0c3..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/degree_6_mul.asm +++ /dev/null @@ -1,435 +0,0 @@ -////////////////////////////////////// -///// GENERAL FP6 MULTIPLICATION ///// -////////////////////////////////////// - -/// inputs: -/// C = C0 + C1t + C2t^2 -/// = (c0 + c0_i) + (c1 + c1_i)t + (c2 + c2_i)t^2 -/// -/// D = D0 + D1t + D2t^2 -/// = (d0 + d0_i) + (d1 + d1_i)t + (d2 + d2_i)t^2 -/// -/// output: -/// E = E0 + E1t + E2t^2 = CD -/// = (e0 + e0_i) + (e1 + e1_i)t + (e2 + e2_i)t^2 -/// -/// initial stack: c0, c0_, c1, c1_, c2, c2_, d0, d0_, d1, d1_, d2, d2_, retdest -/// final stack: e0, e0_, e1, e1_, e2, e2_ - -/// computations: -/// -/// E0 = C0D0 + i9(C1D2 + C2D1) -/// -/// C0D0 = (c0d0 - c0_d0_) + (c0d0_ + c0_d0)i -/// -/// C1D2 = (c1d2 - c1_d2_) + (c1d2_ + c1_d2)i -/// C2D1 = (c2d1 - c2_d1_) + (c2d1_ + c2_d1)i -/// -/// CD12 = C1D2 + C2D1 -/// = (c1d2 + c2d1 - c1_d2_ - c2_d1_) + (c1d2_ + c1_d2 + c2d1_ + c2_d1)i -/// -/// i9(CD12) = (9CD12 - CD12_) + (CD12 + 9CD12_)i -/// -/// e0 = 9CD12 - CD12_ + C0D0 -/// e0_ = 9CD12_ + CD12 + C0D0_ -/// -/// -/// E1 = C0D1 + C1D0 + i9(C2D2) -/// -/// C0D1 = (c0d1 - c0_d1_) + (c0d1_ + c0_d1)i -/// C1D0 = (c1d0 - c1_d0_) + (c1d0_ + c1_d0)i -/// -/// CD01 = c0d1 + c1d0 - (c0_d1_ + c1_d0_) -/// CD01_ = c0d1_ + c0_d1 + c1d0_ + c1_d0 -/// -/// C2D2 = (c2d2 - c2_d2_) + (c2d2_ + c2_d2)i -/// i9(C2D2) = (9C2D2 - C2D2_) + (C2D2 + 9C2D2_)i -/// -/// e1 = 9C2D2 - C2D2_ + CD01 -/// e1_ = C2D2 + 9C2D2_ + CD01_ -/// -/// -/// E2 = C0D2 + C1D1 + C2D0 -/// -/// C0D2 = (c0d2 - c0_d2_) + (c0d2_ + c0_d2)i -/// C1D1 = (c1d1 - c1_d1_) + (c1d1_ + c1_d1)i -/// C2D0 = (c2d0 - c2_d0_) + (c2d0_ + c2_d0)i -/// -/// e2 = c0d2 + c1d1 + c2d0 - (c0_d2_ + c1_d1_ + c2_d0_) -/// e2_ = c0d2_ + c0_d2 + c1d1_ + c1_d1 + c2d0_ + c2_d0 - -// cost: 157 -global mul_fp254_6: - // e2 - // make c0_d2_ + c1_d1_ + c2_d0_ - DUP8 - DUP7 - MULFP254 - DUP11 - DUP6 - MULFP254 - ADDFP254 - DUP13 - DUP4 - MULFP254 - ADDFP254 - // make c0d2 + c1d1 + c2d0 - DUP12 - DUP3 - MULFP254 - DUP11 - DUP6 - MULFP254 - ADDFP254 - DUP9 - DUP8 - MULFP254 - ADDFP254 - // stack: c0d2 + c1d1 + c2d0 , c0_d2_ + c1_d1_ + c2_d0_ - SUBFP254 - // stack: e2 = c0d2 + c1d1 + c2d0 - (c0_d2_ + c1_d1_ + c2_d0_) - SWAP12 - - // e0, e0_ - // make CD12_ = c1d2_ + c1_d2 + c2d1_ + c2_d1 - DUP1 - DUP5 - MULFP254 - DUP13 - DUP7 - MULFP254 - ADDFP254 - DUP12 - DUP8 - MULFP254 - ADDFP254 - DUP11 - DUP9 - MULFP254 - ADDFP254 - // make C0D0_ = c0d0_ + c0_d0 - DUP10 - DUP4 - MULFP254 - DUP10 - DUP6 - MULFP254 - ADDFP254 - // make CD12 = c1d2 + c2d1 - c1_d2_ - c2_d1_ - DUP13 - DUP10 - MULFP254 - DUP4 - DUP9 - MULFP254 - ADDFP254 - DUP15 - DUP8 - MULFP254 - DUP14 - DUP11 - MULFP254 - ADDFP254 - SUBFP254 - // make C0D0 = c0d0 - c0_d0_ - DUP12 - DUP7 - MULFP254 - DUP12 - DUP7 - MULFP254 - SUBFP254 - // stack: C0D0 , CD12 , C0D0_, CD12_ - DUP4 - DUP3 - // stack: CD12 , CD12_ , C0D0 , CD12 , C0D0_, CD12_ - PUSH 9 - MULFP254 - SUBFP254 - ADDFP254 - // stack: e0 = 9CD12 - CD12_ + C0D0 , CD12 , C0D0_, CD12_ - SWAP12 - SWAP3 - // stack: CD12_ , CD12 , C0D0_ - PUSH 9 - MULFP254 - ADDFP254 - ADDFP254 - // stack: e0_ = 9CD12_ + CD12 + C0D0_ - SWAP11 - - // e1, e1_ - // make C2D2_ = c2d2_ + c2_d2 - DUP14 - DUP10 - MULFP254 - DUP4 - DUP10 - MULFP254 - ADDFP254 - // make C2D2 = c2d2 - c2_d2_ - DUP4 - DUP11 - MULFP254 - DUP16 - DUP11 - MULFP254 - SUBFP254 - // make CD01 = c0d1 + c1d0 - (c0_d1_ + c1_d0_) - DUP4 - DUP10 - MULFP254 - DUP16 - DUP9 - MULFP254 - ADDFP254 - DUP13 - DUP10 - MULFP254 - DUP5 - DUP9 - MULFP254 - ADDFP254 - SUBFP254 - // stack: CD01, C2D2, C2D2_ - DUP3 - DUP3 - // stack: C2D2 , C2D2_ , CD01, C2D2, C2D2_ - PUSH 9 - MULFP254 - SUBFP254 - ADDFP254 - // stack: e1 = 9C2D2 - C2D2_ + CD01, C2D2, C2D2_ - SWAP15 - SWAP2 - // stack: C2D2_ , C2D2 - PUSH 9 - MULFP254 - ADDFP254 - // stack: 9C2D2_ + C2D2 - // make CD01_ = c0d1_ + c0_d1 + c1d0_ + c1_d0 - DUP12 - DUP10 - MULFP254 - DUP5 - DUP10 - MULFP254 - ADDFP254 - DUP4 - DUP9 - MULFP254 - ADDFP254 - DUP3 - DUP8 - MULFP254 - ADDFP254 - // stack: CD01_ , 9C2D2_ + C2D2 - ADDFP254 - // stack: e1_ = CD01_ + 9C2D2_ + C2D2 - SWAP15 - - // e2_ - // stack: d2, d1_, d1, d0_, d2_, c0, c0_, c1, c1_, c2, c2_, d0 - SWAP7 - MULFP254 - // stack: c1d1_, d1, d0_, d2_, c0, c0_, d2, c1_, c2, c2_, d0 - SWAP7 - MULFP254 - // stack: c1_d1, d0_, d2_, c0, c0_, d2, c1d1_, c2, c2_, d0 - SWAP7 - MULFP254 - // stack: c2d0_, d2_, c0, c0_, d2, c1d1_, c1_d1 , c2_, d0 - SWAP2 - MULFP254 - // stack: c0d2_ , c2d0_, c0_, d2, c1d1_, c1_d1 , c2_, d0 - ADDFP254 - // stack: c0d2_ + c2d0_, c0_, d2, c1d1_, c1_d1 , c2_, d0 - SWAP2 - MULFP254 - // stack: c0_d2 , c0d2_ + c2d0_ , c1d1_ , c1_d1 , c2_, d0 - ADDFP254 - ADDFP254 - ADDFP254 - // stack: c0_d2 + c0d2_ + c2d0_ + c1d1_ + c1_d1 , c2_, d0 - SWAP2 - MULFP254 - ADDFP254 - // stack: e2_ = c2_d0 + c0_d2 + c0d2_ + c2d0_ + c1d1_ + c1_d1 - SWAP6 - - // stack: retdest, e0, e0_, e1, e1_, e2, e2_ - JUMP - - -//////////////////////// -///// FP6 SQUARING ///// -//////////////////////// - -/// inputs: -/// C = C0 + C1t + C2t^2 -/// = (c0 + c0_i) + (c1 + c1_i)t + (c2 + c2_i)t^2 -/// -/// output: -/// E = E0 + E1t + E2t^2 = C^2 -/// = (e0 + e0_i) + (e1 + e1_i)t + (e2 + e2_i)t^2 -/// -/// initial stack: c0, c0_, c1, c1_, c2, c2_, retdest -/// final stack: e0, e0_, e1, e1_, e2, e2_ - -/// computations: -/// -/// E0 = C0C0 + i9(2C1C2) = (c0+c0_i)^2 + i9(2(c1+c1_i)(c2+c2_i)) -/// = (c0^2 - c0_^2) + (2c0c0_)i + i9[2(c1c2 - c1_c2_) + 2(c1_c2 + c1c2_)i] -/// -/// E1 = 2*C0C1 + i9(C2C2) = 2(c0+c0_i)(c1+c1_i) + i9((c2+c2_i)(c2+c2_i)) -/// = 2(c0c1 - c0_c1_) + 2(c0c1_ + c0_c1)i + i9[(c2^2 - c2_^2) + (2c2c2_)i] -/// -/// E2 = 2*C0C2 + C1C1 -/// = 2(c0c2 - c0_c2_) + 2(c0_c2 + c2c0_)i + (c1^2 - c1_^2) + (2c1c1_)i -/// -/// e0 = (c0^2 - c0_^2) + x0 -/// e0_ = 2c0c0_ + x0_ -/// where x0_, x0 = %i9 c1c2 - c1_c2_, c1_c2 + c1c2_ -/// -/// e1 = 2(c0c1 - c0_c1_) + x1 -/// e1_ = 2(c0c1_ + c0_c1) + x1_ -/// where x1_, x1 = %i9 c2^2 - c2_^2, 2c2c2_ -/// -/// e2 = 2(c0c2 - c0_c2_) + (c1^2 - c1_^2) -/// e2_ = 2(c0_c2 + c2c0_) + 2c1c1_ - -// cost: 101 -global square_fp254_6: - /// e0 = (c0^2 - c0_^2) + x0 - /// e0_ = 2c0c0_ + x0_ - /// where x0_, x0 = %i9 2(c1c2 - c1_c2_), 2(c1_c2 + c1c2_) - DUP6 - DUP4 - MULFP254 - DUP6 - DUP6 - MULFP254 - ADDFP254 - PUSH 2 - MULFP254 - DUP7 - DUP6 - MULFP254 - DUP7 - DUP6 - MULFP254 - SUBFP254 - PUSH 2 - MULFP254 - %i9 - // stack: x0_, x0 - DUP3 - DUP5 - MULFP254 - PUSH 2 - MULFP254 - // stack: 2c0c0_, x0_, x0 - ADDFP254 - // stack: e0_, x0 - SWAP4 - SWAP1 - // stack: x0 - DUP4 - DUP1 - MULFP254 - DUP4 - DUP1 - MULFP254 - SUBFP254 - // stack: c0^2 - c0_^2, x0 - ADDFP254 - // stack: e0 - SWAP3 - - /// e1 = 2(c0c1 - c0_c1_) + x1 - /// e1_ = 2(c0c1_ + c0_c1 ) + x1_ - /// where x1_, x1 = %i9 c2^2 - c2_^2, 2c2c2_ - DUP7 - DUP9 - MULFP254 - PUSH 2 - MULFP254 - DUP9 - DUP1 - MULFP254 - DUP9 - DUP1 - MULFP254 - SUBFP254 - %i9 - // stack: x1_, x1 - DUP4 - DUP4 - MULFP254 - DUP9 - DUP7 - MULFP254 - ADDFP254 - PUSH 2 - MULFP254 - // stack: 2(c0c1_ + c0_c1), x1_, x1 - ADDFP254 - // stack: e1_, x1 - SWAP8 - SWAP1 - // stack: x1 - DUP8 - DUP4 - MULFP254 - DUP5 - DUP7 - MULFP254 - SUBFP254 - PUSH 2 - MULFP254 - // stack: 2(c0c1 - c0_c1_), x1 - ADDFP254 - SWAP7 - - /// e2 = 2(c0c2 - c0_c2_) + (c1^2 - c1_^2) - /// e2_ = 2(c0_c2 + c2c0_ + c1c1_) - DUP1 - DUP1 - MULFP254 - DUP5 - DUP1 - MULFP254 - SUBFP254 - DUP11 - DUP5 - MULFP254 - DUP4 - DUP8 - MULFP254 - SUBFP254 - PUSH 2 - MULFP254 - ADDFP254 - // stack: e2 - SWAP10 - // stack: c2_, c1_, c2, c0_, c1, c0 - SWAP4 - MULFP254 - // stack: c1c1_, c2, c0_, c2_, c0 - SWAP2 - MULFP254 - // stack: c0_c2 , c1c1_, c2_, c0 - ADDFP254 - // stack: c0_c2 + c1c1_, c2_, c0 - SWAP2 - MULFP254 - // stack: c0c2_ , c0_c2 + c1c1_ - ADDFP254 - // stack: c0c2_ + c0_c2 + c1c1_ - PUSH 2 - MULFP254 - // stack: e2_ - SWAP6 - - // stack: retdest, e0, e0_, e1, e1_, e2, e2_ - JUMP diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/frobenius.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/frobenius.asm deleted file mode 100644 index ee1e467917..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/frobenius.asm +++ /dev/null @@ -1,272 +0,0 @@ -// frob_fp12 tests - -global test_frob_fp254_12_1: - // stack: ptr - %frob_fp254_12_1 - // stack: ptr - %jump(0xdeadbeef) - -global test_frob_fp254_12_2: - // stack: ptr - DUP1 - // stack: ptr, ptr - %frob_fp254_12_2_ - // stack: ptr - %jump(0xdeadbeef) - -global test_frob_fp254_12_3: - // stack: ptr - %frob_fp254_12_3 - // stack: ptr - %jump(0xdeadbeef) - -global test_frob_fp254_12_6: - // stack: ptr - %frob_fp254_12_6 - // stack: ptr - %jump(0xdeadbeef) - - -/// def frob_fp254_12_n(f, f'): -/// g = frob_fp254_6(n, f ) -/// g' = FROB_z[n] * frob_fp254_6(n, f') -/// return g, g' - -%macro frob_fp254_12_1 - // stack: ptr - DUP1 - // stack: ptr, ptr - %load_fp254_6 - // stack: f, ptr - %frob_fp254_6_1 - // stack: g, ptr - DUP7 - // stack: ptr, g, ptr - %store_fp254_6 - // stack: ptr - DUP1 %add_const(6) - // stack: ptr', ptr - %load_fp254_6 - // stack: f', ptr - %frobz_1 - // stack: g', ptr - DUP7 %add_const(6) - // stack: ptr', g', ptr - %store_fp254_6 - // stack: ptr -%endmacro - -// Note: this is the only one with distinct input and output pointers -%macro frob_fp254_12_2_ - // stack: ptr , out - DUP1 - // stack: ptr, ptr , out - %load_fp254_6 - // stack: f, ptr , out - %frob_fp254_6_2 - // stack: g, ptr , out - DUP8 - // stack: out, g, ptr , out - %store_fp254_6 - // stack: ptr , out - %add_const(6) - // stack: ptr', out - %load_fp254_6 - // stack: f', out - %frobz_2 - // stack: g', out - DUP7 %add_const(6) - // stack: out', g', out - %store_fp254_6 - // stack: out -%endmacro - -%macro frob_fp254_12_3 - // stack: ptr - DUP1 - // stack: ptr, ptr - %load_fp254_6 - // stack: f, ptr - %frob_fp254_6_3 - // stack: g, ptr - DUP7 - // stack: ptr, g, ptr - %store_fp254_6 - // stack: ptr - DUP1 %add_const(6) - // stack: ptr', ptr - %load_fp254_6 - // stack: f', ptr - %frobz_3 - // stack: g', ptr - DUP7 %add_const(6) - // stack: ptr', g', ptr - %store_fp254_6 - // stack: ptr -%endmacro - -%macro frob_fp254_12_6 - // stack: ptr - DUP1 %add_const(6) - // stack: ptr', ptr - %load_fp254_6 - // stack: f', ptr - %frobz_6 - // stack: g', ptr - DUP7 %add_const(6) - // stack: ptr', g', ptr - %store_fp254_6 - // stack: ptr -%endmacro - -// frob_fp12 tests - -global test_frob_fp254_6_1: - // stack: ptr - %frob_fp254_6_1 - // stack: ptr - %jump(0xdeadbeef) - -global test_frob_fp254_6_2: - // stack: ptr - %frob_fp254_6_2 - // stack: ptr - %jump(0xdeadbeef) - -global test_frob_fp254_6_3: - // stack: ptr - %frob_fp254_6_3 - // stack: ptr - %jump(0xdeadbeef) - - -/// let Z` denote the complex conjugate of Z - -/// def frob_fp254_6_n(C0, C1, C2): -/// if n%2: -/// D0, D1, D2 = C0`, FROB_T1[n] * C1`, FROB_T2[n] * C2` -/// else: -/// D0, D1, D2 = C0 , FROB_T1[n] * C1 , FROB_T2[n] * C2 -/// return D0, D1, D2 - -%macro frob_fp254_6_1 - // stack: C0 , C1 , C2 - %conj_fp254_2 - // stack: D0 , C1 , C2 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: C2 , C1 , D0 - %conj_fp254_2 - // stack: C2`, C1 , D0 - %frobt2_1 - // stack: D2 , C1 , D0 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: D0 , C1 , D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: C1 , D0 , D2 - %conj_fp254_2 - // stack: C1`, D0 , D2 - %frobt1_1 - // stack: D1 , D0 , D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: D0 , D1 , D2 -%endmacro - -%macro frob_fp254_6_2 - // stack: C0, C1, C2 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: C2, C1, C0 - %frobt2_2 - // stack: D2, C1, C0 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: C0, C1, D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: C1, C0, D2 - %frobt1_2 - // stack: D1, C0, D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: D0, D1, D2 -%endmacro - -%macro frob_fp254_6_3 - // stack: C0 , C1 , C2 - %conj_fp254_2 - // stack: D0 , C1 , C2 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: C2 , C1 , D0 - %conj_fp254_2 - // stack: C2`, C1 , D0 - %frobt2_3 - // stack: D2 , C1 , D0 - %stack (x: 2, a: 2, y:2) -> (y, a, x) - // stack: D0 , C1 , D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: C1 , D0 , D2 - %conj_fp254_2 - // stack: C1`, D0 , D2 - %frobt1_3 - // stack: D1 , D0 , D2 - %stack (x: 2, y: 2) -> (y, x) - // stack: D0 , D1 , D2 -%endmacro - - -%macro frobz_1 - %frob_fp254_6_1 - PUSH 0x246996f3b4fae7e6a6327cfe12150b8e747992778eeec7e5ca5cf05f80f362ac - PUSH 0x1284b71c2865a7dfe8b99fdd76e68b605c521e08292f2176d60b35dadcc9e470 - %scale_fp254_6 -%endmacro - -%macro frobz_2 - %frob_fp254_6_2 - PUSH 0x30644e72e131a0295e6dd9e7e0acccb0c28f069fbb966e3de4bd44e5607cfd49 - %scale_re_fp254_6 -%endmacro - -%macro frobz_3 - %frob_fp254_6_3 - PUSH 0xabf8b60be77d7306cbeee33576139d7f03a5e397d439ec7694aa2bf4c0c101 - PUSH 0x19dc81cfcc82e4bbefe9608cd0acaa90894cb38dbe55d24ae86f7d391ed4a67f - %scale_fp254_6 -%endmacro - -%macro frobz_6 - PUSH 0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd46 - %scale_re_fp254_6 -%endmacro - - -%macro frobt1_1 - PUSH 0x16c9e55061ebae204ba4cc8bd75a079432ae2a1d0b7c9dce1665d51c640fcba2 - PUSH 0x2fb347984f7911f74c0bec3cf559b143b78cc310c2c3330c99e39557176f553d - %mul_fp254_2 -%endmacro - -%macro frobt2_1 - PUSH 0x2c145edbe7fd8aee9f3a80b03b0b1c923685d2ea1bdec763c13b4711cd2b8126 - PUSH 0x5b54f5e64eea80180f3c0b75a181e84d33365f7be94ec72848a1f55921ea762 - %mul_fp254_2 -%endmacro - -%macro frobt1_2 - PUSH 0x30644e72e131a0295e6dd9e7e0acccb0c28f069fbb966e3de4bd44e5607cfd48 - %scale_fp254_2 -%endmacro - -%macro frobt2_2 - PUSH 0x59e26bcea0d48bacd4f263f1acdb5c4f5763473177fffffe - %scale_fp254_2 -%endmacro - - -%macro frobt1_3 - PUSH 0x4f1de41b3d1766fa9f30e6dec26094f0fdf31bf98ff2631380cab2baaa586de - PUSH 0x856e078b755ef0abaff1c77959f25ac805ffd3d5d6942d37b746ee87bdcfb6d - %mul_fp254_2 -%endmacro - -%macro frobt2_3 - PUSH 0x23d5e999e1910a12feb0f6ef0cd21d04a44a9e08737f96e55fe3ed9d730c239f - PUSH 0xbc58c6611c08dab19bee0f7b5b2444ee633094575b06bcb0e1a92bc3ccbf066 - %mul_fp254_2 -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/inverse.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/inverse.asm deleted file mode 100644 index 7c7729057c..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/inverse.asm +++ /dev/null @@ -1,66 +0,0 @@ -// Returns reverse order division y/x, modulo N -%macro divr_fp254 - // stack: x , y - %inv_fp254 - // stack: x^-1, y - MULFP254 -%endmacro - -// Non-deterministically provide the inverse x^-1 of x modulo N. -// If x === 0 mod N, this function panics. -// Although the official prover provides the unique inverse (inp, out, 60, check_inv_fp254_12) - // stack: inp, out, 60, check_inv_fp254_12, retdest - %jump(mul_fp254_12) -check_inv_fp254_12: - // stack: retdest - PUSH 60 - %load_fp254_12 - // stack: unit?, retdest - %assert_eq_unit_fp254_12 - // stack: retdest - PUSH 60 - %create_bn254_pairing_address - PUSH 0 - // stack: 0, addr, retdest - MSTORE_GENERAL - // stack: retdest - JUMP - -%macro prover_inv_fp254_12 - PROVER_INPUT(ffe::bn254_base::component_11) - PROVER_INPUT(ffe::bn254_base::component_10) - PROVER_INPUT(ffe::bn254_base::component_9) - PROVER_INPUT(ffe::bn254_base::component_8) - PROVER_INPUT(ffe::bn254_base::component_7) - PROVER_INPUT(ffe::bn254_base::component_6) - PROVER_INPUT(ffe::bn254_base::component_5) - PROVER_INPUT(ffe::bn254_base::component_4) - PROVER_INPUT(ffe::bn254_base::component_3) - PROVER_INPUT(ffe::bn254_base::component_2) - PROVER_INPUT(ffe::bn254_base::component_1) - PROVER_INPUT(ffe::bn254_base::component_0) -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm b/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm deleted file mode 100644 index 897404dbf2..0000000000 --- a/evm/src/cpu/kernel/asm/curve/bn254/field_arithmetic/util.asm +++ /dev/null @@ -1,1100 +0,0 @@ -// Load a single value from bn254 pairings memory. -%macro mload_bn254_pairing - // stack: offset - %mload_current(@SEGMENT_BN_PAIRING) - // stack: value -%endmacro - -%macro mload_bn254_pairing(offset) - // stack: - PUSH $offset - // stack: offset - %mload_current(@SEGMENT_BN_PAIRING) - // stack: value -%endmacro - -// Store a single value to bn254 pairings memory. -%macro mstore_bn254_pairing - // stack: offset, value - %mstore_current(@SEGMENT_BN_PAIRING) - // stack: -%endmacro - -// Build an address on the current context within SEGMENT_BN_PAIRING. -%macro create_bn254_pairing_address - // stack: offset - PUSH @SEGMENT_BN_PAIRING - GET_CONTEXT - %build_address - // stack: addr -%endmacro - -// Store a single value to bn254 pairings memory. -%macro mstore_bn254_pairing_value(value) - // stack: offset - %create_bn254_pairing_address - PUSH $value - MSTORE_GENERAL - // stack: -%endmacro - -%macro mstore_bn254_pairing(offset) - // stack: value - PUSH $offset - // stack: offset, value - %mstore_current(@SEGMENT_BN_PAIRING) - // stack: -%endmacro - -// fp254_2 macros - -%macro load_fp254_2 - // stack: ptr - %create_bn254_pairing_address - DUP1 - %add_const(1) - // stack: addr1, addr - MLOAD_GENERAL - // stack: x1, addr - SWAP1 - // stack: addr0, x1 - MLOAD_GENERAL - // stack: x0, x1 -%endmacro - -/// complex conjugate -%macro conj_fp254_2 - // stack: a, b - SWAP1 - PUSH 0 - SUBFP254 - SWAP1 - // stack: a, -b -%endmacro - -%macro scale_fp254_2 - // stack: c, x, y - SWAP2 - // stack: y, x, c - DUP3 - // stack: c, y, x, c - MULFP254 - // stack: cy, x, c - SWAP2 - // stack: c, x, cy - MULFP254 - // stack: cx, cy -%endmacro - -%macro eq_fp254_2 - // stack: x, x_, y, y_ - SWAP3 - // stack: y_, x_, y, x - EQ - // stack: y_==x_, y, x - SWAP2 - // stack: x, y, y_==x_ - EQ - // stack: x==y, y_==x_ - AND -%endmacro - -%macro add_fp254_2 - // stack: x, x_, y, y_ - SWAP3 - // stack: y_, x_, y, x - ADDFP254 - // stack: z_, y, x - SWAP2 - // stack: x, y, z_ - ADDFP254 - // stack: z, z_ -%endmacro - -/// Given z = x + iy: Fp254_2, return complex conjugate z': Fp254_2 -/// where input is represented z.re, z.im and output as z'.im, z'.re -/// cost: 9; note this returns y, x for the output x + yi -%macro i9 - // stack: a , b - DUP2 - // stack: b, a , b - DUP2 - // stack: a , b, a , b - PUSH 9 - MULFP254 - // stack: 9a , b, a , b - SUBFP254 - // stack: 9a - b, a , b - SWAP2 - // stack: b , a, 9a - b - PUSH 9 - MULFP254 - // stack 9b , a, 9a - b - ADDFP254 - // stack: 9b + a, 9a - b -%endmacro - -%macro mul_fp254_2 - // stack: a, b, c, d - DUP4 - DUP3 - MULFP254 - // stack: bd, a, b, c, d - DUP4 - DUP3 - MULFP254 - // stack: ac , bd, a, b, c, d - SUBFP254 - // stack: ac - bd, a, b, c, d - SWAP4 - // stack: d, a, b, c, ac - bd - MULFP254 - // stack: ad, b, c, ac - bd - SWAP2 - // stack: c, b, ad, ac - bd - MULFP254 - // stack: bc , ad, ac - bd - ADDFP254 - // stack: bc + ad, ac - bd - SWAP1 - // stack: ac - bd, bc + ad -%endmacro - -// load twisted curve - -%macro load_fp254_4 - // stack: ptr - %create_bn254_pairing_address - DUP1 - %add_const(2) - // stack: addr2, addr - MLOAD_GENERAL - // stack: x2, addr - DUP2 - %add_const(1) - // stack: addr1, x2, addr - MLOAD_GENERAL - // stack: x1, x2, addr - DUP3 - %add_const(3) - // stack: addr3, x1, x2, addr - MLOAD_GENERAL - // stack: x3, x1, x2, addr - SWAP3 - // stack: addr0, x1, x2, x3 - MLOAD_GENERAL - // stack: x0, x1, x2, x3 -%endmacro - -// fp254_6 macros - -%macro load_fp254_6 - // stack: ptr - %create_bn254_pairing_address - DUP1 - %add_const(4) - // stack: addr4, addr - MLOAD_GENERAL - // stack: x4, addr - DUP2 - %add_const(3) - // stack: addr3, x4, addr - MLOAD_GENERAL - // stack: x3, x4, addr - DUP3 - %add_const(2) - // stack: addr2, x3, x4, addr - MLOAD_GENERAL - // stack: x2, x3, x4, addr - DUP4 - %add_const(1) - // stack: addr1, x2, x3, x4, addr - MLOAD_GENERAL - // stack: x1, x2, x3, x4, addr - DUP5 - %add_const(5) - // stack: addr5, x1, x2, x3, x4, addr - MLOAD_GENERAL - // stack: x5, x1, x2, x3, x4, addr - SWAP5 - // stack: addr0, x1, x2, x3, x4, x5 - MLOAD_GENERAL - // stack: x0, x1, x2, x3, x4, x5 -%endmacro - -%macro load_fp254_6(ptr) - // stack: - PUSH $ptr - %load_fp254_6 - // stack: x0, x1, x2, x3, x4, x5 -%endmacro - -%macro store_fp254_6 - // stack: ptr, x0, x1, x2, x3, x4 , x5 - %create_bn254_pairing_address - SWAP5 - // stack: x4, x0, x1, x2, x3, addr, x5 - DUP6 - %add_const(4) - // stack: addr4, x4, x0, x1, x2, x3, addr, x5 - %swap_mstore - // stack: x0, x1, x2, x3, addr, x5 - DUP5 - // stack: addr0, x0, x1, x2, x3, addr, x5 - %swap_mstore - // stack: x1, x2, x3, addr, x5 - DUP4 - %add_const(1) - // stack: addr1, x1, x2, x3, addr, x5 - %swap_mstore - // stack: x2, x3, addr, x5 - DUP3 - %add_const(2) - // stack: addr2, x2, x3, addr, x5 - %swap_mstore - // stack: x3, addr, x5 - DUP2 - %add_const(3) - // stack: addr3, x3, addr, x5 - %swap_mstore - // stack: addr, x5 - %add_const(5) - // stack: addr5, x5 - %swap_mstore - // stack: -%endmacro - -%macro store_fp254_6_double - // stack: ptr, x0, x1, x2, x3, x4, x5 - %create_bn254_pairing_address - SWAP6 - // stack: x5, x0, x1, x2, x3, x4, addr - PUSH 2 - MULFP254 - // stack: 2*x5, x0, x1, x2, x3, x4, addr - DUP7 - %add_const(5) - // stack: addr5, 2*x5, x0, x1, x2, x3, x4, addr - %swap_mstore - // stack: x0, x1, x2, x3, x4, addr - PUSH 2 - MULFP254 - // stack: 2*x0, x1, x2, x3, x4, addr - DUP6 - // stack: addr0, 2*x0, x1, x2, x3, x4, addr - %swap_mstore - // stack: x1, x2, x3, x4, addr - PUSH 2 - MULFP254 - // stack: 2*x1, x2, x3, x4, addr - DUP5 - %add_const(1) - // stack: addr1, 2*x1, x2, x3, x4, addr - %swap_mstore - // stack: x2, x3, x4, addr - PUSH 2 - MULFP254 - // stack: 2*x2, x3, x4, addr - DUP4 - %add_const(2) - // stack: addr2, 2*x2, x3, x4, addr - %swap_mstore - // stack: x3, x4, addr - PUSH 2 - MULFP254 - // stack: 2*x3, x4, addr - DUP3 - %add_const(3) - // stack: addr3, 2*x3, x4, addr - %swap_mstore - // stack: x4, addr - PUSH 2 - MULFP254 - // stack: 2*x4, addr - SWAP1 - // stack: addr, 2*x4 - %add_const(4) - // stack: addr4, 2*x4 - %swap_mstore - // stack: -%endmacro - -%macro store_fp254_6(ptr) - // stack: x0, x1, x2, x3, x4, x5 - PUSH $ptr - %store_fp254_6 - // stack: -%endmacro - -%macro store_fp254_6_sh(ptr) - // stack: x0, x1, x2, x3, x4, x5 - PUSH $ptr - %create_bn254_pairing_address - // stack: addr, x0, x1, x2, x3, x4, x5 - %add_const(2) - DUP1 - // stack: addr2, addr2, x0, x1, x2, x3, x4, x5 - SWAP2 MSTORE_GENERAL - // stack: addr2, x1, x2, x3, x4, x5 - %add_const(1) - DUP1 - // stack: addr3, addr3, x1, x2, x3, x4, x5 - SWAP2 MSTORE_GENERAL - // stack: addr3, x2, x3, x4, x5 - %add_const(1) - DUP1 - // stack: addr4, addr4, x2, x3, x4, x5 - SWAP2 MSTORE_GENERAL - // stack: addr4, x3, x4, x5 - %add_const(1) - // stack: addr5, x3, x4, x5 - %swap_mstore - // stack: x4, x5 - %i9 - // stack: y5, y4 - PUSH $ptr - %create_bn254_pairing_address - DUP1 - %add_const(1) - // stack: addr1, addr, y5, y4 - SWAP3 - MSTORE_GENERAL - // stack: y5, addr1 - MSTORE_GENERAL - // stack: -%endmacro - -// cost: 6 -%macro dup_fp254_6_0 - // stack: f: 6 - DUP6 - DUP6 - DUP6 - DUP6 - DUP6 - DUP6 - // stack: f: 6, f: 6 -%endmacro - -// cost: 6 -%macro dup_fp254_6_2 - // stack: X: 2, f: 6 - DUP8 - DUP8 - DUP8 - DUP8 - DUP8 - DUP8 - // stack: f: 6, X: 2, f: 6 -%endmacro - -// cost: 6 -%macro dup_fp254_6_6 - // stack: X: 6, f: 6 - DUP12 - DUP12 - DUP12 - DUP12 - DUP12 - DUP12 - // stack: f: 6, X: 6, f: 6 -%endmacro - -// cost: 6 -%macro dup_fp254_6_7 - // stack: X: 7, f: 6 - DUP13 - DUP13 - DUP13 - DUP13 - DUP13 - DUP13 - // stack: f: 6, X: 7, f: 6 -%endmacro - -// cost: 6 -%macro dup_fp254_6_8 - // stack: X: 8, f: 6 - DUP14 - DUP14 - DUP14 - DUP14 - DUP14 - DUP14 - // stack: f: 6, X: 8, f: 6 -%endmacro - -/// multiply (a + bt + ct^2) by t: -/// t(a + bt + ct^2) = at + bt^2 + ct^3 = (9+i)c + at + bt^2 -%macro sh_fp254_6 - // stack: a, b, c - %stack (a: 2, b: 2, c: 2) -> (c, a, b) - // stack: c, a, b - %i9 - SWAP1 - // stack: (9+i)c, a, b -%endmacro - -// cost: 16 -%macro add_fp254_6 - // stack: f0, f1, f2, f3, f4, f5, g0, g1, g2, g3, g4, g5 - SWAP7 - ADDFP254 - SWAP6 - // stack: f0, f2, f3, f4, f5, g0, h1, g2, g3, g4, g5 - SWAP7 - ADDFP254 - SWAP6 - // stack: f0, f3, f4, f5, g0, h1, h2, g3, g4, g5 - SWAP7 - ADDFP254 - SWAP6 - // stack: f0, f4, f5, g0, h1, h2, h3, g4, g5 - SWAP7 - ADDFP254 - SWAP6 - // stack: f0, f5, g0, h1, h2, h3, h4, g5 - SWAP7 - ADDFP254 - SWAP6 - // stack: f0, g0, h1, h2, h3, h4, h5 - ADDFP254 - // stack: h0, h1, h2, h3, h4, h5 -%endmacro - -// cost: 18 -// add two fp254_6 elements with a to-be-popped stack term separating them -// (f: 6, X, g: 6) -> (f + g) -%macro add_fp254_6_hole - // stack: f0, f1, f2, f3, f4, f5, X, g0, g1, g2, g3, g4, g5 - SWAP8 - ADDFP254 - SWAP7 - // stack: f0, f2, f3, f4, f5, X, g0, h1, g2, g3, g4, g5 - SWAP8 - ADDFP254 - SWAP7 - // stack: f0, f3, f4, f5, X, g0, h1, h2, g3, g4, g5 - SWAP8 - ADDFP254 - SWAP7 - // stack: f0, f4, f5, X, g0, h1, h2, h3, g4, g5 - SWAP8 - ADDFP254 - SWAP7 - // stack: f0, f5, X, g0, h1, h2, h3, h4, g5 - SWAP8 - ADDFP254 - SWAP7 - // stack: f0, X, g0, h1, h2, h3, h4, h5 - SWAP1 - POP - ADDFP254 - // stack: h0, h1, h2, h3, h4, h5 -%endmacro - -// *reversed argument subtraction* cost: 17 -%macro subr_fp254_6 - // stack: f0, f1, f2, f3, f4, f5, g0, g1, g2, g3, g4, g5 - SWAP7 - SUBFP254 - SWAP6 - // stack: f0, f2, f3, f4, f5, g0, h1, g2, g3, g4, g5 - SWAP7 - SUBFP254 - SWAP6 - // stack: f0, f3, f4, f5, g0, h1, h2, g3, g4, g5 - SWAP7 - SUBFP254 - SWAP6 - // stack: f0, f4, f5, g0, h1, h2, h3, g4, g5 - SWAP7 - SUBFP254 - SWAP6 - // stack: f0, f5, g0, h1, h2, h3, h4, g5 - SWAP7 - SUBFP254 - SWAP6 - // stack: f0, g0, h1, h2, h3, h4, h5 - SWAP1 - SUBFP254 - // stack: h0, h1, h2, h3, h4, h5 -%endmacro - -// cost: 21 -%macro scale_re_fp254_6 - // stack: c , f0, f1, f2, f3, f4, f5 - SWAP6 - DUP7 - MULFP254 - SWAP6 - // stack: c , f0, f1, f2, f3, f4, c * f5 - SWAP5 - DUP6 - MULFP254 - SWAP5 - // stack: c , f0, f1, f2, f3, c * f4, c * f5 - SWAP4 - DUP5 - MULFP254 - SWAP4 - // stack: c , f0, f1, f2, c * f3, c * f4, c * f5 - SWAP3 - DUP4 - MULFP254 - SWAP3 - // stack: c , f0, f1, c * f2, c * f3, c *f 4, c * f5 - SWAP2 - DUP3 - MULFP254 - SWAP2 - // stack: c , f0, c * f1, c * f2, c * f3, c * f4, c * f5 - MULFP254 - // stack: c * f0, c * f1, c * f2, c * f3, c * f4, c * f5 -%endmacro - -/// cost: -/// -/// G0 + G1t + G2t^2 = (a+bi) * (F0 + F1t + F2t^2) -/// = (a+bi)F0 + (a+bi)F1t + (a+bi)F2t^2 -/// -/// G0 = (a+bi)(f0+f0_i) = (af0 - bf0_) + (bf0 + af0_)i -/// G1 = (a+bi)(f1+f1_i) = (af1 - bf1_) + (bf1 + af1_)i -/// G2 = (a+bi)(f2+f2_i) = (af2 - bf2_) + (bf2 + af2_)i - -%macro scale_fp254_6 - // stack: a, b, f0, f0_, f1, f1_, f2, f2_ - DUP2 - DUP5 - MULFP254 - // stack: bf0_, a, b, f0, f0_, f1, f1_, f2, f2_ - DUP2 - DUP5 - MULFP254 - // stack: af0, bf0_, a, b, f0, f0_, f1, f1_, f2, f2_ - SUBFP254 - // stack: g0, a, b, f0, f0_, f1, f1_, f2, f2_ - SWAP3 - // stack: f0, a, b, g0, f0_, f1, f1_, f2, f2_ - DUP3 - MULFP254 - // stack: bf0, a, b, g0, f0_, f1, f1_, f2, f2_ - SWAP1 - SWAP4 - // stack: f0_, bf0, b, g0, a, f1, f1_, f2, f2_ - DUP5 - MULFP254 - // stack: af0_, bf0, b, g0, a, f1, f1_, f2, f2_ - ADDFP254 - // stack: g0_, b, g0, a, f1, f1_, f2, f2_ - SWAP3 - // stack: a, b, g0, g0_, f1, f1_, f2, f2_ - DUP2 - DUP7 - MULFP254 - // stack: bf1_, a, b, g0, g0_, f1, f1_, f2, f2_ - DUP2 - DUP7 - MULFP254 - // stack: af1, bf1_, a, b, g0, g0_, f1, f1_, f2, f2_ - SUBFP254 - // stack: g1, a, b, g0, g0_, f1, f1_, f2, f2_ - SWAP5 - // stack: f1, a, b, g0, g0_, g1, f1_, f2, f2_ - DUP3 - MULFP254 - // stack: bf1, a, b, g0, g0_, g1, f1_, f2, f2_ - SWAP1 - SWAP6 - // stack: f1_, bf1, b, g0, g0_, g1, a, f2, f2_ - DUP7 - MULFP254 - // stack: af1_, bf1, b, g0, g0_, g1, a, f2, f2_ - ADDFP254 - // stack: g1_, b, g0, g0_, g1, a, f2, f2_ - SWAP5 - // stack: a, b, g0, g0_, g1, g1_, f2, f2_ - DUP2 - DUP9 - MULFP254 - // stack: bf2_, a, b, g0, g0_, g1, g1_, f2, f2_ - DUP2 - DUP9 - MULFP254 - // stack: af2, bf2_, a, b, g0, g0_, g1, g1_, f2, f2_ - SUBFP254 - // stack: g2, a, b, g0, g0_, g1, g1_, f2, f2_ - SWAP7 - // stack: f2, a, b, g0, g0_, g1, g1_, g2, f2_ - SWAP8 - // stack: f2_, a, b, g0, g0_, g1, g1_, g2, f2 - MULFP254 - // stack: af2_, b, g0, g0_, g1, g1_, g2, f2 - SWAP7 - // stack: f2, b, g0, g0_, g1, g1_, g2, af2_ - MULFP254 - // stack: bf2, g0, g0_, g1, g1_, g2, af2_ - SWAP1 - SWAP6 - // stack: af2_, bf2, g0_, g1, g1_, g2, g0 - ADDFP254 - // stack: g2_, g0_, g1, g1_, g2, g0 - SWAP5 - // stack: g0, g0_, g1, g1_, g2, g2_ -%endmacro - -/// cost: 1 i9 (9) + 16 dups + 15 swaps + 12 muls + 6 adds/subs = 58 -/// -/// G0 + G1t + G2t^2 = (a+bi)t * (F0 + F1t + F2t^2) -/// = (c+di)F2 + (a+bi)F0t + (a+bi)F1t^2 -/// where c+di = (a+bi)(9+i) = (9a-b) + (a+9b)i -/// -/// G0 = (c+di)(f2+f2_i) = (cf2 - df2_) + (df2 + cf2_)i -/// G1 = (a+bi)(f0+f0_i) = (af0 - bf0_) + (bf0 + af0_)i -/// G2 = (a+bi)(f1+f1_i) = (af1 - bf1_) + (bf1 + af1_)i - -%macro scale_fp254_6_sh - // stack: a, b, f0, f0_, f1, f1_, f2, f2_ - DUP6 - DUP3 - MULFP254 - // stack: bf1_, a, b, f0, f0_, f1, f1_, f2, f2_ - DUP6 - DUP3 - MULFP254 - // stack: af1 , bf1_, a, b, f0, f0_, f1, f1_, f2, f2_ - SUBFP254 - // stack: g2, a, b, f0, f0_, f1, f1_, f2, f2_ - SWAP7 - // stack: f2, a, b, f0, f0_, f1, f1_, g2, f2_ - SWAP5 - // stack: f1, a, b, f0, f0_, f2, f1_, g2, f2_ - DUP3 - MULFP254 - // stack: bf1, a, b, f0, f0_, f2, f1_, g2, f2_ - SWAP1 - SWAP6 - // stack: f1_, bf1, b, f0, f0_, f2, a, g2, f2_ - DUP7 - MULFP254 - // stack: af1_, bf1, b, f0, f0_, f2, a, g2, f2_ - ADDFP254 - // stack: g2_, b, f0, f0_, f2, a, g2, f2_ - SWAP7 - // stack: f2_, b, f0, f0_, f2, a, g2, g2_ - DUP4 - DUP3 - MULFP254 - // stack: bf0_, f2_, b, f0, f0_, f2, a, g2, g2_ - DUP4 - DUP8 - MULFP254 - // stack: af0, bf0_, f2_, b, f0, f0_, f2, a, g2, g2_ - SUBFP254 - // stack: g1, f2_, b, f0, f0_, f2, a, g2, g2_ - SWAP5 - // stack: f2, f2_, b, f0, f0_, g1, a, g2, g2_ - SWAP3 - // stack: f0, f2_, b, f2, f0_, g1, a, g2, g2_ - DUP3 - MULFP254 - // stack: bf0, f2_, b, f2, f0_, g1, a, g2, g2_ - SWAP1 - SWAP4 - // stack: f0_, bf0, b, f2, f2_, g1, a, g2, g2_ - DUP7 - MULFP254 - // stack: af0_, bf0, b, f2, f2_, g1, a, g2, g2_ - ADDFP254 - // stack: g1_, b, f2, f2_, g1, a, g2, g2_ - SWAP5 - // stack: a, b, f2, f2_, g1, g1_, g2, g2_ - %i9 - // stack: d, c, f2, f2_, g1, g1_, g2, g2_ - DUP4 - DUP2 - MULFP254 - // stack: df2_, d, c, f2, f2_, g1, g1_, g2, g2_ - DUP4 - DUP4 - MULFP254 - // stack: cf2, df2_, d, c, f2, f2_, g1, g1_, g2, g2_ - SUBFP254 - // stack: g0, d, c, f2, f2_, g1, g1_, g2, g2_ - SWAP3 - // stack: f2, d, c, g0, f2_, g1, g1_, g2, g2_ - MULFP254 - // stack: df2, c, g0, f2_, g1, g1_, g2, g2_ - SWAP3 - MULFP254 - // stack: cf2_, g0, df2, g1, g1_, g2, g2_ - SWAP1 - SWAP2 - // stack: df2, cf2_, g0, g1, g1_, g2, g2_ - ADDFP254 - // stack: g0_, g0, g1, g1_, g2, g2_ - SWAP1 - // stack: g0, g0_, g1, g1_, g2, g2_ -%endmacro - -/// cost: 1 i9 (9) + 16 dups + 17 swaps + 12 muls + 6 adds/subs = 60 -/// -/// G0 + G1t + G2t^2 = (a+bi)t^2 * (F0 + F1t + F2t^2) -/// = (c+di)F1 + (c+di)F2t + (a+bi)F0t^2 -/// where c+di = (a+bi)(9+i) = (9a-b) + (a+9b)i -/// -/// G0 = (c+di)(f1+f1_i) = (cf1 - df1_) + (df1 + cf1_)i -/// G1 = (a+bi)(f2+f2_i) = (cf2 - df2_) + (df2 + cf2_)i -/// G2 = (a+bi)(f0+f0_i) = (af0 - bf0_) + (bf0 + af0_)i - -%macro scale_fp254_6_sh2 - // stack: a, b, f0, f0_, f1, f1_, f2, f2_ - DUP4 - DUP3 - MULFP254 - // stack: bf0_, a, b, f0, f0_, f1, f1_, f2, f2_ - DUP4 - DUP3 - MULFP254 - // stack: af0, bf0_, a, b, f0, f0_, f1, f1_, f2, f2_ - SUBFP254 - // stack: g2, a, b, f0, f0_, f1, f1_, f2, f2_ - SWAP7 - SWAP3 - // stack: f0, a, b, f2, f0_, f1, f1_, g2, f2_ - DUP3 - MULFP254 - // stack: bf0, a, b, f2, f0_, f1, f1_, g2, f2_ - SWAP1 - SWAP4 - // stack: f0_, bf0, b, f2, a, f1, f1_, g2, f2_ - DUP5 - MULFP254 - // stack: af0_, bf0, b, f2, a, f1, f1_, g2, f2_ - ADDFP254 - // stack: g2_, b, f2, a, f1, f1_, g2, f2_ - SWAP7 - SWAP3 - // stack: a, b, f2, f2_, f1, f1_, g2, g2_ - %i9 - // stack: d, c, f2, f2_, f1, f1_, g2, g2_ - DUP4 - DUP2 - MULFP254 - // stack: df2_, d, c, f2, f2_, f1, f1_, g2, g2_ - DUP4 - DUP4 - MULFP254 - // stack: cf2, df2_, d, c, f2, f2_, f1, f1_, g2, g2_ - SUBFP254 - // stack: g1, d, c, f2, f2_, f1, f1_, g2, g2_ - SWAP5 - SWAP3 - // stack: f2, d, c, f1, f2_, g1, f1_, g2, g2_ - DUP2 - MULFP254 - // stack: df2, d, c, f1, f2_, g1, f1_, g2, g2_ - SWAP1 - SWAP4 - // stack: f2_, df2, c, f1, d, g1, f1_, g2, g2_ - DUP3 - MULFP254 - // stack: cf2_, df2, c, f1, d, g1, f1_, g2, g2_ - ADDFP254 - // stack: g1_, c, f1, d, g1, f1_, g2, g2_ - SWAP5 - // stack: f1_, c, f1, d, g1, g1_, g2, g2_ - DUP1 - DUP5 - MULFP254 - // stack: df1_, f1_, c, f1, d, g1, g1_, g2, g2_ - DUP4 - DUP4 - MULFP254 - // stack: cf1, df1_, f1_, c, f1, d, g1, g1_, g2, g2_ - SUBFP254 - // stack: g0, f1_, c, f1, d, g1, g1_, g2, g2_ - SWAP3 - // stack: f1, f1_, c, g0, d, g1, g1_, g2, g2_ - SWAP2 - MULFP254 - // stack: cf1_, f1, g0, d, g1, g1_, g2, g2_ - SWAP3 - MULFP254 - // stack: df1, g0, cf1_, g1, g1_, g2, g2_ - SWAP1 - SWAP2 - // stack: cf1_, df1, g0, g1, g1_, g2, g2_ - ADDFP254 - // stack: g0_, g0, g1, g1_, g2, g2_ - SWAP1 - // stack: g0, g0_, g1, g1_, g2, g2_ -%endmacro - -%macro load_fp254_12 - // stack: ptr - %create_bn254_pairing_address - DUP1 - %add_const(10) - // stack: addr10, addr - MLOAD_GENERAL - // stack: x10, addr - DUP2 - %add_const(9) - // stack: addr09, x10, addr - MLOAD_GENERAL - // stack: x09, x10, addr - DUP3 - %add_const(8) - // stack: addr08, x09, x10, addr - MLOAD_GENERAL - // stack: x08, x09, x10, addr - DUP4 - %add_const(7) - // stack: addr07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x07, x08, x09, x10, addr - DUP5 - %add_const(6) - // stack: addr06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x06, x07, x08, x09, x10, addr - DUP6 - %add_const(5) - // stack: addr05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x05, x06, x07, x08, x09, x10, addr - DUP7 - %add_const(4) - // stack: addr04, x05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x04, x05, x06, x07, x08, x09, x10, addr - DUP8 - %add_const(3) - // stack: addr03, x04, x05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x03, x04, x05, x06, x07, x08, x09, x10, addr - DUP9 - %add_const(2) - // stack: addr02, x03, x04, x05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x02, x03, x04, x05, x06, x07, x08, x09, x10, addr - DUP10 - %add_const(1) - // stack: addr01, x02, x03, x04, x05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, addr - DUP11 - %add_const(11) - // stack: addr11, x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, addr - MLOAD_GENERAL - // stack: x11, x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, addr - SWAP11 - // stack: addr00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, x11 - MLOAD_GENERAL - // stack: x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, x11 -%endmacro - -%macro store_fp254_12 - // stack: ptr, x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, x10, x11 - %create_bn254_pairing_address - SWAP11 - // stack: x10, x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - DUP12 - %add_const(10) - // stack: addr10, x10, x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - DUP11 - // stack: addr00, x00, x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - DUP10 - %add_const(01) - // stack: addr01, x01, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - DUP9 - %add_const(02) - // stack: addr02, x02, x03, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x03, x04, x05, x06, x07, x08, x09, addr, x11 - DUP8 - %add_const(03) - // stack: addr03, x03, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x04, x05, x06, x07, x08, x09, addr, x11 - DUP7 - %add_const(04) - // stack: addr04, x04, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x05, x06, x07, x08, x09, addr, x11 - DUP6 - %add_const(05) - // stack: addr05, x05, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x06, x07, x08, x09, addr, x11 - DUP5 - %add_const(06) - // stack: addr06, x06, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x07, x08, x09, addr, x11 - DUP4 - %add_const(07) - // stack: addr07, x07, x08, x09, addr, x11 - %swap_mstore - // stack: x08, x09, addr, x11 - DUP3 - %add_const(08) - // stack: addr08, x08, x09, addr, x11 - %swap_mstore - // stack: x09, addr, x11 - DUP2 - %add_const(09) - // stack: addr09, x09, addr, x11 - %swap_mstore - // stack: addr, x11 - %add_const(11) - // stack: addr11, x11 - %swap_mstore - // stack: -%endmacro - -/// moves fp254_12 from src..src+12 to dest..dest+12 -/// these should not overlap. leaves scaled DEST on stack -%macro move_fp254_12 - // stack: src, dest - PUSH @SEGMENT_BN_PAIRING - GET_CONTEXT - %build_address_no_offset - DUP1 - // stack: base_addr, base_addr, src, dest - SWAP3 ADD - // stack: DEST, src, base_addr - SWAP2 ADD - // stack: SRC, DEST - DUP1 - // stack: addr00, SRC, DEST - MLOAD_GENERAL - // stack: x00, SRC, DEST - DUP3 - // stack: addr00', x00, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(1) - // stack: addr01, SRC, DEST - MLOAD_GENERAL - // stack: x01, SRC, DEST - DUP3 - %add_const(1) - // stack: addr01', x01, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(2) - // stack: addr02, SRC, DEST - MLOAD_GENERAL - // stack: x02, SRC, DEST - DUP3 - %add_const(2) - // stack: addr02', x02, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(3) - // stack: addr03, SRC, DEST - MLOAD_GENERAL - // stack: x03, SRC, DEST - DUP3 - %add_const(3) - // stack: addr03', x03, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(4) - // stack: addr04, SRC, DEST - MLOAD_GENERAL - // stack: x04, SRC, DEST - DUP3 - %add_const(4) - // stack: addr04', x04, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(5) - // stack: addr05, SRC, DEST - MLOAD_GENERAL - // stack: x05, SRC, DEST - DUP3 - %add_const(5) - // stack: addr05', x05, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(6) - // stack: addr06, SRC, DEST - MLOAD_GENERAL - // stack: x06, SRC, DEST - DUP3 - %add_const(6) - // stack: addr06', x06, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(7) - // stack: addr07, SRC, DEST - MLOAD_GENERAL - // stack: x07, SRC, DEST - DUP3 - %add_const(7) - // stack: addr07', x07, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(8) - // stack: addr08, SRC, DEST - MLOAD_GENERAL - // stack: x08, SRC, DEST - DUP3 - %add_const(8) - // stack: addr08', x08, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(9) - // stack: addr09, SRC, DEST - MLOAD_GENERAL - // stack: x09, SRC, DEST - DUP3 - %add_const(9) - // stack: addr09', x09, SRC, DEST - %swap_mstore - // stack: SRC, DEST - DUP1 - %add_const(10) - // stack: addr10, SRC, DEST - MLOAD_GENERAL - // stack: x10, SRC, DEST - DUP3 - %add_const(10) - // stack: addr10', x10, SRC, DEST - %swap_mstore - // stack: SRC, DEST - %add_const(11) - // stack: addr11, DEST - MLOAD_GENERAL - // stack: x11, DEST - DUP2 - %add_const(11) - // stack: addr11', x11, DEST - %swap_mstore -%endmacro - -%macro assert_eq_unit_fp254_12 - %assert_eq_const(1) - %rep 10 - OR - %endrep - %assert_zero -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/common.asm b/evm/src/cpu/kernel/asm/curve/common.asm deleted file mode 100644 index 50f174fac1..0000000000 --- a/evm/src/cpu/kernel/asm/curve/common.asm +++ /dev/null @@ -1,25 +0,0 @@ -global ret_zero_ec_mul: - // stack: x, y, s, retdest - %pop3 - // stack: retdest - PUSH 0 - // stack: 0, retdest - PUSH 0 - // stack: 0, 0, retdest - SWAP2 - // stack: retdest, 0, 0 - JUMP - -global ec_double_retself: - %stack (x, y, retdest) -> (retdest, x, y) - JUMP - -// Check if (x,y)==(0,0) -%macro ec_isidentity - // stack: x, y - OR - // stack: x | y - ISZERO - // stack: (x,y) == (0,0) -%endmacro - diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/curve_add.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/curve_add.asm deleted file mode 100644 index 43c47c5009..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/curve_add.asm +++ /dev/null @@ -1,287 +0,0 @@ -// #define N 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 // Secp256k1 scalar field order - -// Secp256k1 elliptic curve addition. -// Assumption: (x0,y0) and (x1,y1) are valid points. -global secp_add_valid_points: - // stack: x0, y0, x1, y1, retdest - - // Check if the first point is the identity. - DUP2 - // stack: y0, x0, y0, x1, y1, retdest - DUP2 - // stack: x0, y0, x0, y0, x1, y1, retdest - %ec_isidentity - // stack: (x0,y0)==(0,0), x0, y0, x1, y1, retdest - %jumpi(secp_add_first_zero) - // stack: x0, y0, x1, y1, retdest - - // Check if the second point is the identity. - DUP4 - // stack: y1, x0, y0, x1, y1, retdest - DUP4 - // stack: x1, y1, x0, y0, x1, y1, retdest - %ec_isidentity - // stack: (x1,y1)==(0,0), x0, y0, x1, y1, retdest - %jumpi(secp_add_snd_zero) - // stack: x0, y0, x1, y1, retdest - - // Check if both points have the same x-coordinate. - DUP3 - // stack: x1, x0, y0, x1, y1, retdest - DUP2 - // stack: x0, x1, x0, y0, x1, y1, retdest - EQ - // stack: x0 == x1, x0, y0, x1, y1, retdest - %jumpi(secp_add_equal_first_coord) -// Standard affine addition formula. -global secp_add_valid_points_no_edge_case: - // stack: x0, y0, x1, y1, retdest - // Compute lambda = (y0 - y1)/(x0 - x1) - %secp_base - // stack: N, x0, y0, x1, y1, retdest - DUP5 - DUP4 - // stack: y0, y1, N, x0, y0, x1, y1, retdest - SUBMOD - // stack: y0 - y1, x0, y0, x1, y1, retdest - %secp_base - // stack: N, y0 - y1, x0, y0, x1, y1, retdest - DUP5 - DUP4 - // stack: x0, x1, N, y0 - y1, x0, y0, x1, y1, retdest - SUBMOD - // stack: x0 - x1, y0 - y1, x0, y0, x1, y1, retdest - %moddiv_secp_base - // stack: lambda, x0, y0, x1, y1, retdest - %jump(secp_add_valid_points_with_lambda) - -// Secp256k1 elliptic curve addition. -// Assumption: (x0,y0) == (0,0) -secp_add_first_zero: - // stack: x0, y0, x1, y1, retdest - - // Just return (x1,y1) - %pop2 - // stack: x1, y1, retdest - SWAP1 - // stack: y1, x1, retdest - SWAP2 - // stack: retdest, x1, y1 - JUMP - -// Secp256k1 elliptic curve addition. -// Assumption: (x1,y1) == (0,0) -secp_add_snd_zero: - // stack: x0, y0, x1, y1, retdest - - // Just return (x1,y1) - SWAP2 - // stack: x1, y0, x0, y1, retdest - POP - // stack: y0, x0, y1, retdest - SWAP2 - // stack: y1, x0, y0, retdest - POP - // stack: x0, y0, retdest - SWAP1 - // stack: y0, x0, retdest - SWAP2 - // stack: retdest, x0, y0 - JUMP - -// Secp256k1 elliptic curve addition. -// Assumption: lambda = (y0 - y1)/(x0 - x1) -secp_add_valid_points_with_lambda: - // stack: lambda, x0, y0, x1, y1, retdest - - // Compute x2 = lambda^2 - x1 - x0 - %secp_base - // stack: N, lambda, x0, y0, x1, y1, retdest - DUP3 - // stack: x0, N, lambda, x0, y0, x1, y1, retdest - %secp_base - // stack: N, x0, N, lambda, x0, y0, x1, y1, retdest - DUP7 - // stack: x1, N, x0, N, lambda, x0, y0, x1, y1, retdest - %secp_base - // stack: N, x1, N, x0, N, lambda, x0, y0, x1, y1, retdest - DUP6 - // stack: lambda, N, x1, N, x0, N, lambda, x0, y0, x1, y1, retdest - DUP1 - // stack: lambda, lambda, N, x1, N, x0, N, lambda, x0, y0, x1, y1, retdest - MULMOD - // stack: lambda^2, x1, N, x0, N, lambda, x0, y0, x1, y1, retdest - SUBMOD - // stack: lambda^2 - x1, x0, N, lambda, x0, y0, x1, y1, retdest - SUBMOD - // stack: x2, lambda, x0, y0, x1, y1, retdest - - // Compute y2 = lambda*(x1 - x2) - y1 - %secp_base %secp_base %secp_base // Pre-load moduli for incoming SUBMODs - // stack: N, N, N, x2, lambda, x0, y0, x1, y1, retdest - DUP4 - // stack: x2, N, N, N, x2, lambda, x0, y0, x1, y1, retdest - DUP9 - // stack: x1, x2, N, N, N, x2, lambda, x0, y0, x1, y1, retdest - SUBMOD - // stack: x1 - x2, N, N, x2, lambda, x0, y0, x1, y1, retdest - DUP5 - // stack: lambda, x1 - x2, N, N, x2, lambda, x0, y0, x1, y1, retdest - MULMOD - // stack: lambda * (x1 - x2), N, x2, lambda, x0, y0, x1, y1, retdest - DUP8 - // stack: y1, lambda * (x1 - x2), N, x2, lambda, x0, y0, x1, y1, retdest - SWAP1 - // stack: lambda * (x1 - x2), y1, N, x2, lambda, x0, y0, x1, y1, retdest - SUBMOD - // stack: y2, x2, lambda, x0, y0, x1, y1, retdest - - // Return x2,y2 - SWAP5 - // stack: x1, x2, lambda, x0, y0, y2, y1, retdest - POP - // stack: x2, lambda, x0, y0, y2, y1, retdest - SWAP5 - // stack: y1, lambda, x0, y0, y2, x2, retdest - %pop4 - // stack: y2, x2, retdest - SWAP2 - // stack: retdest, x2, y2 - JUMP - -// Secp256k1 elliptic curve addition. -// Assumption: (x0,y0) and (x1,y1) are valid points and x0 == x1 -secp_add_equal_first_coord: - // stack: x0, y0, x1, y1, retdest with x0 == x1 - - // Check if the points are equal - DUP2 - // stack: y0, x0, y0, x1, y1, retdest - DUP5 - // stack: y1, y0, x0, y0, x1, y1, retdest - EQ - // stack: y1 == y0, x0, y0, x1, y1, retdest - %jumpi(secp_add_equal_points) - // stack: x0, y0, x1, y1, retdest - - // Otherwise, one is the negation of the other so we can return (0,0). - %pop4 - // stack: retdest - PUSH 0 - // stack: 0, retdest - PUSH 0 - // stack: 0, 0, retdest - SWAP2 - // stack: retdest, 0, 0 - JUMP - - -// Secp256k1 elliptic curve addition. -// Assumption: x0 == x1 and y0 == y1 -// Standard doubling formula. -secp_add_equal_points: - // Compute lambda = 3/2 * x0^2 / y0 - %stack (x0, y0, x1, y1, retdest) -> (x0, x0, @SECP_BASE, @SECP_BASE, x0, y0, x1, y1, retdest) - MULMOD - PUSH 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff7ffffe19 // 3/2 in the base field - MULMOD - DUP3 - %moddiv_secp_base - %jump(secp_add_valid_points_with_lambda) - -// Secp256k1 elliptic curve doubling. -// Assumption: (x,y) is a valid point. -// Standard doubling formula. -global secp_double: - // stack: x, y, retdest - DUP2 DUP2 %ec_isidentity - // stack: (x,y)==(0,0), x, y, retdest - %jumpi(ec_double_retself) - - // Compute lambda = 3/2 * x0^2 / y0 - %stack (x, y, retdest) -> (x, x, @SECP_BASE, @SECP_BASE, x, y, x, y, retdest) - MULMOD - PUSH 0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffff7ffffe19 // 3/2 in the base field - MULMOD - DUP3 - %moddiv_secp_base - // stack: lambda, x, y, x, y, retdest - %jump(secp_add_valid_points_with_lambda) - -// Push the order of the Secp256k1 scalar field. -%macro secp_base - PUSH @SECP_BASE -%endmacro - -// Modular subtraction. -%macro submod_secp_base - // stack: x, y - %stack (x, y) -> (x, y, @SECP_BASE) - SUBMOD -%endmacro - -// Check if (x,y) is a valid curve point. -// Puts y^2 % N == (x^3 + 3) % N & (x < N) & (y < N) || (x,y)==(0,0) on top of the stack. -%macro secp_check - // stack: x, y - %secp_base - // stack: N, x, y - DUP2 - // stack: x, N, x, y - LT - // stack: x < N, x, y - %secp_base - // stack: N, x < N, x, y - DUP4 - // stack: y, N, x < N, x, y - LT - // stack: y < N, x < N, x, y - AND - // stack: (y < N) & (x < N), x, y - SWAP2 - // stack: y, x, (y < N) & (x < N), x - SWAP1 - // stack: x, y, (y < N) & (x < N) - %secp_base - // stack: N, x, y, b - %secp_base - // stack: N, N, x, y, b - DUP3 - // stack: x, N, N, x, y, b - %secp_base - // stack: N, x, N, N, x, y, b - DUP2 - // stack: x, N, x, N, N, x, y, b - DUP1 - // stack: x, x, N, x, N, N, x, y, b - MULMOD - // stack: x^2 % N, x, N, N, x, y, b - MULMOD - // stack: x^3 % N, N, x, y, b - PUSH 7 - // stack: 7, x^3 % N, N, x, y, b - ADDMOD - // stack: (x^3 + 7) % N, x, y, b - DUP3 - // stack: y, (x^3 + 7) % N, x, y, b - %secp_base - // stack: N, y, (x^3 + 7) % N, x, y, b - SWAP1 - // stack: y, N, (x^3 + 7) % N, x, y, b - DUP1 - // stack: y, y, N, (x^3 + 7) % N, x, y, b - MULMOD - // stack: y^2 % N, (x^3 + 7) % N, x, y, b - EQ - // stack: y^2 % N == (x^3 + 7) % N, x, y, b - SWAP2 - // stack: y, x, y^2 % N == (x^3 + 7) % N, b - %ec_isidentity - // stack: (x,y)==(0,0), y^2 % N == (x^3 + 7) % N, b - SWAP2 - // stack: b, y^2 % N == (x^3 + 7) % N, (x,y)==(0,0) - AND - // stack: y^2 % N == (x^3 + 7) % N & (x < N) & (y < N), (x,y)==(0,0) - OR - // stack: y^2 % N == (x^3 + 7) % N & (x < N) & (y < N) || (x,y)==(0,0) -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/ecrecover.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/ecrecover.asm deleted file mode 100644 index c11031004f..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/ecrecover.asm +++ /dev/null @@ -1,186 +0,0 @@ -// ecrecover precompile. -global ecrecover: - // stack: hash, v, r, s, retdest - - // Check if inputs are valid. - %ecrecover_input_check - // stack: isValid(v,r,s), hash, v, r, s, retdest - - %stack (valid, hash, v, r, s, retdest) -> (v, 27, r, hash, valid, r, s, retdest) - SUB - // stack: v - 27, r, hash, isValid(v,r,s), r, s, retdest - SWAP1 - // stack: r, v - 27, hash, isValid(v,r,s), r, s, retdest - %secp_lift_x - // stack: y, sqrtOk, hash, isValid(v,r,s), r, s, retdest - - // If inputs are invalid or lifting fails, abort. - SWAP3 - // stack: isValid(v,r,s), sqrtOk, hash, y, r, s, retdest - AND - // stack: isValid(v,r,s) & sqrtOk, hash, y, r, s, retdest - %jumpi(ecrecover_valid_input) - // stack: hash, y, r, s, retdest - %pop4 - // stack: retdest - %ecrecover_invalid_input - -// ecrecover precompile. -// Assumption: Inputs are valid. -// Pseudo-code: -// let P = lift_x(r, recovery_id); -// let r_inv = r.inverse(); -// let u1 = s * r_inv; -// let u2 = -hash * r_inv; -// return u1*P + u2*GENERATOR; -ecrecover_valid_input: - // stack: hash, y, r, s, retdest - - // Compute u1 = s * r^(-1) - SWAP1 - // stack: y, hash, r, s, retdest - DUP3 - // stack: r, y, hash, x, s, retdest (r=x) - %inverse_secp_scalar - // stack: r^(-1), y, hash, x, s, retdest - DUP1 - // stack: r^(-1), r^(-1), y, hash, x, s, retdest - SWAP5 - // stack: s, r^(-1), y, hash, x, r^(-1), retdest - %mulmodn_secp_scalar - // stack: u1, y, hash, x, r^(-1), retdest - - // Compute u2 = -hash * r^(-1) - %stack (u1, y, hash, x, rinv, retdest) -> (hash, @SECP_SCALAR, @SECP_SCALAR, rinv, @SECP_SCALAR, u1, x, y, pubkey_to_addr, retdest) - MOD SWAP1 SUB MULMOD - // stack: u2, u1, x, y, pubkey_to_addr, retdest - %jump(ecdsa_msm_with_glv) - -// Computes `a * G + b * Q` using GLV+precomputation, where `G` is the Secp256k1 generator and `Q` is a point on the curve. -// Pseudo-code: -// precompute_table(G) -- precomputation table for the combinations of `G, phi(G), Q, phi(Q)`. -// let a0, a1 = glv_decompose(a) -// let b0, b1 = glv_decompose(b) -// return msm_with_precomputation([a0, a1, b0, b1], [G, phi(G), Q, phi(Q)]) -- phi is the Secp endomorphism. -ecdsa_msm_with_glv: - %stack (a, b, Qx, Qy, retdest) -> (a, ecdsa_after_glv_a, b, Qx, Qy, retdest) - %jump(secp_glv_decompose) -ecdsa_after_glv_a: - %stack (a1neg, a0, a1, b, Qx, Qy, retdest) -> (b, ecdsa_after_glv_b, a1neg, a0, a1, Qx, Qy, retdest) - %jump(secp_glv_decompose) -ecdsa_after_glv_b: - %stack (b1neg, b0, b1, a1neg, a0, a1, Qx, Qy, retdest) -> (a1neg, b1neg, Qx, Qy, ecdsa_after_precompute, a0, a1, b0, b1, retdest) - %jump(secp_precompute_table) -ecdsa_after_precompute: - // stack: a0, a1, b0, b1, retdest - PUSH 0 PUSH 0 PUSH 129 // 129 is the bit length of the GLV exponents - // stack: i, accx, accy, a0, a1, b0, b1, retdest -ecdsa_after_precompute_loop: - %stack (i, accx, accy, a0, a1, b0, b1, retdest) -> (i, b1, i, accx, accy, a0, a1, b0, b1, retdest) - SHR %and_const(1) - %stack (bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) -> (i, b0, bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) - SHR %and_const(1) - %stack (bit_b0, bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) -> (i, a1, bit_b0, bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) - SHR %and_const(1) - %stack (bit_a1, bit_b0, bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) -> (i, a0, bit_a1, bit_b0, bit_b1, i, accx, accy, a0, a1, b0, b1, retdest) - SHR %and_const(1) - %mul_const(2) ADD %mul_const(2) ADD %mul_const(2) ADD - %stack (index, i, accx, accy, a0, a1, b0, b1, retdest) -> (index, index, i, accx, accy, a0, a1, b0, b1, retdest) - %mul_const(2) %add_const(1) - %mload_current(@SEGMENT_ECDSA_TABLE) - SWAP1 %mul_const(2) - %mload_current(@SEGMENT_ECDSA_TABLE) - %stack (Px, Py, i, accx, accy, a0, a1, b0, b1, retdest) -> (Px, Py, accx, accy, ecdsa_after_precompute_loop_contd, i, a0, a1, b0, b1, retdest) - %jump(secp_add_valid_points) -ecdsa_after_precompute_loop_contd: - %stack (accx, accy, i, a0, a1, b0, b1, retdest) -> (i, accx, accy, ecdsa_after_precompute_loop_contd2, i, a0, a1, b0, b1, retdest) - ISZERO %jumpi(ecdsa_after_precompute_loop_end) - %jump(secp_double) -ecdsa_after_precompute_loop_contd2: - %stack (accx, accy, i, a0, a1, b0, b1, retdest) -> (i, 1, accx, accy, a0, a1, b0, b1, retdest) - SUB // i - 1 - %jump(ecdsa_after_precompute_loop) -ecdsa_after_precompute_loop_end: - // Check that the public key is not the point at infinity. See https://github.com/ethereum/eth-keys/pull/76 for discussion. - DUP2 DUP2 ISZERO SWAP1 ISZERO MUL %jumpi(pk_is_infinity) - %stack (accx, accy, ecdsa_after_precompute_loop_contd2, i, a0, a1, b0, b1, retdest) -> (retdest, accx, accy) - JUMP - -pk_is_infinity: - %stack (accx, accy, ecdsa_after_precompute_loop_contd2, i, a0, a1, b0, b1, pubkey_to_addr, retdest) -> (retdest, @U256_MAX) - JUMP - -// Take a public key (PKx, PKy) and return the associated address KECCAK256(PKx || PKy)[-20:]. -pubkey_to_addr: - // stack: PKx, PKy, retdest - %keccak256_u256_pair - // stack: hash, retdest - %u256_to_addr - // stack: address, retdest - SWAP1 - // stack: retdest, address - JUMP - -// Check if v, r, and s are in correct form. -// Returns r < N & r!=0 & s < N & s!=0 & (v==28 || v==27). -%macro ecrecover_input_check - // stack: hash, v, r, s, retdest - DUP2 - // stack: v, hash, v, r, s, retdest - %eq_const(27) - // stack: v==27, hash, v, r, s, retdest - DUP3 - // stack: v, v==27, hash, v, r, s, retdest - %eq_const(28) - // stack: v==28, v==27, hash, v, r, s, retdest - ADD // OR - // stack: (v==28 || v==27), hash, v, r, s, retdest - DUP5 - // stack: s, (v==28 || v==27), hash, v, r, s, retdest - %secp_is_out_of_bounds - // stack: (s >= N || s==0), (v==28 || v==27), hash, v, r, s, retdest - DUP5 - // stack: r, (s >= N || s==0), (v==28 || v==27), hash, v, r, s, retdest - %secp_is_out_of_bounds - // stack: (r >= N || r==0), (s >= N || s==0), (v==28 || v==27), hash, v, r, s, retdest - ADD // OR - // stack: (r >= N || r==0 || s >= N || s==0), (v==28 || v==27), hash, v, r, s, retdest - ISZERO - // stack: (r < N & r!=0 & s < N & s!=0), (v==28 || v==27), hash, v, r, s, retdest - AND - // stack: r < N & r!=0 & s < N & s!=0 & (v==28 || v==27), hash, v, r, s, retdest -%endmacro - -%macro secp_is_out_of_bounds - // stack: x - DUP1 - // stack: x, x - ISZERO - // stack: x==0, x - SWAP1 - // stack: x, x==0 - %secp_scalar - // stack: N, x, x==0 - SWAP1 - // stack: x, N, x==0 - LT - // stack: x < N, x==0 - ISZERO - // stack: x >= N, x==0 - ADD // OR - // stack: x >= N || x==0 -%endmacro - -%macro secp_scalar - PUSH @SECP_SCALAR -%endmacro - -// Return u256::MAX which is used to indicate the input was invalid. -%macro ecrecover_invalid_input - // stack: retdest - PUSH @U256_MAX - // stack: u256::MAX, retdest - SWAP1 - // stack: retdest, u256::MAX - JUMP -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/glv.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/glv.asm deleted file mode 100644 index 26d887f269..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/glv.asm +++ /dev/null @@ -1,104 +0,0 @@ -// Inspired by https://github.com/AztecProtocol/weierstrudel/blob/master/huff_modules/endomorphism.huff -// See also Sage code in evm/src/cpu/kernel/tests/ecc/secp_glv_test_data -// Given scalar `k ∈ Secp256k1::ScalarField`, return `u, k1, k2` with `k1,k2 < 2^129` and such that -// `k = k1 - s*k2` if `u==0` otherwise `k = k1 + s*k2`, where `s` is the scalar value representing the endomorphism. -// In the comments below, N means @SECP_SCALAR -// -// Z3 proof that the resulting `k1, k2` satisfy `k1>0`, `k1 < 2^129` and `|k2| < 2^129`. -// ```python -// from z3 import Solver, Int, Or, unsat -// q = 115792089237316195423570985008687907852837564279074904382605163141518161494337 -// glv_s = 37718080363155996902926221483475020450927657555482586988616620542887997980018 -// g1 = 303414439467246543595250775667605759172 -// g2 = 64502973549206556628585045361533709077 -// b2 = 64502973549206556628585045361533709077 -// b1 = -303414439467246543595250775667605759171 -// k = Int("k") -// c1 = Int("c1") -// c2 = Int("c2") -// s = Solver() -// -// c2p = -c2 -// s.add(k < q) -// s.add(0 < k) -// s.add(c1 * (2**256) <= g2 * k) -// s.add((c1 + 1) * (2**256) > g2 * k) -// s.add(c2p * (2**256) <= g1 * k) -// s.add((c2p + 1) * (2**256) > g1 * k) -// -// q1 = c1 * b1 -// q2 = c2 * b2 -// -// k2 = q2 - q1 -// k2L = (glv_s * k2) % q -// k1 = k - k2L -// -// s.add(Or((k2 >= 2**129), (-k2 >= 2**129), (k1 >= 2**129), (k1 < 0))) -// assert s.check() == unsat -// ``` -global secp_glv_decompose: - // stack: k, retdest - PUSH @SECP_SCALAR DUP1 DUP1 - // Compute c2 which is the top 256 bits of k*g1. Use asm from https://medium.com/wicketh/mathemagic-full-multiply-27650fec525d. - PUSH @U256_MAX - // stack: -1, N, N, N, k, retdest - PUSH @SECP_GLV_MINUS_G1 DUP6 - // stack: k, g1, -1, N, N, N, k, retdest - MULMOD - // stack: (k * g1 % -1), N, N, N, k, retdest - PUSH @SECP_GLV_MINUS_G1 DUP6 - // stack: k, g1, (k * g1 % -1), N, N, N, k, retdest - MUL - // stack: bottom = (k * g1), (k * g1 % -1), N, N, N, k, retdest - DUP1 DUP3 - // stack: (k * g1 % -1), bottom, bottom, (k * g1 % -1), N, N, N, k, retdest - LT SWAP2 SUB SUB - // stack: c2, N, N, N, k, retdest - PUSH @SECP_GLV_B2 MULMOD - // stack: q2=c2*b2, N, N, k, retdest - - // Use the same trick to compute c1 = top 256 bits of g2*k. - PUSH @SECP_SCALAR PUSH @U256_MAX - PUSH @SECP_GLV_G2 DUP7 MULMOD - PUSH @SECP_GLV_G2 DUP7 MUL - DUP1 DUP3 LT - SWAP2 SUB SUB - // stack: c1, N, q2, N, N, k, retdest - PUSH @SECP_GLV_B1 MULMOD - // stack: q1, q2, N, N, k, retdest - - // We compute k2 = q1 + q2 - N, but we check for underflow and return N-q1-q2 instead if there is one, - // along with a flag `underflow` set to 1 if there is an underflow, 0 otherwise. - ADD %sub_check_underflow - // stack: k2, underflow, N, k, retdest - SWAP3 PUSH @SECP_SCALAR DUP5 PUSH @SECP_GLV_S - // stack: s, k2, N, k, underflow, N, k2, retdest - MULMOD - // stack: s*k2, k, underflow, N, k2, retdest - // Need to return `k + s*k2` if no underflow occur, otherwise return `k - s*k2` which is done in the `underflowed` fn. - SWAP2 DUP1 %jumpi(underflowed) - %stack (underflow, k, x, N, k2) -> (k, x, N, k2, underflow) - ADDMOD - %stack (k1, k2, underflow, retdest) -> (retdest, underflow, k1, k2) - JUMP - -underflowed: - // stack: underflow, k, s*k2, N, k2 - // Compute (k-s*k2)%N. - %stack (u, k, x, N, k2) -> (k, x, N, k2, u) - SUBMOD - %stack (k1, k2, underflow, retdest) -> (retdest, underflow, k1, k2) - JUMP - -%macro sub_check_underflow - // stack: x, y - DUP2 DUP2 LT - // stack: x=y, x (x, y, b, a, c) - SUB MUL ADD - %stack (res, bool) -> (res, @SECP_SCALAR, bool) - MOD -%endmacro - diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/inverse_scalar.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/inverse_scalar.asm deleted file mode 100644 index 6e1563e2f2..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/inverse_scalar.asm +++ /dev/null @@ -1,31 +0,0 @@ -/// Division modulo 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141, the Secp256k1 scalar field order -/// To replace with more efficient method using non-determinism later. - -%macro mulmodn_secp_scalar - // stack: x, y - %secp_scalar - // stack: N, x, y - SWAP2 - // stack: y, x, N - MULMOD -%endmacro - -%macro squaremodn_secp_scalar - // stack: x - DUP1 - // stack: x, x - %mulmodn_secp_scalar -%endmacro - -// Non-deterministically provide the inverse modulo N. -%macro inverse_secp_scalar - // stack: x - PROVER_INPUT(ff::secp256k1_scalar::inverse) - // stack: x^-1, x - %stack (inv, x) -> (inv, x, @SECP_SCALAR, inv) - // stack: x^-1, x, N, x^-1 - MULMOD - // stack: x^-1 * x, x^-1 - %assert_eq_const(1) - // stack: x^-1 -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/lift_x.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/lift_x.asm deleted file mode 100644 index 77e484be5c..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/lift_x.asm +++ /dev/null @@ -1,73 +0,0 @@ -// Returns y such that (x,y) is on Secp256k1 and y&1 = parity, -// as well as a flag indicating whether such a y exists. -%macro secp_lift_x - // stack: x, parity - %cubemodn_secp_base - // stack: x^3, parity - PUSH 7 - // stack: 7, x^3, parity - %addmodn_secp_base - // stack: x^3+7, x, parity - DUP1 - // stack: x^3+7, x^3+7, parity - %sqrt_secp_base_unsafe - // stack: y, x^3+7, x, parity - SWAP1 - // stack: x^3+7, y, parity - DUP2 - // stack: y, x^3+7, y, parity - %squaremodn_secp_base - // stack: y^2, x^3+7, y, parity - EQ - // stack: sqrtOk, y, parity - SWAP2 - // stack: parity, y, sqrtOk - DUP2 - // stack: y, parity, y, sqrtOk - PUSH 1 - // stack: 1, y, parity, y, sqrtOk - AND - // stack: 1 & y, parity, y, sqrtOk - EQ - // stack: correctParity, y, sqrtOk - DUP2 - // stack: y, correctParity, y, sqrtOk - %secp_base - // stack: N, y, correctParity, y, sqrtOk - SUB - // stack: N - y, correctParity, y, sqrtOk - SWAP1 - // stack: correctParity, N - y, y, sqrtOk - %select_bool - // stack: goody, sqrtOk -%endmacro - -%macro cubemodn_secp_base - // stack: x - DUP1 - // stack: x, x - %squaremodn_secp_base - // stack: x^2, x - %mulmodn_secp_base -%endmacro - -%macro addmodn_secp_base - // stack: x, y - %secp_base - // stack: N, x, y - SWAP2 - // stack: y, x, N - ADDMOD -%endmacro - -// Non-deterministically provide the square root modulo N. -// Note: The square root is not checked and the macro doesn't panic if `x` is not a square. -%macro sqrt_secp_base_unsafe - // stack: x - PROVER_INPUT(ff::secp256k1_base::sqrt) - // stack: √x, x - SWAP1 - // stack: x, √x - POP - // stack: √x -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/moddiv.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/moddiv.asm deleted file mode 100644 index d878dc1404..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/moddiv.asm +++ /dev/null @@ -1,39 +0,0 @@ -/// Division modulo 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f, the Secp256k1 base field order -/// To replace with more efficient method using non-determinism later. - -// Returns y * (x^-1) where the inverse is taken modulo N -%macro moddiv_secp_base - // stack: x, y - %inverse_secp_base - // stack: x^-1, y - %mulmodn_secp_base -%endmacro - -%macro mulmodn_secp_base - // stack: x, y - %secp_base - // stack: N, x, y - SWAP2 - // stack: y, x, N - MULMOD -%endmacro - -%macro squaremodn_secp_base - // stack: x - DUP1 - // stack: x, x - %mulmodn_secp_base -%endmacro - -// Non-deterministically provide the inverse modulo N. -%macro inverse_secp_base - // stack: x - PROVER_INPUT(ff::secp256k1_base::inverse) - // stack: x^-1, x - %stack (inv, x) -> (inv, x, @SECP_BASE, inv) - // stack: x^-1, x, N, x^-1 - MULMOD - // stack: x^-1 * x, x^-1 - %assert_eq_const(1) - // stack: x^-1 -%endmacro diff --git a/evm/src/cpu/kernel/asm/curve/secp256k1/precomputation.asm b/evm/src/cpu/kernel/asm/curve/secp256k1/precomputation.asm deleted file mode 100644 index b6bed1b0a9..0000000000 --- a/evm/src/cpu/kernel/asm/curve/secp256k1/precomputation.asm +++ /dev/null @@ -1,74 +0,0 @@ -// Initial stack: Gneg, Qneg, Qx, Qy, retdest -// Compute a*G ± b*phi(G) + c*Q ± d*phi(Q) for a,b,c,d in {0,1}^4 and store its x-coordinate at location `2*(8a+4b+2c+d)` and its y-coordinate at location `2*(8a+4b+2c+d)+1` in the SEGMENT_ECDSA_TABLE segment. -global secp_precompute_table: - // First store G, ± phi(G), G ± phi(G) - // Use Gneg for the ±, e.g., ±phi(G) is computed as `Gneg * (-phi(G)) + (1-Gneg)*phi(G)` (note only the y-coordinate needs to be filtered). - // stack: Gneg, Qneg, Qx, Qy, retdest - PUSH 32670510020758816978083085130507043184471273380659243275938904335757337482424 PUSH 17 PUSH 55066263022277343669578718895168534326250603453777594175500187360389116729240 PUSH 16 - %mstore_current(@SEGMENT_ECDSA_TABLE) %mstore_current(@SEGMENT_ECDSA_TABLE) - - DUP1 DUP1 %mul_const(32670510020758816978083085130507043184471273380659243275938904335757337482424) SWAP1 PUSH 1 SUB %mul_const(83121579216557378445487899878180864668798711284981320763518679672151497189239) ADD - PUSH 9 PUSH 85340279321737800624759429340272274763154997815782306132637707972559913914315 PUSH 8 - %mstore_current(@SEGMENT_ECDSA_TABLE) %mstore_current(@SEGMENT_ECDSA_TABLE) - - DUP1 DUP1 %mul_const(83121579216557378445487899878180864668798711284981320763518679672151497189239) SWAP1 PUSH 1 SUB %mul_const(100652675408719987021357910538015346127426077519185866739835120963490438734674) ADD - PUSH 25 - %mstore_current(@SEGMENT_ECDSA_TABLE) - - DUP1 %mul_const(91177636130617246552803821781935006617134368061721227770777272682868638699771) SWAP1 PUSH 1 SUB %mul_const(66837770201594535779099350687042404727408598709762866365333192677982385899440) ADD - PUSH 24 - %mstore_current(@SEGMENT_ECDSA_TABLE) - - // Then store Q, ±phi(Q), Q ± phi(Q) - %stack (Qneg, Qx, Qy, retdest) -> (4, Qx, 5, Qy, Qx, @SECP_BASE, Qneg, Qx, Qy, retdest) - %mstore_current(@SEGMENT_ECDSA_TABLE) %mstore_current(@SEGMENT_ECDSA_TABLE) - // stack: Qx, @SECP_BASE, Qx, Qy, retdest - PUSH @SECP_GLV_BETA MULMOD - %stack (betaQx, Qneg, Qx, Qy, retdest) -> (Qneg, Qy, Qneg, betaQx, Qx, Qy, retdest) - MUL SWAP1 PUSH 1 SUB - // stack: 1-Qneg, Qneg*Qy, betaQx, Qx, Qy, retdest - DUP5 PUSH @SECP_BASE SUB MUL ADD - %stack (selectQy, betaQx, Qx, Qy, retdest) -> (2, betaQx, 3, selectQy, betaQx, selectQy, Qx, Qy, precompute_table_contd, retdest) - %mstore_current(@SEGMENT_ECDSA_TABLE) %mstore_current(@SEGMENT_ECDSA_TABLE) - %jump(secp_add_valid_points_no_edge_case) -precompute_table_contd: - %stack (x, y, retdest) -> (6, x, 7, y, retdest) - %mstore_current(@SEGMENT_ECDSA_TABLE) %mstore_current(@SEGMENT_ECDSA_TABLE) - PUSH 2 -// Use a loop to store a*G ± b*phi(G) + c*Q ± d*phi(Q) for a,b,c,d in {0,1}^4. -precompute_table_loop: - // stack: i, retdest - DUP1 %increment %mload_current(@SEGMENT_ECDSA_TABLE) - %stack (y, i, retdest) -> (i, y, i, retdest) - %mload_current(@SEGMENT_ECDSA_TABLE) - PUSH precompute_table_loop_contd - DUP3 DUP3 - PUSH 9 %mload_current(@SEGMENT_ECDSA_TABLE) - PUSH 8 %mload_current(@SEGMENT_ECDSA_TABLE) - // stack: Gx, Gy, x, y, precompute_table_loop_contd, x, y, i, retdest - %jump(secp_add_valid_points) -precompute_table_loop_contd: - %stack (Rx, Ry, x, y, i, retdest) -> (i, 8, Rx, i, 9, Ry, x, y, i, retdest) - ADD %mstore_current(@SEGMENT_ECDSA_TABLE) ADD %mstore_current(@SEGMENT_ECDSA_TABLE) - DUP2 DUP2 - PUSH 17 %mload_current(@SEGMENT_ECDSA_TABLE) - PUSH 16 %mload_current(@SEGMENT_ECDSA_TABLE) - %stack (Gx, Gy, x, y, x, y, i, retdest) -> (Gx, Gy, x, y, precompute_table_loop_contd2, x, y, i, retdest) - %jump(secp_add_valid_points) -precompute_table_loop_contd2: - %stack (Rx, Ry, x, y, i, retdest) -> (i, 16, Rx, i, 17, Ry, x, y, i, retdest) - ADD %mstore_current(@SEGMENT_ECDSA_TABLE) ADD %mstore_current(@SEGMENT_ECDSA_TABLE) - PUSH 25 %mload_current(@SEGMENT_ECDSA_TABLE) - PUSH 24 %mload_current(@SEGMENT_ECDSA_TABLE) - %stack (Gx, Gy, x, y, i, retdest) -> (Gx, Gy, x, y, precompute_table_loop_contd3, i, retdest) - %jump(secp_add_valid_points) -precompute_table_loop_contd3: - %stack (Rx, Ry, i, retdest) -> (i, 24, Rx, i, 25, Ry, i, retdest) - ADD %mstore_current(@SEGMENT_ECDSA_TABLE) ADD %mstore_current(@SEGMENT_ECDSA_TABLE) - %add_const(2) - DUP1 %eq_const(8) %jumpi(precompute_table_end) - %jump(precompute_table_loop) - -precompute_table_end: - // stack: i, retdest - POP JUMP diff --git a/evm/src/cpu/kernel/asm/curve/wnaf.asm b/evm/src/cpu/kernel/asm/curve/wnaf.asm deleted file mode 100644 index f554bc649d..0000000000 --- a/evm/src/cpu/kernel/asm/curve/wnaf.asm +++ /dev/null @@ -1,74 +0,0 @@ -// wNAF expansion with w=5. -// Stores the reversed expansion of the given scalar in memory at the given segment and offsets 0..130. -// Should be called with scalars of bit length <= 129, which is the case when using GLV. -// Pseudo-code: -// def wnaf(n): -// ans = [0 for _ in range(130)] -// o = 0 -// while n != 0: -// i = n.trailing_zero_bits() -// o += i -// n >>= i -// m = n & 31 -// ans[o] = m -// if m > 16: -// ne += 32 -// ne -= m -// return ans -global wnaf: - // stack: N, segment, n, retdest (N is the size of the group in which the mul is taking place) - DUP3 MOD ISZERO %jumpi(wnaf_zero_scalar) - PUSH 0 -wnaf_loop: - %stack (o, segment, n, retdest) -> (n, wnaf_loop_contd, o, segment, retdest) - %jump(trailing_zeros) -wnaf_loop_contd: - %stack (n, i, o, segment, retdest) -> (o, i, n, segment, retdest) - ADD - %stack (o, n, segment, retdest) -> (n, segment, o, retdest) - DUP1 %and_const(31) SWAP1 - PUSH 16 DUP3 GT - // stack: m>16, n, m, segment, o, retdest - %mul_const(32) ADD - // stack: n, m, segment, o, retdest - DUP2 SWAP1 SUB - %stack (n, m, segment, o, retdest) -> (129, o, m, o, segment, n, retdest) - SUB - // stack: i, m, o, segment, n, retdest - DUP4 - GET_CONTEXT - %build_address - // stack: addr, m, o, segment, n, retdest - SWAP1 - MSTORE_GENERAL - // stack: o, segment, n, retdest - DUP3 ISZERO %jumpi(wnaf_end) - // stack: o, segment, n, retdest - %jump(wnaf_loop) - -wnaf_end: - // stack: o, segment, n, retdest - %pop3 JUMP - -wnaf_zero_scalar: - // stack: segment, n, retdest - %pop2 JUMP - - - -// Number of trailing zeros computed with a simple loop and returning the scalar without its lsb zeros. -trailing_zeros: - // stack: x, retdest - PUSH 0 -trailing_zeros_loop: - // stack: count, x, retdest - PUSH 1 DUP3 AND - // stack: x&1, count, x, retdest - %jumpi(trailing_zeros_end) - // stack: count, x, retdest - %increment SWAP1 PUSH 1 SHR SWAP1 - // stack: count, x>>1, retdest - %jump(trailing_zeros_loop) -trailing_zeros_end: - %stack (count, x, retdest) -> (retdest, x, count) - JUMP diff --git a/evm/src/cpu/kernel/asm/exp.asm b/evm/src/cpu/kernel/asm/exp.asm deleted file mode 100644 index 4b798e841c..0000000000 --- a/evm/src/cpu/kernel/asm/exp.asm +++ /dev/null @@ -1,102 +0,0 @@ -/// Recursive implementation of exp. -/// Equivalent to: -/// def exp(x, e): -/// if e == 0: -/// # The path where JUMPI does not jump to `step_case` -/// return 1 -/// else: -/// # This is under the `step_case` label -/// return (x if e % 2 else 1) * exp(x * x, e // 2) -/// Note that this correctly handles exp(0, 0) == 1. - -global exp: - // stack: x, e, retdest - dup2 - // stack: e, x, e, retdest - %jumpi(step_case) - // stack: x, e, retdest - pop - // stack: e, retdest - pop - // stack: retdest - push 1 - // stack: 1, retdest - swap1 - // stack: retdest, 1 - jump - -step_case: - // stack: x, e, retdest - push recursion_return - // stack: recursion_return, x, e, retdest - push 2 - // stack: 2, recursion_return, x, e, retdest - dup4 - // stack: e, 2, recursion_return, x, e, retdest - div - // stack: e / 2, recursion_return, x, e, retdest - dup3 - // stack: x, e / 2, recursion_return, x, e, retdest - %square - // stack: x * x, e / 2, recursion_return, x, e, retdest - %jump(exp) -recursion_return: - // stack: exp(x * x, e / 2), x, e, retdest - push 2 - // stack: 2, exp(x * x, e / 2), x, e, retdest - dup4 - // stack: e, 2, exp(x * x, e / 2), x, e, retdest - mod - // stack: e % 2, exp(x * x, e / 2), x, e, retdest - push 1 - // stack: 1, e % 2, exp(x * x, e / 2), x, e, retdest - dup4 - // stack: x, 1, e % 2, exp(x * x, e / 2), x, e, retdest - sub - // stack: x - 1, e % 2, exp(x * x, e / 2), x, e, retdest - mul - // stack: (x - 1) * (e % 2), exp(x * x, e / 2), x, e, retdest - push 1 - // stack: 1, (x - 1) * (e % 2), exp(x * x, e / 2), x, e, retdest - add - // stack: 1 + (x - 1) * (e % 2), exp(x * x, e / 2), x, e, retdest - mul - // stack: (1 + (x - 1) * (e % 2)) * exp(x * x, e / 2), x, e, retdest - swap3 - // stack: retdest, x, e, (1 + (x - 1) * (e % 2)) * exp(x * x, e / 2) - swap2 - // stack: e, x, retdest, (1 + (x - 1) * (e % 2)) * exp(x * x, e / 2) - pop - // stack: x, retdest, (1 + (x - 1) * (e % 2)) * exp(x * x, e / 2) - pop - // stack: retdest, (1 + (x - 1) * (e % 2)) * exp(x * x, e / 2) - jump - -global sys_exp: - %stack (return_info, x, e) -> (x, e, return_info) - push 0 - // stack: shift, x, e, return_info - %jump(sys_exp_gas_loop_enter) -sys_exp_gas_loop: - %add_const(8) -sys_exp_gas_loop_enter: - dup3 - dup2 - shr - // stack: e >> shift, shift, x, e, return_info - %jumpi(sys_exp_gas_loop) - // stack: shift_bits, x, e, return_info - %shr_const(3) - // stack: byte_size_of_e := shift_bits / 8, x, e, return_info - %mul_const(@GAS_EXPBYTE) - %add_const(@GAS_EXP) - // stack: gas_cost := 10 + 50 * byte_size_of_e, x, e, return_info - %stack(gas_cost, x, e, return_info) -> (gas_cost, return_info, x, e) - %charge_gas - - %stack(return_info, x, e) -> (x, e, sys_exp_return, return_info) - %jump(exp) -sys_exp_return: - // stack: pow(x, e), return_info - swap1 - exit_kernel diff --git a/evm/src/cpu/kernel/asm/halt.asm b/evm/src/cpu/kernel/asm/halt.asm deleted file mode 100644 index 49561fd660..0000000000 --- a/evm/src/cpu/kernel/asm/halt.asm +++ /dev/null @@ -1,2 +0,0 @@ -global halt: - PANIC diff --git a/evm/src/cpu/kernel/asm/hash/blake2/addresses.asm b/evm/src/cpu/kernel/asm/hash/blake2/addresses.asm deleted file mode 100644 index 3244cfa1f2..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/addresses.asm +++ /dev/null @@ -1,31 +0,0 @@ -// Address where the working version of the hash value is stored. -// It is ready to be used, i.e. already containing the current context -// and SEGMENT_KERNEL_GENERAL. -%macro blake2_hash_value_addr - %build_current_general_address_no_offset - DUP1 - MLOAD_GENERAL - // stack: num_blocks, addr - %block_size - %add_const(2) - // stack: num_bytes+2, addr - ADD - // stack: addr -%endmacro - -// Address where the working version of the compression internal state is stored. -%macro blake2_internal_state_addr - %blake2_hash_value_addr - %add_const(8) -%endmacro - -// Address where the current message block is stored. -%macro blake2_message_addr - %blake2_internal_state_addr - %add_const(16) -%endmacro - -// Block size is 128 bytes. -%macro block_size - %mul_const(128) -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/hash/blake2/blake2_f.asm b/evm/src/cpu/kernel/asm/hash/blake2/blake2_f.asm deleted file mode 100644 index d1a4a2ab64..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/blake2_f.asm +++ /dev/null @@ -1,141 +0,0 @@ -global blake2_f: - // stack: rounds, h0...h7, m0...m15, t0, t1, flag, retdest - - // Store the hash values. - %blake2_hash_value_addr - // stack: addr, rounds, h0...h7, m0...m15, t0, t1, flag, retdest - %rep 8 - // stack: addr, rounds, h_i, ... - %stack (addr, rounds, h_i) -> (h_i, addr, addr, rounds) - // stack: h_i, addr, addr, rounds, ... - MSTORE_GENERAL - %increment - %endrep - - // stack: addr, rounds, m0...m15, t0, t1, flag, retdest - POP - // stack: rounds, m0...m15, t0, t1, flag, retdest - - // Save the message to the message working space. - %blake2_message_addr - // stack: message_addr, rounds, m0...m15, t0, t1, flag, retdest - %rep 16 - // stack: message_addr, rounds, m_i, ... - %stack (message_addr, rounds, m_i) -> (m_i, message_addr, message_addr, rounds) - // stack: m_i, message_addr, message_addr, rounds, ... - MSTORE_GENERAL - %increment - %endrep - - // stack: message_addr, rounds, t0, t1, flag, retdest - POP - // stack: rounds, t0, t1, flag, retdest - - %blake2_hash_value_addr - %add_const(7) - %rep 8 - // stack: addr, ... - DUP1 - // stack: addr, addr, ... - MLOAD_GENERAL - // stack: val, addr, ... - SWAP1 - // stack: addr, val, ... - %decrement - %endrep - // stack: addr, h_0, ..., h_7, rounds, t0, t1, flag, retdest - POP - // stack: h_0, ..., h_7, rounds, t0, t1, flag, retdest - - // Store the initial 16 values of the internal state. - %blake2_internal_state_addr - // stack: start, h_0, ..., h_7, rounds, t0, t1, flag, retdest - - // First eight words of the internal state: current hash value h_0, ..., h_7. - %rep 8 - DUP1 - SWAP2 - MSTORE_GENERAL - %increment - %endrep - // stack: start + 8, rounds, t0, t1, flag, retdest - - // Next four values of the internal state: first four IV values. - PUSH 0 - // stack: 0, addr, rounds, t0, t1, flag, retdest - %rep 4 - // stack: i, addr, ... - DUP2 - DUP2 - // stack: i, addr, i, addr, ... - %blake2_iv - // stack: IV_i, addr, i, addr, ... - MSTORE_GENERAL - // stack: i, addr, ... - %increment - SWAP1 - %increment - SWAP1 - // stack: i + 1, addr + 1,... - %endrep - // stack: 4, start + 12, rounds, t0, t1, flag, retdest - POP - // stack: start + 12, rounds, t0, t1, flag, retdest - SWAP4 - // stack: flag, rounds, t0, t1, start + 12, retdest - %mul_const(0xFFFFFFFFFFFFFFFF) - // stack: invert_if_flag, rounds, t0, t1, start + 12, retdest - %stack (inv, r, t0, t1, s) -> (4, s, t0, t1, inv, 0, r) - // stack: 4, start + 12, t0, t1, invert_if_flag, 0, rounds, retdest - - // Last four values of the internal state: last four IV values, XOR'd with - // the values (t0, t1, invert_if_flag, 0). - %rep 4 - // stack: i, addr, val, next_val,... - DUP2 - DUP2 - // stack: i, addr, i, addr, val, next_val,... - %blake2_iv - // stack: IV_i, addr, i, addr, val, next_val,... - DUP5 - // stack: val, IV_i, addr, i, addr, val, next_val,... - XOR - // stack: val ^ IV_i, addr, i, addr, val, next_val,... - MSTORE_GENERAL - // stack: i, addr, val, next_val,... - %increment - // stack: i + 1, addr, val, next_val,... - SWAP2 - // stack: val, addr, i + 1, next_val,... - POP - // stack: addr, i + 1, next_val,... - %increment - // stack: addr + 1, i + 1, next_val,... - SWAP1 - // stack: i + 1, addr + 1, next_val,... - %endrep - // stack: 8, start + 16, rounds, retdest - %pop2 - // stack: rounds, retdest - - // Run rounds of G functions. - PUSH g_functions_return - // stack: g_functions_return, rounds, retdest - SWAP1 - // stack: rounds, g_functions_return, retdest - %blake2_internal_state_addr - // stack: start, rounds, g_functions_return, retdest - PUSH 0 - // stack: current_round=0, start, rounds, g_functions_return, retdest - %jump(run_rounds_g_function) -g_functions_return: - // Finalize hash value. - // stack: retdest - PUSH hash_generate_return - // stack: hash_generate_return, retdest - %jump(blake2_generate_all_hash_values) -hash_generate_return: - // stack: h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', retdest - %stack (h: 8, retdest) -> (retdest, h) - // stack: retdest, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7' - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/blake2/blake2b.asm b/evm/src/cpu/kernel/asm/hash/blake2/blake2b.asm deleted file mode 100644 index e3daed263e..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/blake2b.asm +++ /dev/null @@ -1,14 +0,0 @@ -global blake2b: - // stack: virt, num_bytes, retdest - DUP2 - // stack: num_bytes, virt, num_bytes, retdest - %ceil_div_const(128) - // stack: num_blocks, virt, num_bytes, retdest - DUP2 - // stack: virt, num_blocks, virt, num_bytes, retdest - %mstore_current_general - // stack: virt, num_bytes, retdest - %add_const(1) - %mstore_current_general - // stack: retdest - %jump(blake2_compression) diff --git a/evm/src/cpu/kernel/asm/hash/blake2/compression.asm b/evm/src/cpu/kernel/asm/hash/blake2/compression.asm deleted file mode 100644 index ba9ffc1343..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/compression.asm +++ /dev/null @@ -1,265 +0,0 @@ -global blake2_compression: - // stack: retdest - PUSH 0 - // stack: cur_block = 0, retdest - PUSH compression_loop - // stack: compression_loop, cur_block, retdest - %jump(blake2_initial_hash_value) -compression_loop: - // stack: h_0, ..., h_7, cur_block, retdest - - // Store the hash values. - %blake2_hash_value_addr - // stack: addr, h_0, ..., h_7, cur_block, retdest - %rep 8 - SWAP1 - DUP2 - %mstore_current_general - %increment - %endrep - - // stack: addr, cur_block, retdest - POP - // stack: cur_block, retdest - PUSH 1 - PUSH 0 - %mload_current_general - // stack: num_blocks, 1, cur_block, retdest - SUB - // stack: num_blocks - 1, cur_block, retdest - DUP2 - // stack: cur_block, num_blocks - 1, cur_block, retdest - EQ - // stack: is_last_block, cur_block, retdest - SWAP1 - // stack: cur_block, is_last_block, retdest - PUSH 1 - %mload_current_general - // stack: num_bytes, cur_block, is_last_block, retdest - - // Calculate t counter value. - DUP3 - // stack: is_last_block, num_bytes, cur_block, is_last_block, retdest - MUL - // stack: is_last_block * num_bytes, cur_block, is_last_block, retdest - DUP2 - // stack: cur_block, is_last_block * num_bytes, cur_block, is_last_block, retdest - %increment - %block_size - // stack: (cur_block + 1) * 128, is_last_block * num_bytes, cur_block, is_last_block, retdest - DUP4 - // stack: is_last_block, (cur_block + 1) * 128, is_last_block * num_bytes, cur_block, is_last_block, retdest - ISZERO - // stack: not_last_block, (cur_block + 1) * 128, is_last_block * num_bytes, cur_block, is_last_block, retdest - MUL - // stack: not_last_block * ((cur_block + 1) * 128), is_last_block * num_bytes, cur_block, is_last_block, retdest - ADD - // stack: t = not_last_block * ((cur_block + 1) * 128) + is_last_block * num_bytes, cur_block, is_last_block, retdest - SWAP1 - // stack: cur_block, t, is_last_block, retdest - DUP1 - // stack: cur_block, cur_block, t, is_last_block, retdest - %block_size - %add_const(2) - // stack: cur_block_start_byte, t, cur_block, is_last_block, retdest - - // Copy the message from the input space to the message working space. - %blake2_message_addr - // stack: message_addr, cur_block_start_byte, t, cur_block, is_last_block, retdest - %rep 16 - // stack: cur_message_addr, cur_block_byte, ... - DUP2 - // stack: cur_block_byte, cur_message_addr, cur_block_byte, ... - %mload_current_general_u64_LE - // stack: m_i, cur_message_addr, cur_block_byte, ... - DUP2 - // stack: cur_message_addr, m_i, cur_message_addr, cur_block_byte, ... - %mstore_current_general - // stack: cur_message_addr, cur_block_byte, ... - %increment - // stack: cur_message_addr + 1, cur_block_byte, ... - SWAP1 - // stack: cur_block_byte, cur_message_addr + 1, ... - %add_const(8) - // stack: cur_block_byte + 8, cur_message_addr + 1, ... - SWAP1 - // stack: cur_message_addr + 1, cur_block_byte + 8, ... - %endrep - // stack: end_message_addr, end_block_start_byte, t, cur_block, is_last_block, retdest - %pop2 - // stack: t, cur_block, is_last_block, retdest - SWAP1 - // stack: cur_block, t, is_last_block, retdest - SWAP2 - // stack: is_last_block, t, cur_block, retdest - %mul_const(0xFFFFFFFFFFFFFFFF) - // stack: invert_if_last_block, t, cur_block, retdest - %blake2_hash_value_addr - %add_const(7) - %rep 8 - // stack: addr, ... - DUP1 - // stack: addr, addr, ... - %mload_current_general - // stack: val, addr, ... - SWAP1 - // stack: addr, val, ... - %decrement - %endrep - // stack: addr, h_0, ..., h_7, invert_if_last_block, t, cur_block, retdest - POP - // stack: h_0, ..., h_7, invert_if_last_block, t, cur_block, retdest - - // Store the initial 16 values of the internal state. - %blake2_internal_state_addr - // stack: start, h_0, ..., h_7, invert_if_last_block, t, cur_block, retdest - - // First eight words of the internal state: current hash value h_0, ..., h_7. - %rep 8 - SWAP1 - DUP2 - %mstore_current_general - %increment - %endrep - // stack: start + 8, invert_if_last_block, t, cur_block, retdest - - // Next four values of the internal state: first four IV values. - PUSH 0 - // stack: 0, start + 8, invert_if_last_block, t, cur_block, retdest - %rep 4 - // stack: i, loc, ... - DUP1 - // stack: i, i, loc, ... - %blake2_iv - // stack: IV_i, i, loc, ... - DUP3 - // stack: loc, IV_i, i, loc, ... - %mstore_current_general - // stack: i, loc, ... - %increment - SWAP1 - %increment - SWAP1 - // stack: i + 1, loc + 1,... - %endrep - // stack: 4, start + 12, invert_if_last_block, t, cur_block, retdest - %stack (i, loc, inv, last, t) -> (t, t, i, loc, inv, last) - // stack: t, t, 4, start + 12, invert_if_last_block, cur_block, retdest - %shr_const(64) - // stack: t_hi = t >> 64, t, 4, start + 12, invert_if_last_block, cur_block, retdest - SWAP1 - // stack: t, t_hi, 4, start + 12, invert_if_last_block, cur_block, retdest - %mod_const(0x10000000000000000) - // stack: t_lo = t % (1 << 64), t_hi, 4, start + 12, invert_if_last_block, cur_block, retdest - %stack (t_lo, t_hi, i, loc, inv) -> (i, loc, t_lo, t_hi, inv, 0) - // stack: 4, start + 12, t_lo, t_hi, invert_if_last_block, 0, cur_block, retdest - - // Last four values of the internal state: last four IV values, XOR'd with - // the values (t % 2**64, t >> 64, invert_if, 0). - %rep 4 - // stack: i, loc, val, next_val,... - DUP1 - // stack: i, i, loc, val, next_val,... - %blake2_iv - // stack: IV_i, i, loc, val, next_val,... - DUP4 - // stack: val, IV_i, i, loc, val, next_val,... - XOR - // stack: val ^ IV_i, i, loc, val, next_val,... - DUP3 - // stack: loc, val ^ IV_i, i, loc, val, next_val,... - %mstore_current_general - // stack: i, loc, val, next_val,... - %increment - // stack: i + 1, loc, val, next_val,... - SWAP2 - // stack: val, loc, i + 1, next_val,... - POP - // stack: loc, i + 1, next_val,... - %increment - // stack: loc + 1, i + 1, next_val,... - SWAP1 - // stack: i + 1, loc + 1, next_val,... - %endrep - // stack: 8, loc + 16, cur_block, retdest - %pop2 - // stack: cur_block, retdest - - // Run 12 rounds of G functions. - PUSH g_functions_return - // stack: g_functions_return, cur_block, retdest - PUSH 12 - %blake2_internal_state_addr - // stack: start, 12, g_functions_return, cur_block, retdest - PUSH 0 - // stack: current_round=0, start, 12, g_functions_return, cur_block, retdest - %jump(run_rounds_g_function) -g_functions_return: - // Finalize hash value. - // stack: cur_block, retdest - PUSH hash_generate_return - // stack: hash_generate_return, cur_block, retdest - %jump(blake2_generate_all_hash_values) -hash_generate_return: - // stack: h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block, retdest - DUP9 - // stack: cur_block, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block, retdest - %increment - // stack: cur_block + 1, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block, retdest - SWAP9 - // stack: cur_block, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - %increment - // stack: cur_block + 1, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - PUSH 0 - %mload_current_general - // stack: num_blocks, cur_block + 1, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - GT - // stack: not_last_block, h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - %jumpi(compression_loop) -compression_end: - // stack: h_0', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - - // Invert the bytes of each hash value. - %reverse_bytes_u64 - // stack: h_0'', h_1', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - SWAP1 - // stack: h_1', h_0'', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_1'', h_0'', h_2', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - SWAP2 - // stack: h_2', h_0'', h_1'', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_2'', h_0'', h_1'', h_3', h_4', h_5', h_6', h_7', cur_block + 1, retdest - SWAP3 - // stack: h_3', h_0'', h_1'', h_2'', h_4', h_5', h_6', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_3'', h_0'', h_1'', h_2'', h_4', h_5', h_6', h_7', cur_block + 1, retdest - SWAP4 - // stack: h_4', h_0'', h_1'', h_2'', h_3'', h_5', h_6', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_4'', h_0'', h_1'', h_2'', h_3'', h_5', h_6', h_7', cur_block + 1, retdest - SWAP5 - // stack: h_5', h_0'', h_1'', h_2'', h_3'', h_4'', h_6', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_5'', h_0'', h_1'', h_2'', h_3'', h_4'', h_6', h_7', cur_block + 1, retdest - SWAP6 - // stack: h_6', h_0'', h_1'', h_2'', h_3'', h_4'', h_5'', h_7', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_6'', h_0'', h_1'', h_2'', h_3'', h_4'', h_5'', h_7', cur_block + 1, retdest - SWAP7 - // stack: h_7', h_0'', h_1'', h_2'', h_3'', h_4'', h_5'', h_6'', cur_block + 1, retdest - %reverse_bytes_u64 - // stack: h_7'', h_0'', h_1'', h_2'', h_3'', h_4'', h_5'', h_6'', cur_block + 1, retdest - %stack (h_7, h_s: 7) -> (h_s, h_7) - // stack: h_0'', h_1'', h_2'', h_3'', h_4'', h_5'', h_6'', h_7'', cur_block + 1, retdest - - // Combine hash values. - %u64s_to_u256 - // stack: h_0'' || h_1'' || h_2'' || h_3'', h_4'', h_5'', h_6'', h_7'', cur_block + 1, retdest - %stack (first, second: 4, cur) -> (second, first) - // stack: h_4'', h_5'', h_6'', h_7'', h_0'' || h_1'' || h_2'' || h_3'', retdest - %u64s_to_u256 - // stack: hash_second = h_4'' || h_5'' || h_6'' || h_7'', hash_first = h_0'' || h_1'' || h_2'' || h_3'', retdest - %stack (second, first, ret) -> (ret, second, first) - // stack: retdest, hash_first, hash_second - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/blake2/g_functions.asm b/evm/src/cpu/kernel/asm/hash/blake2/g_functions.asm deleted file mode 100644 index d521da6d80..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/g_functions.asm +++ /dev/null @@ -1,175 +0,0 @@ -%macro blake2_g_function - // Function to mix two input words, x and y, into the four words indexed by a, b, c, d (which - // are in the range 0..16) in the internal state. - // The internal state is stored in memory starting at the address start. - // stack: a, b, c, d, x, y, start - DUP4 - DUP4 - DUP4 - DUP4 - // stack: a, b, c, d, a, b, c, d, x, y, start - DUP11 - // stack: start, a, b, c, d, a, b, c, d, x, y, start - ADD - MLOAD_GENERAL - // stack: v[a], b, c, d, a, b, c, d, x, y, start - SWAP1 - // stack: b, v[a], c, d, a, b, c, d, x, y, start - DUP11 - // stack: start, b, v[a], c, d, a, b, c, d, x, y, start - ADD - MLOAD_GENERAL - // stack: v[b], v[a], c, d, a, b, c, d, x, y, start - SWAP2 - // stack: c, v[a], v[b], d, a, b, c, d, x, y, start - DUP11 - // stack: start, c, v[a], v[b], d, a, b, c, d, x, y, start - ADD - MLOAD_GENERAL - // stack: v[c], v[a], v[b], d, a, b, c, d, x, y, start - SWAP3 - // stack: d, v[a], v[b], v[c], a, b, c, d, x, y, start - DUP11 - // stack: start, d, v[a], v[b], v[c], a, b, c, d, x, y, start - ADD - MLOAD_GENERAL - // stack: v[d], v[a], v[b], v[c], a, b, c, d, x, y, start - %stack (vd, vs: 3) -> (vs, vd) - // stack: v[a], v[b], v[c], v[d], a, b, c, d, x, y, start - DUP2 - // stack: v[b], v[a], v[b], v[c], v[d], a, b, c, d, x, y, start - DUP10 - // stack: x, v[b], v[a], v[b], v[c], v[d], a, b, c, d, x, y, start - ADD - ADD - %as_u64 - // stack: v[a]' = (v[a] + v[b] + x) % 2^64, v[b], v[c], v[d], a, b, c, d, x, y, start - %stack (a, b, c, d) -> (a, d, a, b, c, d) - // stack: v[a]', v[d], v[a]', v[b], v[c], v[d], a, b, c, d, x, y, start - XOR - %rotr_64(32) - // stack: v[d]' = (v[d] ^ v[a]') >>> 32, v[a]', v[b], v[c], v[d], a, b, c, d, x, y, start - %stack (top: 4, vd) -> (top) - // stack: v[d]', v[a]', v[b], v[c], a, b, c, d, x, y, start - %stack (d, a, b, c) -> (c, d, a, b, d) - // stack: v[c], v[d]', v[a]', v[b], v[d]', a, b, c, d, x, y, start - ADD - %as_u64 - // stack: v[c]' = (v[c] + v[d]') % 2^64, v[a]', v[b], v[d]', a, b, c, d, x, y, start - %stack (c, a, b, d) -> (b, c, a, c, d) - // stack: v[b], v[c]', v[a]', v[c]', v[d]', a, b, c, d, x, y, start - XOR - %rotr_64(24) - // stack: v[b]' = (v[b] ^ v[c]') >>> 24, v[a]', v[c]', v[d]', a, b, c, d, x, y, start - SWAP1 - // stack: v[a]', v[b]', v[c]', v[d]', a, b, c, d, x, y, start - DUP2 - // stack: v[b]', v[a]', v[b]', v[c]', v[d]', a, b, c, d, x, y, start - DUP11 - // stack: y, v[b]', v[a]', v[b]', v[c]', v[d]', a, b, c, d, x, y, start - ADD - ADD - %as_u64 - // stack: v[a]'' = (v[a]' + v[b]' + y) % 2^64, v[b]', v[c]', v[d]', a, b, c, d, x, y, start - SWAP3 - // stack: v[d]', v[b]', v[c]', v[a]'', a, b, c, d, x, y, start - DUP4 - // stack: v[a]'', v[d]', v[b]', v[c]', v[a]'', a, b, c, d, x, y, start - XOR - %rotr_64(16) - // stack: v[d]'' = (v[a]'' ^ v[d]') >>> 8, v[b]', v[c]', v[a]'', a, b, c, d, x, y, start - SWAP2 - // stack: v[c]', v[b]', v[d]'', v[a]'', a, b, c, d, x, y, start - DUP3 - // stack: v[d]'', v[c]', v[b]', v[d]'', v[a]'', a, b, c, d, x, y, start - ADD - %as_u64 - // stack: v[c]'' = (v[c]' + v[d]'') % 2^64, v[b]', v[d]'', v[a]'', a, b, c, d, x, y, start - DUP1 - // stack: v[c]'', v[c]'', v[b]', v[d]'', v[a]'', a, b, c, d, x, y, start - SWAP2 - // stack: v[b]', v[c]'', v[c]'', v[d]'', v[a]'', a, b, c, d, x, y, start - XOR - %rotr_64(63) - // stack: v[b]'' = (v[b]' ^ v[c]'') >>> 7, v[c]'', v[d]'', v[a]'', a, b, c, d, x, y, start - %stack (vb, vc, vd, va, a, b, c, d, x, y, start) -> (start, a, va, start, b, vb, start, c, vc, start, d, vd) - // stack: start, a, v[a]'', start, b, v[b]'', start, c, v[c]'', start, d, v[d]'' - ADD - %swap_mstore - ADD - %swap_mstore - ADD - %swap_mstore - ADD - %swap_mstore -%endmacro - -%macro call_blake2_g_function(a, b, c, d, x_idx, y_idx) - // stack: round, start - PUSH $y_idx - DUP2 - // stack: round, y_idx, round, start - %blake2_permutation - // stack: s[y_idx], round, start - %blake2_message_addr - ADD - MLOAD_GENERAL - // stack: m[s[y_idx]], round, start - PUSH $x_idx - DUP3 - // stack: round, 2, m[s[y_idx]], round, start - %blake2_permutation - // stack: s[x_idx], m[s[y_idx]], round, start - %blake2_message_addr - ADD - MLOAD_GENERAL - // stack: m[s[x_idx]], m[s[y_idx]], round, start - %stack (ss: 2, r, s) -> (ss, s, r, s) - // stack: m[s[x_idx]], m[s[y_idx]], start, round, start - PUSH $d - PUSH $c - PUSH $b - PUSH $a - // stack: a, b, c, d, m[s[x_idx]], m[s[y_idx]], start, round, start - %blake2_g_function - // stack: round, start -%endmacro - -run_g_function_round: - // stack: round, start, retdest - %call_blake2_g_function(0, 4, 8, 12, 0, 1) - %call_blake2_g_function(1, 5, 9, 13, 2, 3) - %call_blake2_g_function(2, 6, 10, 14, 4, 5) - %call_blake2_g_function(3, 7, 11, 15, 6, 7) - %call_blake2_g_function(0, 5, 10, 15, 8, 9) - %call_blake2_g_function(1, 6, 11, 12, 10, 11) - %call_blake2_g_function(2, 7, 8, 13, 12, 13) - %call_blake2_g_function(3, 4, 9, 14, 14, 15) - %stack (r, s, ret) -> (ret, r, s) - // stack: retdest, round, start - JUMP - -global run_rounds_g_function: - // stack: current_round, start, rounds, retdest - DUP3 - // stack: rounds, current_round, start, rounds, retdest - DUP2 - // stack: current_round, rounds, current_round, start, rounds, retdest - EQ - %jumpi(run_rounds_g_function_end) - // stack: current_round, start, rounds, retdest - PUSH run_rounds_g_function_return - // stack: run_rounds_g_function_return, current_round, start, rounds, retdest - %stack (ret, r, s) -> (r, s, ret) - // stack: current_round, start, run_rounds_g_function_return, rounds, retdest - %jump(run_g_function_round) -run_rounds_g_function_return: - // stack: round, start, rounds, retdest - %increment - // stack: round + 1, start, rounds, retdest - %jump(run_rounds_g_function) -run_rounds_g_function_end: - // stack: current_round, start, rounds, retdest - %pop3 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/blake2/hash.asm b/evm/src/cpu/kernel/asm/hash/blake2/hash.asm deleted file mode 100644 index ab0d247633..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/hash.asm +++ /dev/null @@ -1,55 +0,0 @@ -// Generate a new hash value from the previous hash value and two elements of the internal state. -blake2_generate_new_hash_value: - // stack: i, retdest - %blake2_hash_value_addr - // stack: addr, i, retdest - DUP2 - ADD - MLOAD_GENERAL - // stack: h_i, i, retdest - %blake2_internal_state_addr - // stack: addr, h_i, i, retdest - DUP3 - ADD - MLOAD_GENERAL - // stack: v_i, h_i, i, retdest - %blake2_internal_state_addr - // stack: addr, v_i, h_i, i, retdest - SWAP1 - // stack: v_i, addr, h_i, i, retdest - SWAP3 - // stack: i, addr, h_i, v_i, retdest - ADD - %add_const(8) - MLOAD_GENERAL - // stack: v_(i+8), h_i, v_i, retdest - XOR - XOR - // stack: h_i' = v_(i+8) ^ v_i ^ h_i, retdest - SWAP1 - JUMP - -global blake2_generate_all_hash_values: - // stack: retdest - PUSH 8 - // stack: i=8, retdest -blake2_generate_hash_loop: - // stack: i, h_i', ..., h_7', retdest - %decrement - // stack: i-1, h_i', ..., h_7', retdest - PUSH blake2_generate_hash_return - // stack: blake2_generate_hash_return, i-1, h_i', ..., h_7', retdest - DUP2 - // stack: i-1, blake2_generate_hash_return, i-1, h_i', ..., h_7', retdest - %jump(blake2_generate_new_hash_value) -blake2_generate_hash_return: - // stack: h_(i-1)', i-1, h_i', ..., h_7', retdest - SWAP1 - // stack: i-1, h_(i-1)', h_i', ..., h_7', retdest - DUP1 - // stack: i-1, i-1, h_(i-1)', ..., h_7', retdest - %jumpi(blake2_generate_hash_loop) - // stack: i-1=0, h_0', ..., h_7', retdest - %stack (i, h: 8, ret) -> (ret, h) - // stack: retdest, h_0'...h_7' - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/blake2/iv.asm b/evm/src/cpu/kernel/asm/hash/blake2/iv.asm deleted file mode 100644 index 72058ae4ad..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/iv.asm +++ /dev/null @@ -1,95 +0,0 @@ -global blake2_iv_const: - // IV constants (big-endian) - - // IV_0 - BYTES 106, 9, 230, 103 - BYTES 243, 188, 201, 8 - - // IV_1 - BYTES 187, 103, 174, 133 - BYTES 132, 202, 167, 59 - - // IV_2 - BYTES 60, 110, 243, 114 - BYTES 254, 148, 248, 43 - - // IV_3 - BYTES 165, 79, 245, 58 - BYTES 95, 29, 54, 241 - - // IV_4 - BYTES 81, 14, 82, 127 - BYTES 173, 230, 130, 209 - - // IV_5 - BYTES 155, 5, 104, 140 - BYTES 43, 62, 108, 31 - - // IV_6 - BYTES 31, 131, 217, 171 - BYTES 251, 65, 189, 107 - - // IV_7 - BYTES 91, 224, 205, 25 - BYTES 19, 126, 33, 121 - -global blake2_iv: - // stack: i, retdest - PUSH blake2_iv_const - // stack: blake2_iv_const, i, retdest - SWAP1 - // stack: i, blake2_iv_const, retdest - %mul_const(8) - ADD - // stack: blake2_iv_const + 2 * i, retdest - DUP1 - // stack: blake2_iv_const + 2 * i, blake2_iv_const + 2 * i, retdest - %add_const(4) - // stack: blake2_iv_const + 2 * i + 1, blake2_iv_const + 2 * i, retdest - %mload_kernel_code_u32 - SWAP1 - %mload_kernel_code_u32 - // stack: IV_i[32:], IV_i[:32], retdest - %shl_const(32) - // stack: IV_i[32:] << 32, IV_i[:32], retdest - ADD // OR - // stack: IV_i, retdest - SWAP1 - JUMP - -%macro blake2_iv - %stack (i) -> (i, %%after) - %jump(blake2_iv) -%%after: -%endmacro - -// Load the initial hash value (the IV, but with params XOR'd into the first word). -global blake2_initial_hash_value: - // stack: retdest - PUSH 8 - // stack: i=8, retdest -blake2_initial_hash_loop: - // stack: i, IV_i, ..., IV_7, retdest - %decrement - // stack: i-1, IV_i, ..., IV_7, retdest - PUSH blake2_initial_hash_return - // stack: blake2_initial_hash_return, i-1, IV_i, ..., IV_7, retdest - DUP2 - // stack: i-1, blake2_initial_hash_return, i-1, IV_i, ..., IV_7, retdest - %jump(blake2_iv) -blake2_initial_hash_return: - // stack: IV_(i-1), i-1, IV_i, ..., IV_7, retdest - SWAP1 - // stack: i-1, IV_(i-1), IV_i, ..., IV_7, retdest - DUP1 - // stack: i-1, i-1, IV_(i-1), ..., IV_7, retdest - %jumpi(blake2_initial_hash_loop) - // stack: i-1=0, IV_0, ..., IV_7, retdest - POP - // stack: IV_0, ..., IV_7, retdest - PUSH 0x01010040 // params: key = 00, digest_size = 64 = 0x40 - XOR - // stack: IV_0 ^ params, IV_1, IV_2, IV_3, IV_4, IV_5, IV_6, IV_7, retdest - %stack(iv: 8, ret) -> (ret, iv) - JUMP - diff --git a/evm/src/cpu/kernel/asm/hash/blake2/ops.asm b/evm/src/cpu/kernel/asm/hash/blake2/ops.asm deleted file mode 100644 index 2b40db7f66..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/ops.asm +++ /dev/null @@ -1,21 +0,0 @@ -// 64-bit right rotation -%macro rotr_64(rot) - // stack: value - PUSH $rot - // stack: rot, value - DUP2 - DUP2 - // stack: rot, value, rot, value - SHR - // stack: value >> rot, rot, value - %stack (shifted, rot, value) -> (rot, value, shifted) - // stack: rot, value, value >> rot - PUSH 64 - SUB - // stack: 64 - rot, value, value >> rot - SHL - // stack: value << (64 - rot), value >> rot - %as_u64 - // stack: (value << (64 - rot)) % (1 << 64), value >> rot - ADD -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/blake2/permutations.asm b/evm/src/cpu/kernel/asm/hash/blake2/permutations.asm deleted file mode 100644 index 44070b7ae6..0000000000 --- a/evm/src/cpu/kernel/asm/hash/blake2/permutations.asm +++ /dev/null @@ -1,85 +0,0 @@ -global permutation_0_constants: - BYTES 0, 1, 2, 3 - BYTES 4, 5, 6, 7 - BYTES 8, 9, 10, 11 - BYTES 12, 13, 14, 15 - -global permutation_1_constants: - BYTES 14, 10, 4, 8 - BYTES 9, 15, 13, 6 - BYTES 1, 12, 0, 2 - BYTES 11, 7, 5, 3 - -global permutation_2_constants: - BYTES 11, 8, 12, 0 - BYTES 5, 2, 15, 13 - BYTES 10, 14, 3, 6 - BYTES 7, 1, 9, 4 - -global permutation_3_constants: - BYTES 7, 9, 3, 1 - BYTES 13, 12, 11, 14 - BYTES 2, 6, 5, 10 - BYTES 4, 0, 15, 8 - -global permutation_4_constants: - BYTES 9, 0, 5, 7 - BYTES 2, 4, 10, 15 - BYTES 14, 1, 11, 12 - BYTES 6, 8, 3, 13 - -global permutation_5_constants: - BYTES 2, 12, 6, 10 - BYTES 0, 11, 8, 3 - BYTES 4, 13, 7, 5 - BYTES 15, 14, 1, 9 - -global permutation_6_constants: - BYTES 12, 5, 1, 15 - BYTES 14, 13, 4, 10 - BYTES 0, 7, 6, 3 - BYTES 9, 2, 8, 11 - -global permutation_7_constants: - BYTES 13, 11, 7, 14 - BYTES 12, 1, 3, 9 - BYTES 5, 0, 15, 4 - BYTES 8, 6, 2, 10 - -global permutation_8_constants: - BYTES 6, 15, 14, 9 - BYTES 11, 3, 0, 8 - BYTES 12, 2, 13, 7 - BYTES 1, 4, 10, 5 - -global permutation_9_constants: - BYTES 10, 2, 8, 4 - BYTES 7, 6, 1, 5 - BYTES 15, 11, 9, 14 - BYTES 3, 12, 13, 0 - -global blake2_permutation: - // stack: i, round, retdest - PUSH permutation_0_constants - // stack: permutation_0_constants, i, round, retdest - SWAP2 - // stack: round, i, permutation_0_constants, retdest - %mod_const(10) - // stack: round % 10, i, permutation_0_constants, retdest - %mul_const(16) - ADD - ADD - %mload_kernel_code - // stack: permutation_(round%10)_constants[i], retdest - SWAP1 - JUMP - -%macro blake2_permutation - // stack: round, i - PUSH %%after - // stack: %%after, round, i - SWAP2 - // stack: i, round, %%after - %jump(blake2_permutation) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/box.asm b/evm/src/cpu/kernel/asm/hash/ripemd/box.asm deleted file mode 100644 index 6cb16c6e8a..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/box.asm +++ /dev/null @@ -1,96 +0,0 @@ -/// Note that we unpack STATE: 5 to a, b, c, d, e -/// All additions are u32 -/// -/// def box(a, b, c, d, e, F, K): -/// -/// box = get_box(sides, rounds, boxes) -/// a += F(b, c, d) -/// r = load(r)(box) -/// x = load_offset(r) -/// a += x + K -/// s = load(s)(box) -/// a = rol(s, a) -/// a += e -/// c = rol(10, c) -/// -/// return e, a, b, c, d, F, K - -global box: - // stack: a, b, c, d, e, F, K, boxes, rounds, sides, virt - PUSH pre_rol - DUP5 - DUP5 - DUP5 - DUP10 - // stack: F, b, c, d, pre_rol, a, b, c, d, e, F, K, boxes, rounds, sides, virt - JUMP -pre_rol: - // stack: F(b, c, d), a, b, c, d, e, F, K, boxes, rounds, sides, virt - ADD - // stack: a, b, c, d, e, F, K, boxes, rounds, sides, virt - %get_box - // stack: box, a, b, c, d, e, F, K, boxes, rounds, sides, virt - DUP12 - DUP2 - %mload_kernel_code(r_data) - ADD - // stack: virt + r, box, a, b, c, d, e, F, K, boxes, rounds, sides, virt - %mload_current_general_u32_LE - // stack: x, box, a, b, c, d, e, F, K, boxes, rounds, sides, virt - SWAP1 - SWAP2 - // stack: a, x, box, b, c, d, e, F, K, boxes, rounds, sides, virt - ADD - DUP8 - ADD - %as_u32 - // stack: a, box, b, c, d, e, F, K, boxes, rounds, sides, virt - PUSH mid_rol - SWAP2 - // stack: box, a, mid_rol, b, c, d, e, F, K, boxes, rounds, sides, virt - %mload_kernel_code(s_data) - // stack: s, a, mid_rol, b, c, d, e, F, K, boxes, rounds, sides, virt - %jump(rol) -mid_rol: - // stack: a, b, c, d, e, F, K, boxes, rounds, sides, virt - DUP5 - // stack: e, a, b, c, d, e, F, K, boxes, rounds, sides, virt - ADD - %as_u32 - // stack: a, b, c, d, e, F, K, boxes, rounds, sides, virt - %stack (a, b, c) -> (10, c, post_rol, a, b) - // stack: 10, c, post_rol, a, b, d, e, F, K, boxes, rounds, sides, virt - %jump(rol) -post_rol: - // stack: c, a, b, d, e, F, K, boxes , rounds, sides, virt - %stack (c, a, b, d, e, F, K, boxes) -> (boxes, 1, a, b, c, d, F, K, e) - // stack: boxes, 1, a, b, c, d, F, K, e, rounds, sides, virt - SUB - SWAP7 - // stack: e, a, b, c, d, F, K, boxes-1, rounds, sides, virt - %jump(round) - - -%macro get_round - // stack: sides , rounds - %mul_const(5) - PUSH 10 - SUB - SUB - // stack: 10 - 5*sides - rounds -%endmacro - -%macro get_box - // stack: ARGS: 7, boxes, rounds, sides - DUP10 - %mul_const(80) - DUP10 - %mul_const(16) - DUP10 - // stack: boxes , 16*rounds , 80*sides, ARGS: 7, boxes, rounds, sides - PUSH 176 - SUB - SUB - SUB - // stack: 176 - boxes - 16*rounds - 80*sides, ARGS: 7, boxes, rounds, sides -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/compression.asm b/evm/src/cpu/kernel/asm/hash/ripemd/compression.asm deleted file mode 100644 index a83bf8322a..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/compression.asm +++ /dev/null @@ -1,160 +0,0 @@ -/// _block is stored in memory: its address virt stays on the stack -/// def compress(STATE: 5, _block): -/// -/// STATEL = STATE -/// STATEL = loop(STATEL) -/// -/// STATER = state -/// STATER = loop(STATER) -/// -/// return mix(STATER, STATEL, STATE) -/// -/// -/// def mix(STATER, STATEL, STATE): -/// return -/// u32(s1 + l2 + r3), -/// u32(s2 + l3 + r4), -/// u32(s3 + l4 + r0), -/// u32(s4 + l0 + r1), -/// u32(s0 + l1 + r2) -/// -/// where si, li, ri, oi, VR, RD respectively denote -/// STATE[i], STATEL[i], STATER[i], OUTPUT[i], virt, retdest - -global compress: - // stack: STATE, virt, retdest - PUSH switch - DUP7 - %stack () -> (0, 0, 16, 5, 1) - // stack: 0, 0, 16, 5, 1, virt, switch, STATE, virt, retdest - DUP12 - DUP12 - DUP12 - DUP12 - DUP12 - // stack: STATE, 0, 0, 16, 5, 1, virt, switch, STATE, virt, retdest - %jump(loop) -switch: - // stack: STATEL, STATE, virt, retdest - PUSH mix - DUP12 - %stack () -> (16, 5, 0) - // stack: 16, 5, 0, virt, mix, STATEL, STATE, virt, retdest - DUP15 - DUP15 - DUP15 - DUP15 - DUP15 - // stack: STATE, 16, 5, 0, virt, mix, STATEL, STATE, virt, retdest - %stack (STATE: 5) -> (STATE, 0, 0) - // stack: STATE, 0, 0, 16, 5, 0, virt, mix, STATEL, STATE, virt, retdest - %jump(loop) -mix: - // stack: r0, r1, r2, r3, r4, l0, l1, l2, l3, l4, s0, s1, s2, s3, s4, VR, RD - SWAP10 - // stack: s0, r1, r2, r3, r4, l0, l1, l2, l3, l4, r0, s1, s2, s3, s4, VR, RD - SWAP1 - // stack: r1, s0, r2, r3, r4, l0, l1, l2, l3, l4, r0, s1, s2, s3, s4, VR, RD - SWAP6 - // stack: l1, s0, r2, r3, r4, l0, r1, l2, l3, l4, r0, s1, s2, s3, s4, VR, RD - %add3_u32 - // stack: o4, r3, r4, l0, r1, l2, l3, l4, r0, s1, s2, s3, s4, VR, RD - SWAP14 - // stack: RD, r3, r4, l0, r1, l2, l3, l4, r0, s1, s2, s3, s4, VR, o4 - SWAP11 - // stack: s3, r3, r4, l0, r1, l2, l3, l4, r0, s1, s2, RD, s4, VR, o4 - SWAP10 - // stack: s2, r3, r4, l0, r1, l2, l3, l4, r0, s1, s3, RD, s4, VR, o4 - SWAP1 - // stack: r3, s2, r4, l0, r1, l2, l3, l4, r0, s1, s3, RD, s4, VR, o4 - SWAP6 - // stack: l3, s2, r4, l0, r1, l2, r3, l4, r0, s1, s3, RD, s4, VR, o4 - %add3_u32 - // stack: o1, l0, r1, l2, r3, l4, r0, s1, s3, RD, s4, VR, o4 - SWAP9 - // stack: RD, l0, r1, l2, r3, l4, r0, s1, s3, o1, s4, VR, o4 - SWAP10 - // stack: s4, l0, r1, l2, r3, l4, r0, s1, s3, o1, RD, VR, o4 - %add3_u32 - // stack: o3, l2, r3, l4, r0, s1, s3, o1, RD, VR, o4 - SWAP9 - // stack: VR, l2, r3, l4, r0, s1, s3, o1, RD, o3, o4 - SWAP5 - // stack: s1, l2, r3, l4, r0, VR, s3, o1, RD, o3, o4 - %add3_u32 - // stack: o0, l4, r0, VR, s3, o1, RD, o3, o4 - SWAP4 - // stack: s3, l4, r0, VR, o0, o1, RD, o3, o4 - %add3_u32 - // stack: o2, VR, o0, o1, RD, o3, o4 - SWAP4 - // stack: RD, VR, o0, o1, o2, o3, o4 - SWAP1 - // stack: VR, RD, o0, o1, o2, o3, o4 - POP - // stack: RD, o0, o1, o2, o3, o4 - JUMP - - -/// def loop(STATE: 5): -/// while rounds: -/// update_round_vars() -/// round(STATE: 5, F, K, rounds, sides) -/// -/// def update_round_vars(): -/// F = load(F)(sides, rounds) -/// K = load(K)(sides, rounds) -/// -/// def round(STATE, rounds, sides): -/// while boxes: -/// box(STATE, F, K) -/// boxes -= 1 -/// boxes = 16 -/// rounds -= 1 - -loop: - // stack: STATE, F, K, 16, rounds, sides, virt, retdest - DUP9 - // stack: round, STATE, F, K, 16, rounds, sides, virt, retdest - %jumpi(update_round_vars) - // stack: STATE, F, K, 16, 0, sides, virt, retdest - %stack (STATE: 5, F, K, boxes, rounds, sides, virt, retdest) -> (retdest, STATE) - // stack: retdest, STATE - JUMP -update_round_vars: - // stack: STATE, F , K , 16, rounds, sides, virt, retdest - DUP9 - DUP11 - %get_round - DUP1 - // stack: rnd, rnd, STATE, F , K , 16, rounds, sides, virt, retdest - SWAP7 - POP - %push_f - SWAP7 - // stack: rnd, rnd, STATE, F', K , 16, rounds, sides, virt, retdest - SWAP8 - POP - %mload_kernel_code_u32(k_data) - SWAP7 - POP - // stack: STATE, F', K', 16, rounds, sides, virt, retdest - %jump(round) -global round: - // stack: STATE, F, K, boxes, rounds , sides, virt, retdest - DUP8 - // stack: boxes, STATE, F, K, boxes, rounds , sides, virt, retdest - %jumpi(box) - // stack: STATE, F, K, 0, rounds , sides, virt, retdest - SWAP7 - POP - PUSH 16 - SWAP7 - // stack: STATE, F, K, 16, rounds , sides, virt, retdest - PUSH 1 - DUP10 - SUB - SWAP9 - POP - // stack: STATE, F, K, 16, rounds-1, sides, virt, retdest - %jump(loop) diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/constants.asm b/evm/src/cpu/kernel/asm/hash/ripemd/constants.asm deleted file mode 100644 index 7a8959feda..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/constants.asm +++ /dev/null @@ -1,117 +0,0 @@ -global k_data: - // Left - BYTES 0x00, 0x00, 0x00, 0x00 - BYTES 0x5A, 0x82, 0x79, 0x99 - BYTES 0x6E, 0xD9, 0xEB, 0xA1 - BYTES 0x8F, 0x1B, 0xBC, 0xDC - BYTES 0xA9, 0x53, 0xFD, 0x4E - // Right - BYTES 0x50, 0xA2, 0x8B, 0xE6 - BYTES 0x5C, 0x4D, 0xD1, 0x24 - BYTES 0x6D, 0x70, 0x3E, 0xF3 - BYTES 0x7A, 0x6D, 0x76, 0xE9 - BYTES 0x00, 0x00, 0x00, 0x00 - -global s_data: - // Left Round 0 - BYTES 11, 14, 15, 12 - BYTES 05, 08, 07, 09 - BYTES 11, 13, 14, 15 - BYTES 06, 07, 09, 08 - // Left Round 1 - BYTES 07, 06, 08, 13 - BYTES 11, 09, 07, 15 - BYTES 07, 12, 15, 09 - BYTES 11, 07, 13, 12 - // Left Round 2 - BYTES 11, 13, 06, 07 - BYTES 14, 09, 13, 15 - BYTES 14, 08, 13, 06 - BYTES 05, 12, 07, 05 - // Left Round 3 - BYTES 11, 12, 14, 15 - BYTES 14, 15, 09, 08 - BYTES 09, 14, 05, 06 - BYTES 08, 06, 05, 12 - // Left Round 4 - BYTES 09, 15, 05, 11 - BYTES 06, 08, 13, 12 - BYTES 05, 12, 13, 14 - BYTES 11, 08, 05, 06 - // Right Round 0 - BYTES 08, 09, 09, 11 - BYTES 13, 15, 15, 05 - BYTES 07, 07, 08, 11 - BYTES 14, 14, 12, 06 - // Right Round 1 - BYTES 09, 13, 15, 07 - BYTES 12, 08, 09, 11 - BYTES 07, 07, 12, 07 - BYTES 06, 15, 13, 11 - // Right Round 2 - BYTES 09, 07, 15, 11 - BYTES 08, 06, 06, 14 - BYTES 12, 13, 05, 14 - BYTES 13, 13, 07, 05 - // Right Round 3 - BYTES 15, 05, 08, 11 - BYTES 14, 14, 06, 14 - BYTES 06, 09, 12, 09 - BYTES 12, 05, 15, 08 - // Right Round 4 - BYTES 08, 05, 12, 09 - BYTES 12, 05, 14, 06 - BYTES 08, 13, 06, 05 - BYTES 15, 13, 11, 11 - -global r_data: - // Left Round 0 - BYTES 00, 04, 08, 12 - BYTES 16, 20, 24, 28 - BYTES 32, 36, 40, 44 - BYTES 48, 52, 56, 60 - // Left Round 1 - BYTES 28, 16, 52, 04 - BYTES 40, 24, 60, 12 - BYTES 48, 00, 36, 20 - BYTES 08, 56, 44, 32 - // Left Round 2 - BYTES 12, 40, 56, 16 - BYTES 36, 60, 32, 04 - BYTES 08, 28, 00, 24 - BYTES 52, 44, 20, 48 - // Left Round 3 - BYTES 04, 36, 44, 40 - BYTES 00, 32, 48, 16 - BYTES 52, 12, 28, 60 - BYTES 56, 20, 24, 08 - // Left Round 4 - BYTES 16, 00, 20, 36 - BYTES 28, 48, 08, 40 - BYTES 56, 04, 12, 32 - BYTES 44, 24, 60, 52 - // Right Round 0 - BYTES 20, 56, 28, 00 - BYTES 36, 08, 44, 16 - BYTES 52, 24, 60, 32 - BYTES 04, 40, 12, 48 - // Right Round 1 - BYTES 24, 44, 12, 28 - BYTES 00, 52, 20, 40 - BYTES 56, 60, 32, 48 - BYTES 16, 36, 04, 08 - // Right Round 2 - BYTES 60, 20, 04, 12 - BYTES 28, 56, 24, 36 - BYTES 44, 32, 48, 08 - BYTES 40, 00, 16, 52 - // Right Round 3 - BYTES 32, 24, 16, 04 - BYTES 12, 44, 60, 00 - BYTES 20, 48, 08, 52 - BYTES 36, 28, 40, 56 - // Right Round 4 - BYTES 48, 60, 40, 16 - BYTES 04, 20, 32, 28 - BYTES 24, 08, 52, 56 - BYTES 00, 12, 36, 44 diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/functions.asm b/evm/src/cpu/kernel/asm/hash/ripemd/functions.asm deleted file mode 100644 index de2fdcf625..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/functions.asm +++ /dev/null @@ -1,150 +0,0 @@ -/// def rol(n, x): -/// return (u32(x << n)) | (x >> (32 - n)) - -global rol: - // stack: n, x, retdest - SWAP1 - DUP1 - DUP3 - // stack: n, x, x, n, retdest - PUSH 32 - SUB - // stack: 32-n, x, x, n, retdest - SHR - // stack: x >> (32-n), x, n, retdest - SWAP2 - // stack: n, x, x >> (32-n), retdest - SHL - // stack: x << n, x >> (32-n), retdest - %as_u32 - // stack: u32(x << n), x >> (32-n), retdest - ADD // OR - // stack: u32(x << n) | (x >> (32-n)), retdest - SWAP1 - JUMP - -// def push_f(rnd): -// Fs = [F0, F1, F2, F3, F4, F4, F3, F2, F1, F0] -// acc = 0 -// for i, F in enumerate(Fs): -// acc += (i==rnd)*F -// return acc, rnd -// -// %this_f(i,F) enacts -// acc += (i==rnd)*F - -%macro push_f - // stack: rnd - PUSH 0 - %this_f(0,F0) - %this_f(1,F1) - %this_f(2,F2) - %this_f(3,F3) - %this_f(4,F4) - %this_f(5,F4) - %this_f(6,F3) - %this_f(7,F2) - %this_f(8,F1) - %this_f(9,F0) - // stack: F, rnd -%endmacro - -%macro this_f(i, F) - // stack: acc, rnd - DUP2 - // stack: rnd , acc, rnd - %eq_const($i) - // stack: rnd==i , acc, rnd - %mul_const($F) - // stack: (rnd==i)*F , acc, rnd - ADD - // stack: (rnd==j)*F + acc, rnd -%endmacro - -/// def F0(x, y, z): -/// return x ^ y ^ z - -global F0: - // stack: x , y , z, retdest - XOR - // stack: x ^ y , z, retdest - XOR - // stack: x ^ y ^ z, retdest - SWAP1 - JUMP - -/// def F1(x, y, z): -/// return (x & y) | (u32(~x) & z) - -global F1: - // stack: x, y, z, retdest - DUP1 - // stack: x, x, y, z, retdest - SWAP2 - // stack: y, x, x, z, retdest - AND - // stack: y & x, x, z, retdest - SWAP2 - // stack: z, x, y & x , retdest - SWAP1 - // stack: x, z, y & x , retdest - %not_u32 - // stack: ~x, z, y & x , retdest - AND - // stack: ~x & z , y & x , retdest - OR - // stack: (~x & z) | (y & x), retdest - SWAP1 - JUMP - -/// def F2(x, y, z): -/// return (x | u32(~y)) ^ z - -global F2: - // stack: x , y, z, retdest - SWAP1 - // stack: y , x, z, retdest - %not_u32 - // stack: ~y , x , z, retdest - OR - // stack: ~y | x , z, retdest - XOR - // stack: (~y | x) ^ z, retdest - SWAP1 - JUMP - -/// def F3(x, y, z): -/// return (x & z) | (u32(~z) & y) - -global F3: - // stack: x, y , z , retdest - DUP3 - // stack: z , x, y , z , retdest - AND - // stack: z & x, y , z , retdest - SWAP2 - // stack: z, y, z & x , retdest - %not_u32 - // stack: ~z , y, z & x , retdest - AND - // stack: ~z & y, z & x , retdest - OR - // stack: (~z & y) | (z & x), retdest - SWAP1 - JUMP - -/// def F4(x, y, z): -/// return x ^ (y | u32(~z)) - -global F4: - // stack: x, y, z, retdest - SWAP2 - // stack: z, y, x, retdest - %not_u32 - // stack: ~z, y, x, retdest - OR - // stack: ~z | y, x, retdest - XOR - // stack: (~z | y) ^ x, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/main.asm b/evm/src/cpu/kernel/asm/hash/ripemd/main.asm deleted file mode 100644 index 19016127f9..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/main.asm +++ /dev/null @@ -1,131 +0,0 @@ -/// Variables beginning with _ are in memory -/// -/// def ripemd160(_input): -/// STATE, count, _buffer = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0], 0, [0]*64 -/// STATE, count, _buffer = ripemd_update(STATE, count, _buffer, len(input) , bytes = _input ) -/// STATE, count, _buffer = ripemd_update(STATE, count, _buffer, padlength(len(input)), bytes = [0x80]+[0]*63) -/// STATE, count, _buffer = ripemd_update(STATE, count, _buffer, 8, bytes = size(len(_input))) -/// return process(STATE) -/// -/// The hardcoded memory structure, where each register is only a byte, is given as follows -/// { 0-63: buffer, 64-71: bytes(8*len(_input)), 72-135: [0x80]+[0]*63 } -/// -/// ripemd_update receives and return the stack in the form: -/// stack: STATE, count, length, virt -/// where virt is the virtual address of the bytes argument -/// - -global ripemd: - // stack: virt, length - %stack (virt, length) -> (length, 0x80, virt, length) - // stack: length, 0x80, virt, length - - // stack: length - %shl_const(3) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(31, 64) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(30, 65) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(29, 66) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(28, 67) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(27, 68) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(26, 69) - // stack: abcdefgh - DUP1 - %extract_and_store_byte(25, 70) - // stack: abcdefgh - %extract_and_store_byte(24, 71) - - // stack: 0x80 - %mstore_current_general(72) - - // stack: virt, length - %stack (virt, length) -> ( 0, length, virt, ripemd_1, ripemd_2, process) - // stack: count = 0, length, virt, ripemd_1, ripemd_2, process - %stack () -> (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0) - // stack: STATE, count, length, virt, LABELS - %jump(ripemd_update) - -ripemd_1: - // stack: STATE, count, length , virt , LABELS - DUP7 - // stack: length, STATE, count, length , virt , LABELS - %padlength - // stack: padlength, STATE, count, length , virt , LABELS - SWAP7 - POP - // stack: STATE, count, length = padlength, virt , LABELS - %stack (STATE: 5, count, length, virt) -> (STATE, count, length, 72) - // STATE, count, length , virt = 72, LABELS - %jump(ripemd_update) -ripemd_2: - // stack: STATE, count, length , virt , LABELS - %stack (STATE: 5, count, length, virt) -> (STATE, count, 8, 64) - // stack: STATE, count, length = 8, virt = 64, LABELS - %jump(ripemd_update) -process: - // stack: a , b, c, d, e, count, length, virt - %reverse_bytes_u32 - %shl_const(128) - // stack: a', b, c, d, e, VARS - SWAP1 - %reverse_bytes_u32 - %shl_const(96) - ADD // OR - // stack: b' a', c, d, e, VARS - SWAP1 - %reverse_bytes_u32 - %shl_const(64) - ADD // OR - // stack: c' b' a', d, e, VARS - SWAP1 - %reverse_bytes_u32 - %shl_const(32) - ADD // OR - // stack: d' c' b' a', e, VARS - SWAP1 - %reverse_bytes_u32 - ADD // OR - // stack: e' d' c' b' a', VARS - %stack (result, VARS: 3, retdest) -> (retdest, result) - // stack: 0xdeadbeef, result - JUMP - - -/// def padlength(length): -/// t = length % 64 -/// return 56 + 64*(t > 55) - t - -%macro padlength - // stack: count - %mod_const(64) - // stack: t = count % 64 - PUSH 55 - DUP2 - // stack: t , 55 , t - GT - // stack: t > 55 , t - %mul_const(64) - %add_const(56) - // stack: 56 + 64*(t > 55), t - SUB -%endmacro - -%macro extract_and_store_byte(byte, offset) - // stack: xs - PUSH $byte - BYTE - // stack: xs[byte] - %mstore_current_general($offset) - // stack: -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/ripemd/update.asm b/evm/src/cpu/kernel/asm/hash/ripemd/update.asm deleted file mode 100644 index c5783cc71d..0000000000 --- a/evm/src/cpu/kernel/asm/hash/ripemd/update.asm +++ /dev/null @@ -1,134 +0,0 @@ -/// ripemd_update will receive and return the stack in the form: -/// stack: STATE, count, length, virt -/// -/// def ripemd_update(state, count, buffer, length, bytestring): -/// have = (count // 8) % 64 -/// need = 64 - have -/// shift = 0 -/// P = length >= need and have -/// Q = length >= need -/// if P: -/// update_1() -/// if Q: -/// update_2() -/// R = length > shift -/// if R: -/// buffer_update(virt + shift, have, length - shift) -/// -/// return state, count + 8*length, buffer - -global ripemd_update: - // stack: STATE, count, length, virt, retdest - %stack (STATE: 5, count, length, virt) -> (count, 8, 64, STATE, count, length, virt) - DIV - MOD - // stack: have, STATE, count, length, virt, retdest - DUP1 - PUSH 64 - SUB - PUSH 0 - // stack: shift, need, have, STATE, count, length, virt, retdest - %stack (shift, need, have, STATE: 5, count, length) -> (length, need, STATE, shift, need, have, count, length) - // stack: length, need, STATE, shift, need, have, count, length, virt, retdest - LT - ISZERO - // stack: Q, STATE, shift, need, have, count, length, virt, retdest - %stack (Q, STATE: 5, shift, need, have) -> (have, Q, Q, STATE, shift, need, have) - %gt_const(0) - AND - // stack: P, Q, STATE, shift, need, have, count, length, virt, retdest - %jumpi(update_1) - // stack: Q, STATE, shift, need, have, count, length, virt, retdest - %jumpi(update_2) -final_update: - // stack: STATE, shift, need, have, count, length, virt, retdest - %stack (STATE: 5, shift, need, have, count, length) -> (length, shift, return_step, STATE, shift, need, have, count, length) - SUB - // stack: ARGS: 2, STATE, shift, need, have, count, length, virt, retdest - %stack (ARGS: 2, STATE: 5, shift, need, have, count, length, virt) -> (shift, virt, have, ARGS, STATE, shift, need, have, count, length, virt) - ADD - // stack: ARGS: 4, STATE, shift, need, have, count, length, virt, retdest - %stack (ARGS: 4, STATE: 5, shift, need, have, count, length) -> (length, shift, ARGS, STATE, shift, need, have, count, length) - GT - // stack: R, ARGS: 4, STATE, shift, need, have, count, length, virt, retdest - %jumpi(buffer_update) - // stack: ARGS: 4, STATE, shift, need, have, count, length, virt, retdest - %pop3 - JUMP -return_step: - // stack: STATE, shift, need, have, count, length, virt, retdest - SWAP8 - DUP10 - %mul_const(8) - ADD - SWAP8 - // stack: STATE, shift, need, have, count, length, virt, retdest - %stack (STATE: 5, shift, need, have, count, length, virt, retdest) -> (retdest, STATE, count, length, virt) - JUMP - - -/// def update_1(): -/// buffer_update(virt, have, need) -/// shift = need -/// have = 0 -/// state = compress(state, buffer) - -update_1: - // stack: Q, STATE, shift, need, have, count, length, virt, retdest - %stack (Q, STATE: 5, shift, need, have, count, length, virt) -> (virt, have, need, update_1a, STATE, shift, need, have, count, length, virt) - %jump(buffer_update) -update_1a: - // stack: STATE, shift, need, have, count, length, virt, retdest - %stack (STATE: 5, shift, need, have) -> (STATE, 0, update_2, need, need, 0) - // stack: STATE, 0, update_2, shift = need, need, have = 0, count, length, virt, retdest - %jump(compress) - -/// def update_2(): -/// while length >= shift + 64: -/// shift += 64 -/// state = compress(state, bytestring[shift-64:]) - -update_2: - // stack: STATE, shift, need, have, count, length, virt, retdest - %stack (STATE: 5, shift, need, have, count, length) -> (64, shift, length, STATE, shift, need, have, count, length) - ADD - GT - // stack: cond, STATE, shift, need, have, count, length, virt, retdest - %jumpi(final_update) - SWAP5 - %add_const(64) - SWAP5 - %stack (STATE: 5, shift) -> (shift, 64, STATE, shift) - DUP13 - ADD - SUB - // stack: offset, STATE, shift, need, have, count, length, virt, retdest - %stack (offset, STATE: 5) -> (STATE, offset, update_2) - // stack: STATE, offset, update_2, shift, need, have, count, length, virt, retdest - %jump(compress) - - -/// def buffer_update(get, set, times): -/// for i in range(times): -/// buffer[set+i] = bytestring[get+i] - -buffer_update: - // stack: get , set , times , retdest - DUP2 - DUP2 - // stack: get, set, get , set , times , retdest - %mupdate_current_general - // stack: get , set , times , retdest - %increment - SWAP1 - %increment - SWAP1 - SWAP2 - %decrement - SWAP2 - // stack: get+1, set+1, times-1, retdest - DUP3 - %jumpi(buffer_update) - // stack: get , set , 0 , retdest - %pop3 - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/sha2/compression.asm b/evm/src/cpu/kernel/asm/hash/sha2/compression.asm deleted file mode 100644 index a9467a00bc..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/compression.asm +++ /dev/null @@ -1,159 +0,0 @@ -// We use memory starting at 320 * num_blocks + 2 (after the message schedule -// space) as scratch space to store stack values. -%macro scratch_space_addr_from_num_blocks - // stack: num_blocks - %mul_const(320) - %add_const(2) - %build_current_general_address -%endmacro - -global sha2_compression: - // stack: message_schedule_addr, retdest - // Push the initial hash values; these constants are called H^(0) in the spec. - PUSH 0x1f83d9ab // H^(0)_6 - PUSH 0x9b05688c // H^(0)_5 - PUSH 0x510e527f // H^(0)_4 - PUSH 0xa54ff53a // H^(0)_3 - PUSH 0x3c6ef372 // H^(0)_2 - PUSH 0xbb67ae85 // H^(0)_1 - PUSH 0x6a09e667 // H^(0)_0 - PUSH 0x5be0cd19 // H^(0)_7 - // stack: h[0], a[0], b[0], c[0], d[0], e[0], f[0], g[0], message_schedule_addr, retdest - SWAP8 - // stack: message_schedule_addr, a[0], b[0], c[0], d[0], e[0], f[0], g[0], h[0], retdest - PUSH 0 - // stack: i=0, message_schedule_addr, a[0]..h[0], retdest - SWAP1 - // stack: message_schedule_addr, i=0, a[0]..h[0], retdest - %mload_current_general_no_offset - // stack: num_blocks, message_schedule_addr, i=0, a[0]..h[0], retdest - DUP1 - // stack: num_blocks, num_blocks, message_schedule_addr, i=0, a[0]..h[0], retdest - %scratch_space_addr_from_num_blocks - // stack: scratch_space_addr, num_blocks, message_schedule_addr, i=0, a[0]..h[0], retdest - SWAP1 - // stack: num_blocks, scratch_space_addr, message_schedule_addr, i=0, a[0]..h[0], retdest -compression_start_block: - // We keep the current values of the working variables saved at the end of the stack. - // These are the "initial values" to be added back in at the end of this block. - // stack: num_blocks, scratch_space_addr, message_schedule_addr, i=0, a[0]..h[0], retdest - %rep 8 - DUP12 - %endrep - // stack: a[0], b[0], c[0], d[0], e[0], f[0], g[0], h[0], num_blocks, scratch_space_addr, message_schedule_addr, i=0, a[0]..h[0], retdest -compression_loop: - // Update the eight working variables, using the next constant K[i] and the next message schedule chunk W[i]. - // stack: a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP11 - // stack: message_schedule_addr, a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP13 - // stack: i, message_schedule_addr, a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %mul_const(4) - // stack: 4*i, message_schedule_addr, a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - ADD - // stack: message_schedule_addr + 4*i, a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %mload_u32 - // stack: W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - PUSH sha2_constants_k - // stack: sha2_constants_k, W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP14 - // stack: i, sha2_constants_k, W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %mul_const(4) - // stack: 4*i, sha2_constants_k, W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - ADD - // stack: sha2_constants_k + 4*i, W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %mload_kernel_code_u32 - // stack: K[i], W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP10 - DUP10 - DUP10 - DUP10 - // stack: e[i], f[i], g[i], h[i], K[i], W[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %sha2_temp_word1 - // stack: T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP4 - DUP4 - DUP4 - // stack: a[i], b[i], c[i], T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %sha2_temp_word2 - // stack: T2[i], T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP6 - // stack: d[i], T2[i], T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP3 - // stack: T1[i], d[i], T2[i], T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %add_u32 - // stack: e[i+1]=T1[i]+d[i], T2[i], T1[i], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - SWAP2 - // stack: T2[i], T1[i], e[i+1], a[i], b[i], c[i], d[i], e[i], f[i], g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %add_u32 - // stack: a[i+1]=T1[i]+T2[i], e[i+1], b[i+1]=a[i], c[i+1]=b[i], d[i+1]=c[i], d[i], f[i+1]=e[i], g[i+1]=f[i], h[i+1]=g[i], h[i], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %stack (a, e, b, c, d, old_d, f, g, h, old_h) -> (a, b, c, d, e, f, g, h) - // stack: a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP12 - // stack: i, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %increment - // stack: i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP1 - // stack: i+1, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - %eq_const(64) - // stack: i+1==64, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP1 - // stack: i+1==64, i+1==64, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - DUP12 - // stack: num_blocks, i+1==64, i+1==64, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - SUB - // stack: num_blocks new, i+1==64, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]..h[0], retdest - SWAP13 - // stack: message_schedule_addr, i+1==64, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, num_blocks new, i, a[0]..h[0], retdest - SWAP1 - // stack: i+1==64, message_schedule_addr, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, num_blocks new, i, a[0]..h[0], retdest - %mul_const(256) - // stack: (i+1==64)*256, message_schedule_addr, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, num_blocks new, i, a[0]..h[0], retdest - ADD - // stack: message_schedule_addr new, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, num_blocks new, i, a[0]..h[0], retdest - SWAP12 - // stack: num_blocks new, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks, scratch_space_addr, message_schedule_addr new, i, a[0]..h[0], retdest - SWAP10 - // stack: num_blocks, i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, i, new_a[0]..h[0], retdest - POP - // stack: i+1, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, i, new_a[0]..h[0], retdest - %and_const(63) - // stack: (i+1)%64, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, i, a[0]..h[0], retdest - SWAP12 - // stack: i, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, (i+1)%64, a[0]..h[0], retdest - POP - // stack: a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, (i+1)%64, a[0]..h[0], retdest - DUP12 - // stack: (i+1)%64, a[i+1], b[i+1], c[i+1], d[i+1], e[i+1], f[i+1], g[i+1], h[i+1], num_blocks new, scratch_space_addr, message_schedule_addr new, (i+1)%64, a[0]..h[0], retdest - %jumpi(compression_loop) -compression_end_block: - // Add the initial values of the eight working variables (from the start of this block's compression) back into them. - // stack: a[64], b[64], c[64], d[64], e[64], f[64], g[64], h[64], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0], b[0], c[0], d[0], e[0], f[0], g[0], h[0], retdest - PUSH 0 - // stack: 0, a[64], b[64], c[64], d[64], e[64], f[64], g[64], h[64], num_blocks, scratch_space_addr, message_schedule_addr, i, a[0], b[0], c[0], d[0], e[0], f[0], g[0], h[0], retdest - %rep 8 - SWAP13 - %add_u32 - SWAP12 - %endrep - // stack: 0, num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - POP - // stack: num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - DUP1 - // stack: num_blocks, num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - ISZERO - // In this case, we've finished all the blocks. - %jumpi(compression_end) - // stack: num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - %jump(compression_start_block) -compression_end: - // stack: num_blocks, scratch_space_addr, message_schedule_addr, i, a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - %pop4 - // stack: a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64], retdest - %rep 7 - %shl_const(32) - ADD // OR - %endrep - // stack: sha2_result = concat(a[0]+a[64], b[0]+b[64], c[0]+c[64], d[0]+d[64], e[0]+e[64], f[0]+f[64], g[0]+g[64], h[0]+h[64]), retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/hash/sha2/constants.asm b/evm/src/cpu/kernel/asm/hash/sha2/constants.asm deleted file mode 100644 index 6ce4d907b2..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/constants.asm +++ /dev/null @@ -1,65 +0,0 @@ -global sha2_constants_k: - BYTES 66, 138, 47, 152 - BYTES 113, 55, 68, 145 - BYTES 181, 192, 251, 207 - BYTES 233, 181, 219, 165 - BYTES 57, 86, 194, 91 - BYTES 89, 241, 17, 241 - BYTES 146, 63, 130, 164 - BYTES 171, 28, 94, 213 - BYTES 216, 7, 170, 152 - BYTES 18, 131, 91, 1 - BYTES 36, 49, 133, 190 - BYTES 85, 12, 125, 195 - BYTES 114, 190, 93, 116 - BYTES 128, 222, 177, 254 - BYTES 155, 220, 6, 167 - BYTES 193, 155, 241, 116 - BYTES 228, 155, 105, 193 - BYTES 239, 190, 71, 134 - BYTES 15, 193, 157, 198 - BYTES 36, 12, 161, 204 - BYTES 45, 233, 44, 111 - BYTES 74, 116, 132, 170 - BYTES 92, 176, 169, 220 - BYTES 118, 249, 136, 218 - BYTES 152, 62, 81, 82 - BYTES 168, 49, 198, 109 - BYTES 176, 3, 39, 200 - BYTES 191, 89, 127, 199 - BYTES 198, 224, 11, 243 - BYTES 213, 167, 145, 71 - BYTES 6, 202, 99, 81 - BYTES 20, 41, 41, 103 - BYTES 39, 183, 10, 133 - BYTES 46, 27, 33, 56 - BYTES 77, 44, 109, 252 - BYTES 83, 56, 13, 19 - BYTES 101, 10, 115, 84 - BYTES 118, 106, 10, 187 - BYTES 129, 194, 201, 46 - BYTES 146, 114, 44, 133 - BYTES 162, 191, 232, 161 - BYTES 168, 26, 102, 75 - BYTES 194, 75, 139, 112 - BYTES 199, 108, 81, 163 - BYTES 209, 146, 232, 25 - BYTES 214, 153, 6, 36 - BYTES 244, 14, 53, 133 - BYTES 16, 106, 160, 112 - BYTES 25, 164, 193, 22 - BYTES 30, 55, 108, 8 - BYTES 39, 72, 119, 76 - BYTES 52, 176, 188, 181 - BYTES 57, 28, 12, 179 - BYTES 78, 216, 170, 74 - BYTES 91, 156, 202, 79 - BYTES 104, 46, 111, 243 - BYTES 116, 143, 130, 238 - BYTES 120, 165, 99, 111 - BYTES 132, 200, 120, 20 - BYTES 140, 199, 2, 8 - BYTES 144, 190, 255, 250 - BYTES 164, 80, 108, 235 - BYTES 190, 249, 163, 247 - BYTES 198, 113, 120, 242 diff --git a/evm/src/cpu/kernel/asm/hash/sha2/main.asm b/evm/src/cpu/kernel/asm/hash/sha2/main.asm deleted file mode 100644 index 53967f8a17..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/main.asm +++ /dev/null @@ -1,56 +0,0 @@ -global sha2: - // stack: virt, num_bytes, retdest - %build_current_general_address - // stack: addr, num_bytes, retdest - DUP1 SWAP2 - // stack: num_bytes, addr, addr, retdest - MSTORE_GENERAL - // stack: addr, retdest - - -// Precondition: input is in memory, starting at addr of kernel general segment, of the form -// num_bytes, x[0], x[1], ..., x[num_bytes - 1] -// Postcodition: output is in memory, starting at 0, of the form -// num_blocks, block0[0], ..., block0[63], block1[0], ..., blocklast[63] -global sha2_pad: - // stack: addr, retdest - MLOAD_GENERAL - // stack: num_bytes, retdest - // STEP 1: append 1 - // insert 128 (= 1 << 7) at x[num_bytes+1] - // stack: num_bytes, retdest - PUSH 0x80 - // stack: 128, num_bytes, retdest - DUP2 - // stack: num_bytes, 128, num_bytes, retdest - %increment - // stack: num_bytes+1, 128, num_bytes, retdest - %mstore_current_general - // stack: num_bytes, retdest - // STEP 2: calculate num_blocks := (num_bytes+8)//64 + 1 - DUP1 - // stack: num_bytes, num_bytes, retdest - %add_const(8) - %shr_const(6) - - %increment - // stack: num_blocks = (num_bytes+8)//64 + 1, num_bytes, retdest - // STEP 3: calculate length := num_bytes*8 - SWAP1 - // stack: num_bytes, num_blocks, retdest - %mul_const(8) - // stack: length = num_bytes*8, num_blocks, retdest - // STEP 4: write length to x[num_blocks*64-7..num_blocks*64] - DUP2 - // stack: num_blocks, length, num_blocks, retdest - %mul_const(64) - // stack: last_addr = num_blocks*64, length, num_blocks, retdest - %sha2_write_length - // stack: num_blocks, retdest - DUP1 - // stack: num_blocks, num_blocks, retdest - // STEP 5: write num_blocks to x[0] - %mstore_current_general_no_offset - // stack: num_blocks, retdest - %message_schedule_addr_from_num_blocks - %jump(sha2_gen_all_message_schedules) diff --git a/evm/src/cpu/kernel/asm/hash/sha2/message_schedule.asm b/evm/src/cpu/kernel/asm/hash/sha2/message_schedule.asm deleted file mode 100644 index 66fa67a9b7..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/message_schedule.asm +++ /dev/null @@ -1,219 +0,0 @@ -// We put the message schedule in memory starting at 64 * num_blocks + 2. -%macro message_schedule_addr_from_num_blocks - // stack: num_blocks - %mul_const(64) - %add_const(2) - %build_current_general_address -%endmacro - -// Precondition: stack contains address of one message block, followed by output address -// Postcondition: 256 bytes starting at given output address contain the 64 32-bit chunks -// of message schedule (in four-byte increments) -gen_message_schedule_from_block: - // stack: block_addr, output_addr, retdest - DUP1 - // stack: block_addr, block_addr, output_addr, retdest - %add_const(32) - // stack: block_addr + 32, block_addr, output_addr, retdest - SWAP1 - // stack: block_addr, block_addr + 32, output_addr, retdest - %mload_u256 - // stack: block[0], block_addr + 32, output_addr, retdest - SWAP1 - // stack: block_addr + 32, block[0], output_addr, retdest - %mload_u256 - // stack: block[1], block[0], output_addr, retdest - SWAP2 - // stack: output_addr, block[0], block[1], retdest - %add_const(28) - PUSH 8 - // stack: counter=8, output_addr + 28, block[0], block[1], retdest -gen_message_schedule_from_block_0_loop: - // Split the first half (256 bits) of the block into the first eight (32-bit) chunks of the message sdchedule. - // stack: counter, output_addr, block[0], block[1], retdest - SWAP2 - // stack: block[0], output_addr, counter, block[1], retdest - DUP1 - // stack: block[0], block[0], output_addr, counter, block[1], retdest - %shr_const(32) - // stack: block[0] >> 32, block[0], output_addr, counter, block[1], retdest - SWAP1 - // stack: block[0], block[0] >> 32, output_addr, counter, block[1], retdest - %as_u32 - // stack: block[0] % (1 << 32), block[0] >> 32, output_addr, counter, block[1], retdest - DUP3 - // stack: output_addr, block[0] % (1 << 32), block[0] >> 32, output_addr, counter, block[1], retdest - %mstore_u32 - // stack: block[0] >> 32, output_addr, counter, block[1], retdest - SWAP1 - // stack: output_addr, block[0] >> 32, counter, block[1], retdest - %sub_const(4) - // stack: output_addr - 4, block[0] >> 32, counter, block[1], retdest - SWAP1 - // stack: block[0] >> 32, output_addr - 4, counter, block[1], retdest - SWAP2 - // stack: counter, output_addr - 4, block[0] >> 32, block[1], retdest - %decrement - DUP1 - %jumpi(gen_message_schedule_from_block_0_loop) -gen_message_schedule_from_block_0_end: - // stack: old counter=0, output_addr, block[0], block[1], retdest - POP - // stack: output_addr, block[0], block[1], retdest - %stack (out, b0, b1) -> (out, 8, b1, b0) - // stack: output_addr, counter=8, block[1], block[0], retdest - %add_const(64) - // stack: output_addr + 64, counter, block[1], block[0], retdest - SWAP1 - // stack: counter, output_addr + 64, block[1], block[0], retdest -gen_message_schedule_from_block_1_loop: - // Split the second half (256 bits) of the block into the next eight (32-bit) chunks of the message sdchedule. - // stack: counter, output_addr, block[1], block[0], retdest - SWAP2 - // stack: block[1], output_addr, counter, block[0], retdest - DUP1 - // stack: block[1], block[1], output_addr, counter, block[0], retdest - %shr_const(32) - // stack: block[1] >> 32, block[1], output_addr, counter, block[0], retdest - SWAP1 - // stack: block[1], block[1] >> 32, output_addr, counter, block[0], retdest - %as_u32 - // stack: block[1] % (1 << 32), block[1] >> 32, output_addr, counter, block[0], retdest - DUP3 - // stack: output_addr, block[1] % (1 << 32), block[1] >> 32, output_addr, counter, block[0], retdest - %mstore_u32 - // stack: block[1] >> 32, output_addr, counter, block[0], retdest - SWAP1 - // stack: output_addr, block[1] >> 32, counter, block[0], retdest - %sub_const(4) - // stack: output_addr - 4, block[1] >> 32, counter, block[0], retdest - SWAP1 - // stack: block[1] >> 32, output_addr - 4, counter, block[0], retdest - SWAP2 - // stack: counter, output_addr - 4, block[1] >> 32, block[0], retdest - %decrement - DUP1 - %jumpi(gen_message_schedule_from_block_1_loop) -gen_message_schedule_from_block_1_end: - // stack: old counter=0, output_addr, block[1], block[0], retdest - POP - // stack: output_addr, block[0], block[1], retdest - PUSH 48 - // stack: counter=48, output_addr, block[0], block[1], retdest - SWAP1 - // stack: output_addr, counter, block[0], block[1], retdest - %add_const(36) - // stack: output_addr + 36, counter, block[0], block[1], retdest - SWAP1 - // stack: counter, output_addr + 36, block[0], block[1], retdest -gen_message_schedule_remaining_loop: - // Generate the next 48 chunks of the message schedule, one at a time, from prior chunks. - // stack: counter, output_addr, block[0], block[1], retdest - SWAP1 - // stack: output_addr, counter, block[0], block[1], retdest - PUSH 8 - DUP2 - // stack: output_addr, 2*4, output_addr, counter, block[0], block[1], retdest - SUB - // stack: output_addr - 2*4, output_addr, counter, block[0], block[1], retdest - %mload_u32 - // stack: x[output_addr - 2*4], output_addr, counter, block[0], block[1], retdest - %sha2_sigma_1 - // stack: sigma_1(x[output_addr - 2*4]), output_addr, counter, block[0], block[1], retdest - SWAP1 - // stack: output_addr, sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - PUSH 28 - DUP2 - // stack: output_addr, 7*4, output_addr, sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SUB - // stack: output_addr - 7*4, output_addr, sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - %mload_u32 - // stack: x[output_addr - 7*4], output_addr, sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SWAP1 - // stack: output_addr, x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - PUSH 60 - DUP2 - // stack: output_addr, 15*4, output_addr, x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SUB - // stack: output_addr - 15*4, output_addr, x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - %mload_u32 - // stack: x[output_addr - 15*4], output_addr, x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - %sha2_sigma_0 - // stack: sigma_0(x[output_addr - 15*4]), output_addr, x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SWAP1 - // stack: output_addr, sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - PUSH 64 - DUP2 - // stack: output_addr, 16*4, output_addr, sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SUB - // stack: output_addr - 16*4, output_addr, sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - %mload_u32 - // stack: x[output_addr - 16*4], output_addr, sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SWAP1 - // stack: output_addr, x[output_addr - 16*4], sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], sigma_1(x[output_addr - 2*4]), counter, block[0], block[1], retdest - SWAP4 - // stack: sigma_1(x[output_addr - 2*4]), x[output_addr - 16*4], sigma_0(x[output_addr - 15*4]), x[output_addr - 7*4], output_addr, counter, block[0], block[1], retdest - %add_u32 - %add_u32 - %add_u32 - // stack: sigma_1(x[output_addr - 2*4]) + x[output_addr - 16*4] + sigma_0(x[output_addr - 15*4]) + x[output_addr - 7*4], output_addr, counter, block[0], block[1], retdest - DUP2 - // stack: output_addr, sigma_1(x[output_addr - 2*4]) + x[output_addr - 16*4] + sigma_0(x[output_addr - 15*4]) + x[output_addr - 7*4], output_addr, counter, block[0], block[1], retdest - %mstore_u32 - // stack: output_addr, counter, block[0], block[1], retdest - %add_const(4) - // stack: output_addr + 4, counter, block[0], block[1], retdest - SWAP1 - // stack: counter, output_addr + 4, block[0], block[1], retdest - %decrement - // stack: counter - 1, output_addr + 4, block[0], block[1], retdest - DUP1 - %jumpi(gen_message_schedule_remaining_loop) -gen_message_schedule_remaining_end: - // stack: counter=0, output_addr, block[0], block[1], retdest - %pop4 - JUMP - -// Precodition: memory, starting at 0, contains num_blocks, block0[0], ..., block0[63], block1[0], ..., blocklast[63] -// stack contains output_addr -// Postcondition: starting at output_addr, set of 256 bytes per block -// each contains the 64 32-bit chunks of the message schedule for that block (in four-byte increments) -global sha2_gen_all_message_schedules: - // stack: output_addr, retdest - DUP1 - // stack: output_addr, output_addr, retdest - %mload_current_general_no_offset - // stack: num_blocks, output_addr, output_addr, retdest - PUSH 1 - // stack: cur_offset = 1, counter = num_blocks, output_addr, output_addr, retdest - %build_current_general_address - // stack: cur_addr, counter, output_addr, output_addr, retdest -gen_all_message_schedules_loop: - // stack: cur_addr, counter, cur_output_addr, output_addr, retdest - PUSH gen_all_message_schedules_loop_end - // stack: new_retdest = gen_all_message_schedules_loop_end, cur_addr, counter, cur_output_addr, output_addr, retdest - DUP4 - // stack: cur_output_addr, new_retdest, cur_addr, counter, cur_output_addr, output_addr, retdest - DUP3 - // stack: cur_addr, cur_output_addr, new_retdest, cur_addr, counter, cur_output_addr, output_addr, retdest - %jump(gen_message_schedule_from_block) -gen_all_message_schedules_loop_end: - // stack: cur_addr, counter, cur_output_addr, output_addr, retdest - %add_const(64) - // stack: cur_addr + 64, counter, cur_output_addr, output_addr, retdest - SWAP1 - %decrement - SWAP1 - // stack: cur_addr + 64, counter - 1, cur_output_addr, output_addr, retdest - SWAP2 - %add_const(256) - SWAP2 - // stack: cur_addr + 64, counter - 1, cur_output_addr + 256, output_addr, retdest - DUP2 - // stack: counter - 1, cur_addr + 64, counter - 1, cur_output_addr + 256, output_addr, retdest - %jumpi(gen_all_message_schedules_loop) -gen_all_message_schedules_end: - // stack: cur_addr + 64, counter - 1, cur_output_addr + 256, output_addr, retdest - %pop3 - // stack: output_addr, retdest - %jump(sha2_compression) diff --git a/evm/src/cpu/kernel/asm/hash/sha2/ops.asm b/evm/src/cpu/kernel/asm/hash/sha2/ops.asm deleted file mode 100644 index d50e5c9a89..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/ops.asm +++ /dev/null @@ -1,143 +0,0 @@ -// 32-bit right rotation -%macro rotr(rot) - // stack: value - PUSH $rot - // stack: rot, value - DUP2 - DUP2 - // stack: rot, value, rot, value - SHR - // stack: value >> rot, rot, value - %stack (shifted, rot, value) -> (rot, value, shifted) - // stack: rot, value, value >> rot - PUSH 32 - SUB - // stack: 32 - rot, value, value >> rot - SHL - // stack: value << (32 - rot), value >> rot - %as_u32 - // stack: (value << (32 - rot)) % (1 << 32), value >> rot - ADD -%endmacro - -%macro sha2_sigma_0 - // stack: x - DUP1 - // stack: x, x - %rotr(7) - // stack: rotr(x, 7), x - SWAP1 - // stack: x, rotr(x, 7) - DUP1 - // stack: x, x, rotr(x, 7) - %rotr(18) - // stack: rotr(x, 18), x, rotr(x, 7) - SWAP1 - // stack: x, rotr(x, 18), rotr(x, 7) - %shr_const(3) - // stack: shr(x, 3), rotr(x, 18), rotr(x, 7) - XOR - XOR -%endmacro - -%macro sha2_sigma_1 - // stack: x - DUP1 - // stack: x, x - %rotr(17) - // stack: rotr(x, 17), x - SWAP1 - // stack: x, rotr(x, 17) - DUP1 - // stack: x, x, rotr(x, 17) - %rotr(19) - // stack: rotr(x, 19), x, rotr(x, 17) - SWAP1 - // stack: x, rotr(x, 19), rotr(x, 17) - PUSH 10 - SHR - // stack: shr(x, 10), rotr(x, 19), rotr(x, 17) - XOR - XOR -%endmacro - -%macro sha2_bigsigma_0 - // stack: x - DUP1 - // stack: x, x - %rotr(2) - // stack: rotr(x, 2), x - SWAP1 - // stack: x, rotr(x, 2) - DUP1 - // stack: x, x, rotr(x, 2) - %rotr(13) - // stack: rotr(x, 13), x, rotr(x, 2) - SWAP1 - // stack: x, rotr(x, 13), rotr(x, 2) - %rotr(22) - // stack: rotr(x, 22), rotr(x, 13), rotr(x, 2) - XOR - XOR -%endmacro - -%macro sha2_bigsigma_1 - // stack: x - DUP1 - // stack: x, x - %rotr(6) - // stack: rotr(x, 6), x - SWAP1 - // stack: x, rotr(x, 6) - DUP1 - // stack: x, x, rotr(x, 6) - %rotr(11) - // stack: rotr(x, 11), x, rotr(x, 6) - SWAP1 - // stack: x, rotr(x, 11), rotr(x, 6) - %rotr(25) - // stack: rotr(x, 25), rotr(x, 11), rotr(x, 6) - XOR - XOR -%endmacro - -%macro sha2_choice - // stack: x, y, z - DUP1 - // stack: x, x, y, z - NOT - // stack: not x, x, y, z - SWAP1 - // stack: x, not x, y, z - SWAP3 - // stack: z, not x, y, x - AND - // stack: (not x) and z, y, x - SWAP2 - // stack: x, y, (not x) and z - AND - // stack: x and y, (not x) and z - OR -%endmacro - -%macro sha2_majority - // stack: x, y, z - DUP1 - // stack: x, x, y, z - DUP3 - // stack: y, x, x, y, z - DUP5 - // stack: z, y, x, x, y, z - AND - // stack: z and y, x, x, y, z - SWAP4 - // stack: z, x, x, y, z and y - AND - // stack: z and x, x, y, z and y - SWAP2 - // stack: y, x, z and x, z and y - AND - // stack: y and x, z and x, z and y - OR - OR -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/sha2/temp_words.asm b/evm/src/cpu/kernel/asm/hash/sha2/temp_words.asm deleted file mode 100644 index ed610947f2..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/temp_words.asm +++ /dev/null @@ -1,32 +0,0 @@ -// "T_1" in the SHA-256 spec -%macro sha2_temp_word1 - // stack: e, f, g, h, K[i], W[i] - DUP1 - // stack: e, e, f, g, h, K[i], W[i] - %sha2_bigsigma_1 - // stack: Sigma_1(e), e, f, g, h, K[i], W[i] - %stack (sig, e, f, g) -> (e, f, g, sig) - // stack: e, f, g, Sigma_1(e), h, K[i], W[i] - %sha2_choice - // stack: Ch(e, f, g), Sigma_1(e), h, K[i], W[i] - %add_u32 - %add_u32 - %add_u32 - %add_u32 - // stack: Ch(e, f, g) + Sigma_1(e) + h + K[i] + W[i] -%endmacro - -// "T_2" in the SHA-256 spec -%macro sha2_temp_word2 - // stack: a, b, c - DUP1 - // stack: a, a, b, c - %sha2_bigsigma_0 - // stack: Sigma_0(a), a, b, c - SWAP3 - // stack: c, a, b, Sigma_0(a) - %sha2_majority - // stack: Maj(c, a, b), Sigma_0(a) - %add_u32 - // stack: Maj(c, a, b) + Sigma_0(a) -%endmacro diff --git a/evm/src/cpu/kernel/asm/hash/sha2/write_length.asm b/evm/src/cpu/kernel/asm/hash/sha2/write_length.asm deleted file mode 100644 index 9c2707b8d1..0000000000 --- a/evm/src/cpu/kernel/asm/hash/sha2/write_length.asm +++ /dev/null @@ -1,35 +0,0 @@ -%macro sha2_write_length - // stack: last_addr_offset, length - %build_current_general_address - SWAP1 - // stack: length, last_addr - DUP1 - // stack: length, length, last_addr - %and_const(0xff) - // stack: length % (1 << 8), length, last_addr - DUP3 - // stack: last_addr, length % (1 << 8), length, last_addr - %swap_mstore - - %rep 7 - // For i = 0 to 6 - // stack: length >> (8 * i), last_addr - i - 1 - SWAP1 - %decrement - SWAP1 - // stack: length >> (8 * i), last_addr - i - 2 - %shr_const(8) - // stack: length >> (8 * (i + 1)), last_addr - i - 2 - PUSH 256 - DUP2 - // stack: length >> (8 * (i + 1)), 256, length >> (8 * (i + 1)), last_addr - i - 2 - MOD - // stack: (length >> (8 * (i + 1))) % (1 << 8), length >> (8 * (i + 1)), last_addr - i - 2 - DUP3 - // stack: last_addr - i - 2, (length >> (8 * (i + 1))) % (1 << 8), length >> (8 * (i + 1)), last_addr - i - 2 - %swap_mstore - %endrep - - %pop2 - // stack: (empty) -%endmacro diff --git a/evm/src/cpu/kernel/asm/journal/account_created.asm b/evm/src/cpu/kernel/asm/journal/account_created.asm deleted file mode 100644 index 4748d5cbcb..0000000000 --- a/evm/src/cpu/kernel/asm/journal/account_created.asm +++ /dev/null @@ -1,13 +0,0 @@ -// struct AccountCreated { address } - -%macro journal_add_account_created - %journal_add_1(@JOURNAL_ENTRY_ACCOUNT_CREATED) -%endmacro - -global revert_account_created: - // stack: entry_type, ptr, retdest - POP - %journal_load_1 - // stack: address, retdest - %delete_account - JUMP diff --git a/evm/src/cpu/kernel/asm/journal/account_destroyed.asm b/evm/src/cpu/kernel/asm/journal/account_destroyed.asm deleted file mode 100644 index 3806a891dc..0000000000 --- a/evm/src/cpu/kernel/asm/journal/account_destroyed.asm +++ /dev/null @@ -1,32 +0,0 @@ -// struct AccountDestroyed { address, target, prev_balance } - -%macro journal_add_account_destroyed - %journal_add_3(@JOURNAL_ENTRY_ACCOUNT_DESTROYED) -%endmacro - -global revert_account_destroyed: - // stack: entry_type, ptr, retdest - POP - %journal_load_3 - // stack: address, target, prev_balance, retdest - PUSH revert_account_destroyed_contd DUP2 - %jump(remove_selfdestruct_list) -revert_account_destroyed_contd: - // stack: address, target, prev_balance, retdest - SWAP1 - // Remove `prev_balance` from `target`'s balance. - // stack: target, address, prev_balance, retdest - %mpt_read_state_trie - %add_const(1) - // stack: target_balance_ptr, address, prev_balance, retdest - DUP3 - DUP2 %mload_trie_data - // stack: target_balance, prev_balance, target_balance_ptr, address, prev_balance, retdest - SUB SWAP1 %mstore_trie_data - // Set `address`'s balance to `prev_balance`. - // stack: address, prev_balance, retdest - %mpt_read_state_trie - %add_const(1) - %mstore_trie_data - JUMP - diff --git a/evm/src/cpu/kernel/asm/journal/account_loaded.asm b/evm/src/cpu/kernel/asm/journal/account_loaded.asm deleted file mode 100644 index 6c3c4ba045..0000000000 --- a/evm/src/cpu/kernel/asm/journal/account_loaded.asm +++ /dev/null @@ -1,19 +0,0 @@ -// struct AccountLoaded { address } - -%macro journal_add_account_loaded - %journal_add_1(@JOURNAL_ENTRY_ACCOUNT_LOADED) -%endmacro - -global revert_account_loaded: - // stack: entry_type, ptr, retdest - POP - %journal_load_1 - // stack: address, retdest - DUP1 %eq_const(@RIP160) %jumpi(ripemd) - %jump(remove_accessed_addresses) - -// The address 0x3 shouldn't become unloaded. -// See https://github.com/ethereum/EIPs/issues/716. -ripemd: - // stack: address, retdest - POP JUMP diff --git a/evm/src/cpu/kernel/asm/journal/account_touched.asm b/evm/src/cpu/kernel/asm/journal/account_touched.asm deleted file mode 100644 index a5aea2194f..0000000000 --- a/evm/src/cpu/kernel/asm/journal/account_touched.asm +++ /dev/null @@ -1,19 +0,0 @@ -// struct AccountTouched { address } - -%macro journal_add_account_touched - %journal_add_1(@JOURNAL_ENTRY_ACCOUNT_TOUCHED) -%endmacro - -global revert_account_touched: - // stack: entry_type, ptr, retdest - POP - %journal_load_1 - // stack: address, retdest - DUP1 %eq_const(@RIP160) %jumpi(ripemd) - %jump(remove_touched_addresses) - -// The address 0x3 shouldn't become untouched. -// See https://github.com/ethereum/EIPs/issues/716. -ripemd: - // stack: address, retdest - POP JUMP diff --git a/evm/src/cpu/kernel/asm/journal/balance_transfer.asm b/evm/src/cpu/kernel/asm/journal/balance_transfer.asm deleted file mode 100644 index a9a5894133..0000000000 --- a/evm/src/cpu/kernel/asm/journal/balance_transfer.asm +++ /dev/null @@ -1,24 +0,0 @@ -// struct BalanceTransfer { from, to, balance } - -%macro journal_add_balance_transfer - // stack: from, to, balance - DUP3 ISZERO %jumpi(%%zero) - %journal_add_3(@JOURNAL_ENTRY_BALANCE_TRANSFER) - %jump(%%after) -%%zero: - // stack: from, to, balance - %pop3 -%%after: - // stack: (empty) -%endmacro - -global revert_balance_transfer: - // stack: entry_type, ptr, retdest - POP - %journal_load_3 - // stack: from, to, balance, retdest - SWAP1 - // stack: to, from, balance, retdest - %transfer_eth - %jumpi(panic) // This should never happen. - JUMP diff --git a/evm/src/cpu/kernel/asm/journal/code_change.asm b/evm/src/cpu/kernel/asm/journal/code_change.asm deleted file mode 100644 index 5bb637c726..0000000000 --- a/evm/src/cpu/kernel/asm/journal/code_change.asm +++ /dev/null @@ -1,18 +0,0 @@ -// struct CodeChange { address, prev_codehash } - -%macro journal_add_code_change - %journal_add_2(@JOURNAL_ENTRY_CODE_CHANGE) -%endmacro - -global revert_code_change: - // stack: entry_ptr, ptr, retdest - POP - %journal_load_2 - // stack: address, prev_codehash, retdest - %mpt_read_state_trie - // stack: account_ptr, prev_codehash, retdest - %add_const(3) - // stack: codehash_ptr, prev_codehash, retdest - %mstore_trie_data - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/journal/journal.asm b/evm/src/cpu/kernel/asm/journal/journal.asm deleted file mode 100644 index 9ba4350878..0000000000 --- a/evm/src/cpu/kernel/asm/journal/journal.asm +++ /dev/null @@ -1,210 +0,0 @@ -%macro journal_size - %mload_global_metadata(@GLOBAL_METADATA_JOURNAL_LEN) -%endmacro - -%macro mstore_journal - // stack: virtual, value - %mstore_kernel(@SEGMENT_JOURNAL) - // stack: (empty) -%endmacro - -%macro mload_journal - // stack: virtual - %mload_kernel(@SEGMENT_JOURNAL) - // stack: value -%endmacro - -%macro append_journal - // stack: pointer - %journal_size - // stack: journal_size, pointer - SWAP1 DUP2 - // stack: journal_size, pointer, journal_size - %mstore_journal - // stack: journal_size - %increment - %mstore_global_metadata(@GLOBAL_METADATA_JOURNAL_LEN) -%endmacro - -%macro journal_data_size - %mload_global_metadata(@GLOBAL_METADATA_JOURNAL_DATA_LEN) -%endmacro - -%macro mstore_journal_data - // stack: virtual, value - %mstore_kernel(@SEGMENT_JOURNAL_DATA) - // stack: (empty) -%endmacro - -%macro mload_journal_data - // stack: virtual - %mload_kernel(@SEGMENT_JOURNAL_DATA) - // stack: value -%endmacro - -%macro append_journal_data - // stack: value - %journal_data_size - // stack: size, value - SWAP1 DUP2 - // stack: size, value, size - %mstore_journal_data - // stack: size - %increment - %mstore_global_metadata(@GLOBAL_METADATA_JOURNAL_DATA_LEN) -%endmacro - -%macro journal_add_1(type) - // stack: w - %journal_data_size - // stack: ptr, w - PUSH $type %append_journal_data - // stack: ptr, w - SWAP1 - // stack: w, ptr - %append_journal_data - // stack: ptr - %append_journal -%endmacro - -%macro journal_add_2(type) - // stack: w, x - %journal_data_size - // stack: ptr, w, x - PUSH $type %append_journal_data - // stack: ptr, w, x - SWAP1 %append_journal_data - // stack: ptr, x - SWAP1 %append_journal_data - // stack: ptr - %append_journal -%endmacro - -%macro journal_add_3(type) - // stack: w, x, y - %journal_data_size - // stack: ptr, w, x, y - PUSH $type %append_journal_data - // stack: ptr, w, x, y - SWAP1 %append_journal_data - // stack: ptr, x, y - SWAP1 %append_journal_data - // stack: ptr, y - SWAP1 %append_journal_data - // stack: ptr - %append_journal -%endmacro - -%macro journal_add_4(type) - // stack: w, x, y, z - %journal_data_size - // stack: ptr, w, x, y, z - PUSH $type %append_journal_data - // stack: ptr, w, x, y, z - SWAP1 %append_journal_data - // stack: ptr, x, y, z - SWAP1 %append_journal_data - // stack: ptr, y, z - SWAP1 %append_journal_data - // stack: ptr, z - SWAP1 %append_journal_data - // stack: ptr - %append_journal -%endmacro - -%macro journal_load_1 - // ptr - %add_const(1) - %mload_journal_data - // w -%endmacro - -%macro journal_load_2 - // ptr - DUP1 - %add_const(2) - %mload_journal_data - // x, ptr - SWAP1 - %add_const(1) - %mload_journal_data - // w, x -%endmacro - -%macro journal_load_3 - // ptr - DUP1 - %add_const(3) - %mload_journal_data - // y, ptr - SWAP1 - DUP1 - // ptr, ptr, y - %add_const(2) - %mload_journal_data - // x, ptr, y - SWAP1 - %add_const(1) - %mload_journal_data - // w, x, y -%endmacro - -%macro journal_load_4 - // ptr - DUP1 - %add_const(4) - %mload_journal_data - // z, ptr - SWAP1 - DUP1 - // ptr, ptr, z - %add_const(3) - %mload_journal_data - // y, ptr, z - SWAP1 - DUP1 - // ptr, ptr, y, z - %add_const(2) - %mload_journal_data - // x, ptr, y, z - SWAP1 - %add_const(1) - %mload_journal_data - // w, x, y, z -%endmacro - -%macro current_checkpoint - %mload_global_metadata(@GLOBAL_METADATA_CURRENT_CHECKPOINT) -%endmacro - - -%macro checkpoint - // stack: (empty) - %current_checkpoint - // stack: current_checkpoint - DUP1 - PUSH @SEGMENT_JOURNAL_CHECKPOINTS - %build_kernel_address - %journal_size - // stack: journal_size, addr, current_checkpoint - MSTORE_GENERAL - // stack: current_checkpoint - %mload_context_metadata(@CTX_METADATA_CHECKPOINTS_LEN) - // stack: i, current_checkpoint - DUP2 DUP2 %mstore_current(@SEGMENT_CONTEXT_CHECKPOINTS) - // stack: i, current_checkpoint - %increment - %mstore_context_metadata(@CTX_METADATA_CHECKPOINTS_LEN) - // stack: current_checkpoint - %increment - %mstore_global_metadata(@GLOBAL_METADATA_CURRENT_CHECKPOINT) - // stack: (empty) -%endmacro - -%macro pop_checkpoint - PUSH 1 - %mload_context_metadata(@CTX_METADATA_CHECKPOINTS_LEN) - // stack: i - SUB - %mstore_context_metadata(@CTX_METADATA_CHECKPOINTS_LEN) -%endmacro diff --git a/evm/src/cpu/kernel/asm/journal/log.asm b/evm/src/cpu/kernel/asm/journal/log.asm deleted file mode 100644 index e1794397b7..0000000000 --- a/evm/src/cpu/kernel/asm/journal/log.asm +++ /dev/null @@ -1,21 +0,0 @@ -// struct Log { logs_data_len, logs_payload_len } - -%macro journal_add_log - %journal_add_2(@JOURNAL_ENTRY_LOG) -%endmacro - -global revert_log: - // stack: entry_type, ptr, retdest - POP - // First, reduce the number of logs. - PUSH 1 - %mload_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - SUB - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_LEN) - // stack: ptr, retdest - // Second, restore payload length. - %journal_load_2 - // stack: prev_logs_data_len, prev_payload_len, retdest - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_DATA_LEN) - %mstore_global_metadata(@GLOBAL_METADATA_LOGS_PAYLOAD_LEN) - JUMP diff --git a/evm/src/cpu/kernel/asm/journal/nonce_change.asm b/evm/src/cpu/kernel/asm/journal/nonce_change.asm deleted file mode 100644 index 3ab8f13677..0000000000 --- a/evm/src/cpu/kernel/asm/journal/nonce_change.asm +++ /dev/null @@ -1,17 +0,0 @@ -// struct NonceChange { address, prev_nonce } - -%macro journal_add_nonce_change - %journal_add_2(@JOURNAL_ENTRY_NONCE_CHANGE) -%endmacro - -global revert_nonce_change: - // stack: entry_type, ptr, retdest - POP - %journal_load_2 - // stack: address, prev_nonce, retdest - %mpt_read_state_trie - // stack: nonce_ptr, prev_nonce retdest - %mstore_trie_data - // stack: retdest - JUMP - diff --git a/evm/src/cpu/kernel/asm/journal/refund.asm b/evm/src/cpu/kernel/asm/journal/refund.asm deleted file mode 100644 index b0e34cc614..0000000000 --- a/evm/src/cpu/kernel/asm/journal/refund.asm +++ /dev/null @@ -1,15 +0,0 @@ -// struct Refund { amount } - -%macro journal_refund - %journal_add_1(@JOURNAL_ENTRY_REFUND) -%endmacro - -global revert_refund: - // stack: entry_type, ptr, retdest - POP - %journal_load_1 - // stack: amount, retdest - %mload_global_metadata(@GLOBAL_METADATA_REFUND_COUNTER) - SUB - %mstore_global_metadata(@GLOBAL_METADATA_REFUND_COUNTER) - JUMP diff --git a/evm/src/cpu/kernel/asm/journal/revert.asm b/evm/src/cpu/kernel/asm/journal/revert.asm deleted file mode 100644 index 857bf612b2..0000000000 --- a/evm/src/cpu/kernel/asm/journal/revert.asm +++ /dev/null @@ -1,91 +0,0 @@ -%macro revert - // stack: journal_size - %decrement - %stack (journal_size_m_1) -> (journal_size_m_1, %%after, journal_size_m_1) - %mload_journal - // stack: ptr, %%after, journal_size-1 - DUP1 %mload_journal_data - // stack: entry_type, ptr, %%after, journal_size-1 - DUP1 %eq_const(@JOURNAL_ENTRY_ACCOUNT_LOADED) %jumpi(revert_account_loaded) - DUP1 %eq_const(@JOURNAL_ENTRY_ACCOUNT_DESTROYED) %jumpi(revert_account_destroyed) - DUP1 %eq_const(@JOURNAL_ENTRY_ACCOUNT_TOUCHED) %jumpi(revert_account_touched) - DUP1 %eq_const(@JOURNAL_ENTRY_BALANCE_TRANSFER) %jumpi(revert_balance_transfer) - DUP1 %eq_const(@JOURNAL_ENTRY_NONCE_CHANGE) %jumpi(revert_nonce_change) - DUP1 %eq_const(@JOURNAL_ENTRY_STORAGE_CHANGE) %jumpi(revert_storage_change) - DUP1 %eq_const(@JOURNAL_ENTRY_STORAGE_LOADED) %jumpi(revert_storage_loaded) - DUP1 %eq_const(@JOURNAL_ENTRY_CODE_CHANGE) %jumpi(revert_code_change) - DUP1 %eq_const(@JOURNAL_ENTRY_REFUND) %jumpi(revert_refund) - DUP1 %eq_const(@JOURNAL_ENTRY_ACCOUNT_CREATED) %jumpi(revert_account_created) - DUP1 %eq_const(@JOURNAL_ENTRY_LOG) %jumpi(revert_log) - PANIC // This should never happen. -%%after: - // stack: journal_size-1 -%endmacro - -global revert_batch: - // stack: target_size, retdest - %journal_size - // stack: journal_size, target_size, retdest - DUP2 DUP2 LT %jumpi(panic) // Sanity check to avoid infinite loop. -while_loop: - // stack: journal_size, target_size, retdest - DUP2 DUP2 EQ %jumpi(revert_batch_done) - // stack: journal_size, target_size, retdest - %revert - // stack: journal_size-1, target_size, retdest - %jump(while_loop) - -revert_batch_done: - // stack: journal_size, target_size, retdest - %mstore_global_metadata(@GLOBAL_METADATA_JOURNAL_LEN) - POP JUMP - -revert_one_checkpoint: - // stack: current_checkpoint, retdest - DUP1 ISZERO %jumpi(first_checkpoint) - // stack: current_checkpoint, retdest - %decrement - // stack: current_checkpoint-1, retdest - DUP1 %mload_kernel(@SEGMENT_JOURNAL_CHECKPOINTS) - // stack: target_size, current_checkpoints-1, retdest - %jump(do_revert) -first_checkpoint: - // stack: current_checkpoint, retdest - %decrement - // stack: current_checkpoint-1, retdest - PUSH 0 - // stack: target_size, current_checkpoints-1, retdest -do_revert: - %stack (target_size, current_checkpoints_m_1, retdest) -> (target_size, after_revert, current_checkpoints_m_1, retdest) - %jump(revert_batch) -after_revert: - // stack: current_checkpoint-1, retdest - SWAP1 JUMP - - -global revert_checkpoint: - // stack: retdest - PUSH 1 %mload_context_metadata(@CTX_METADATA_CHECKPOINTS_LEN) SUB - %mload_current(@SEGMENT_CONTEXT_CHECKPOINTS) - // stack: target_checkpoint, retdest - %current_checkpoint - // stack: current_checkpoint, target_checkpoint, retdest - DUP2 DUP2 LT %jumpi(panic) // Sanity check that current_cp >= target_cp. This should never happen. -while: - // stack: current_checkpoint, target_checkpoint, retdest - DUP2 DUP2 EQ %jumpi(revert_checkpoint_done) - %stack (current_checkpoint) -> (current_checkpoint, while) - %jump(revert_one_checkpoint) -revert_checkpoint_done: - // stack: current_checkpoint, target_checkpoint, retdest - POP - %mstore_global_metadata(@GLOBAL_METADATA_CURRENT_CHECKPOINT) - %pop_checkpoint - JUMP - -%macro revert_checkpoint - PUSH %%after - %jump(revert_checkpoint) -%%after: - // stack: (empty) -%endmacro diff --git a/evm/src/cpu/kernel/asm/journal/storage_change.asm b/evm/src/cpu/kernel/asm/journal/storage_change.asm deleted file mode 100644 index 752674d1e1..0000000000 --- a/evm/src/cpu/kernel/asm/journal/storage_change.asm +++ /dev/null @@ -1,57 +0,0 @@ -// struct StorageChange { address, slot, prev_value } - -%macro journal_add_storage_change - %journal_add_3(@JOURNAL_ENTRY_STORAGE_CHANGE) -%endmacro - -global revert_storage_change: - // stack: entry_type, ptr, retdest - POP - %journal_load_3 - // stack: address, slot, prev_value, retdest - DUP3 ISZERO %jumpi(delete) - // stack: address, slot, prev_value, retdest - SWAP1 %slot_to_storage_key - // stack: storage_key, address, prev_value, retdest - PUSH 64 // storage_key has 64 nibbles - // stack: 64, storage_key, address, prev_value, retdest - DUP3 %mpt_read_state_trie - DUP1 ISZERO %jumpi(panic) - // stack: account_ptr, 64, storage_key, address, prev_value, retdest - %add_const(2) - // stack: storage_root_ptr_ptr, 64, storage_key, address, prev_value, retdest - %mload_trie_data - %get_trie_data_size - DUP6 %append_to_trie_data - %stack (prev_value_ptr, storage_root_ptr, num_nibbles, storage_key, address, prev_value, retdest) -> - (storage_root_ptr, num_nibbles, storage_key, prev_value_ptr, new_storage_root, address, retdest) - %jump(mpt_insert) - -delete: - // stack: address, slot, prev_value, retdest - SWAP2 POP - %stack (slot, address, retdest) -> (slot, new_storage_root, address, retdest) - %slot_to_storage_key - // stack: storage_key, new_storage_root, address, retdest - PUSH 64 // storage_key has 64 nibbles - // stack: 64, storage_key, new_storage_root, address, retdest - DUP4 %mpt_read_state_trie - DUP1 ISZERO %jumpi(panic) - // stack: account_ptr, 64, storage_key, new_storage_root, address, retdest - %add_const(2) - // stack: storage_root_ptr_ptr, 64, storage_key, new_storage_root, address, retdest - %mload_trie_data - // stack: storage_root_ptr, 64, storage_key, new_storage_root, address, retdest - %jump(mpt_delete) - -new_storage_root: - // stack: new_storage_root_ptr, address, retdest - DUP2 %mpt_read_state_trie - // stack: account_ptr, new_storage_root_ptr, address, retdest - - // Update account with our new storage root pointer. - %add_const(2) - // stack: account_storage_root_ptr_ptr, new_storage_root_ptr, address, retdest - %mstore_trie_data - // stack: address, retdest - POP JUMP diff --git a/evm/src/cpu/kernel/asm/journal/storage_loaded.asm b/evm/src/cpu/kernel/asm/journal/storage_loaded.asm deleted file mode 100644 index 9d1f37453a..0000000000 --- a/evm/src/cpu/kernel/asm/journal/storage_loaded.asm +++ /dev/null @@ -1,12 +0,0 @@ -// struct StorageLoaded { address, slot } - -%macro journal_add_storage_loaded - %journal_add_2(@JOURNAL_ENTRY_STORAGE_LOADED) -%endmacro - -global revert_storage_loaded: - // stack: entry_type, ptr, retdest - POP - %journal_load_2 - // stack: address, slot, retdest - %jump(remove_accessed_storage_keys) diff --git a/evm/src/cpu/kernel/asm/main.asm b/evm/src/cpu/kernel/asm/main.asm deleted file mode 100644 index d78152f4be..0000000000 --- a/evm/src/cpu/kernel/asm/main.asm +++ /dev/null @@ -1,96 +0,0 @@ -global main: - // First, hash the kernel code - %mload_global_metadata(@GLOBAL_METADATA_KERNEL_LEN) - PUSH 0 - // stack: addr, len - KECCAK_GENERAL - // stack: hash - %mload_global_metadata(@GLOBAL_METADATA_KERNEL_HASH) - // stack: expected_hash, hash - %assert_eq - - // Initialise the shift table - %shift_table_init - - // Initialize the RLP DATA pointer to its initial position (ctx == virt == 0, segment = RLP) - PUSH @SEGMENT_RLP_RAW - %mstore_global_metadata(@GLOBAL_METADATA_RLP_DATA_SIZE) - - // Encode constant nodes - %initialize_rlp_segment - - // Initialize the state, transaction and receipt trie root pointers. - PROVER_INPUT(trie_ptr::state) - %mstore_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - PROVER_INPUT(trie_ptr::txn) - %mstore_global_metadata(@GLOBAL_METADATA_TXN_TRIE_ROOT) - PROVER_INPUT(trie_ptr::receipt) - %mstore_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_ROOT) - -global hash_initial_tries: - // We compute the length of the trie data segment in `mpt_hash` so that we - // can check the value provided by the prover. - // We initialize the segment length with 1 because the segment contains - // the null pointer `0` when the tries are empty. - PUSH 1 - %mpt_hash_state_trie %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_DIGEST_BEFORE) %assert_eq - // stack: trie_data_len - %mpt_hash_txn_trie %mload_global_metadata(@GLOBAL_METADATA_TXN_TRIE_DIGEST_BEFORE) %assert_eq - // stack: trie_data_len - %mpt_hash_receipt_trie %mload_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_DIGEST_BEFORE) %assert_eq - // stack: trie_data_full_len - %mstore_global_metadata(@GLOBAL_METADATA_TRIE_DATA_SIZE) - -global start_txn: - // stack: (empty) - // The special case of an empty trie (i.e. for the first transaction) - // is handled outside of the kernel. - %mload_global_metadata(@GLOBAL_METADATA_TXN_NUMBER_BEFORE) - // stack: txn_nb - DUP1 %scalar_to_rlp - // stack: txn_counter, txn_nb - DUP1 %num_bytes %mul_const(2) - // stack: num_nibbles, txn_counter, txn_nb - %increment_bounded_rlp - // stack: txn_counter, num_nibbles, next_txn_counter, next_num_nibbles, txn_nb - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_GAS_USED_BEFORE) - - // stack: init_gas_used, txn_counter, num_nibbles, next_txn_counter, next_num_nibbles, txn_nb - - // If the prover has no txn for us to process, halt. - PROVER_INPUT(no_txn) - %jumpi(execute_withdrawals) - - // Call route_txn. When we return, we will process the txn receipt. - PUSH txn_after - // stack: retdest, prev_gas_used, txn_counter, num_nibbles, next_txn_counter, next_num_nibbles, txn_nb - DUP4 DUP4 - - %jump(route_txn) - -global txn_after: - // stack: success, leftover_gas, cur_cum_gas, prev_txn_counter, prev_num_nibbles, txn_counter, num_nibbles, txn_nb - %process_receipt - // stack: new_cum_gas, txn_counter, num_nibbles, txn_nb - SWAP3 %increment SWAP3 - %jump(execute_withdrawals_post_stack_op) - -global execute_withdrawals: - // stack: cum_gas, txn_counter, num_nibbles, next_txn_counter, next_num_nibbles, txn_nb - %stack (cum_gas, txn_counter, num_nibbles, next_txn_counter, next_num_nibbles) -> (cum_gas, txn_counter, num_nibbles) -execute_withdrawals_post_stack_op: - %withdrawals - -global hash_final_tries: - // stack: cum_gas, txn_counter, num_nibbles, txn_nb - // Check that we end up with the correct `cum_gas`, `txn_nb` and bloom filter. - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_GAS_USED_AFTER) %assert_eq - DUP3 %mload_global_metadata(@GLOBAL_METADATA_TXN_NUMBER_AFTER) %assert_eq - %pop3 - PUSH 1 // initial trie data length - %mpt_hash_state_trie %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_DIGEST_AFTER) %assert_eq - %mpt_hash_txn_trie %mload_global_metadata(@GLOBAL_METADATA_TXN_TRIE_DIGEST_AFTER) %assert_eq - %mpt_hash_receipt_trie %mload_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_DIGEST_AFTER) %assert_eq - // We don't need the trie data length here. - POP - %jump(halt) diff --git a/evm/src/cpu/kernel/asm/memory/core.asm b/evm/src/cpu/kernel/asm/memory/core.asm deleted file mode 100644 index 070e474f6e..0000000000 --- a/evm/src/cpu/kernel/asm/memory/core.asm +++ /dev/null @@ -1,474 +0,0 @@ -// Load a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0). -%macro mload_u32 - // stack: addr - %stack (addr) -> (addr, 4) - MLOAD_32BYTES -%endmacro - -// Load a little-endian u32, consisting of 4 bytes (c_0, c_1, c_2, c_3). -%macro mload_u32_LE - // stack: addr - DUP1 - MLOAD_GENERAL - // stack: c0, addr - DUP2 - %increment - MLOAD_GENERAL - %shl_const(8) - ADD - // stack: c0 | (c1 << 8), addr - DUP2 - %add_const(2) - MLOAD_GENERAL - %shl_const(16) - ADD - // stack: c0 | (c1 << 8) | (c2 << 16), addr - SWAP1 - %add_const(3) - MLOAD_GENERAL - %shl_const(24) - ADD // OR - // stack: c0 | (c1 << 8) | (c2 << 16) | (c3 << 24) -%endmacro - -// Load a little-endian u64, consisting of 8 bytes (c_0, ..., c_7). -%macro mload_u64_LE - // stack: addr - DUP1 - %mload_u32_LE - // stack: lo, addr - SWAP1 - %add_const(4) - %mload_u32_LE - // stack: hi, lo - %shl_const(32) - // stack: hi << 32, lo - ADD // OR - // stack: (hi << 32) | lo -%endmacro - -// Load a big-endian u256. -%macro mload_u256 - // stack: addr - %stack (addr) -> (addr, 32) - MLOAD_32BYTES -%endmacro - -// Store a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0). -%macro mstore_u32 - // stack: addr, value - MSTORE_32BYTES_4 - // stack: offset - POP -%endmacro - -// Load a value from the given segment of the current context's memory space. -// Note that main memory values are one byte each, but in general memory values -// can be 256 bits. This macro deals with a single address (unlike MLOAD), so -// if it is used with main memory, it will load a single byte. -%macro mload_current(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - GET_CONTEXT - // stack: context, segment, offset - %build_address - MLOAD_GENERAL - // stack: value -%endmacro - -// Store a value to the given segment of the current context's memory space. -// Note that main memory values are one byte each, but in general memory values -// can be 256 bits. This macro deals with a single address (unlike MSTORE), so -// if it is used with main memory, it will store a single byte. -%macro mstore_current(segment) - // stack: offset, value - PUSH $segment - // stack: segment, offset, value - GET_CONTEXT - // stack: context, segment, offset, value - %build_address - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro mstore_current(segment, offset) - // stack: value - PUSH $offset - // stack: offset, value - PUSH $segment - // stack: segment, offset, value - GET_CONTEXT - // stack: context, segment, offset, value - %build_address - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Load a single byte from user code. -%macro mload_current_code - // stack: offset - // SEGMENT_CODE == 0 - GET_CONTEXT ADD - // stack: addr - MLOAD_GENERAL - // stack: value -%endmacro - -// Load a single value from the kernel general memory, in the current context (not the kernel's context). -%macro mload_current_general - // stack: offset - %mload_current(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a single value from the kernel general memory, in the current context (not the kernel's context). -%macro mload_current_general_no_offset - // stack: - %build_current_general_address_no_offset - MLOAD_GENERAL - // stack: value -%endmacro - -// Load a big-endian u32 from kernel general memory in the current context. -%macro mload_current_general_u32 - // stack: offset - %build_current_general_address - %mload_u32 - // stack: value -%endmacro - -// Load a little-endian u32 from kernel general memory in the current context. -%macro mload_current_general_u32_LE - // stack: offset - %build_current_general_address - %mload_u32_LE - // stack: value -%endmacro - -// Load a little-endian u64 from kernel general memory in the current context. -%macro mload_current_general_u64_LE - // stack: offset - %build_current_general_address - %mload_u64_LE - // stack: value -%endmacro - -// Load a u256 from kernel general memory in the current context. -%macro mload_current_general_u256 - // stack: offset - %build_current_general_address - %mload_u256 - // stack: value -%endmacro - -// Store a single value to kernel general memory in the current context. -%macro mstore_current_general - // stack: offset, value - %build_current_general_address - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Store a single value to kernel general memory in the current context. -%macro mstore_current_general_no_offset - // stack: value - %build_current_general_address_no_offset - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro mstore_current_general(offset) - // stack: value - PUSH $offset - // stack: offset, value - %mstore_current_general - // stack: (empty) -%endmacro - -// Store a big-endian u32 to kernel general memory in the current context. -%macro mstore_current_general_u32 - // stack: offset, value - %build_current_general_address - %mstore_u32 - // stack: (empty) -%endmacro - -// set offset i to offset j in kernel general -%macro mupdate_current_general - // stack: j, i - %mload_current_general - // stack: x, i - SWAP1 - %mstore_current_general - // stack: (empty) -%endmacro - -// Load a single value from the given segment of kernel (context 0) memory. -%macro mload_kernel(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - %build_kernel_address - MLOAD_GENERAL - // stack: value -%endmacro - -// Load a single value from the given segment of kernel (context 0) memory. -%macro mload_kernel_no_offset(segment) - // stack: empty - PUSH $segment - // stack: addr - MLOAD_GENERAL - // stack: value -%endmacro - -// Store a single value from the given segment of kernel (context 0) memory. -%macro mstore_kernel(segment) - // stack: offset, value - PUSH $segment - // stack: segment, offset, value - %build_kernel_address - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Store a single value from the given segment of kernel (context 0) memory. -%macro mstore_kernel_no_offset(segment) - // stack: value - PUSH $segment - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Store a single value from the given segment of kernel (context 0) memory. -%macro mstore_kernel(segment, offset) - // stack: value - PUSH $offset - // stack: offset, value - PUSH $segment - // stack: segment, offset, value - %build_kernel_address - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Load from the kernel a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0) -%macro mload_kernel_u32(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - %build_kernel_address - %mload_u32 -%endmacro - -// Load from the kernel a little-endian u32, consisting of 4 bytes (c_0, c_1, c_2, c_3). -%macro mload_kernel_u32_LE(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - %build_kernel_address - %mload_u32_LE -%endmacro - -// Load from the kernel a little-endian u64, consisting of 8 bytes (c_0, ..., c_7). -%macro mload_kernel_u64_LE(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - %build_kernel_address - %mload_u64_LE -%endmacro - -// Load a u256 (big-endian) from the kernel. -%macro mload_kernel_u256(segment) - // stack: offset - PUSH $segment - // stack: segment, offset - %build_kernel_address - %mload_u256 -%endmacro - -// Store a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0), -// to the kernel. -%macro mstore_kernel_u32(segment) - // stack: offset, value - PUSH $segment - // stack: segment, offset, value - %build_kernel_address - // stack: addr, value - %mstore_u32 -%endmacro - -// Load a single byte from kernel code. -%macro mload_kernel_code - // stack: offset - // ctx == SEGMENT_CODE == 0 - MLOAD_GENERAL - // stack: value -%endmacro - -%macro mload_kernel_code(label) - // stack: shift - PUSH $label - ADD - // stack: label + shift - %mload_kernel_code - // stack: byte -%endmacro - -// Load a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0), -// from kernel code. -%macro mload_kernel_code_u32 - // stack: offset - // ctx == SEGMENT_CODE == 0 - %mload_u32 - // stack: value -%endmacro - -%macro mload_kernel_code_u32(label) - // stack: u32_shift - %mul_const(4) - // stack: byte_shift - PUSH $label - ADD - // stack: offset - // ctx == SEGMENT_CODE == 0 - %mload_u32 - // stack: value -%endmacro - -// Load a single value from kernel general memory. -%macro mload_kernel_general - // stack: offset - %mload_kernel(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a single value from kernel general memory. -%macro mload_kernel_general(offset) - PUSH $offset - %mload_kernel(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0), -// from kernel general memory. -%macro mload_kernel_general_u32 - // stack: offset - %mload_kernel_u32(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a little-endian u32, consisting of 4 bytes (c_0, c_1, c_2, c_3), -// from kernel general memory. -%macro mload_kernel_general_u32_LE - // stack: offset - %mload_kernel_u32_LE(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a little-endian u64, consisting of 8 bytes -// (c_0, c_1, c_2, c_3, c_4, c_5, c_6, c_7), from kernel general memory. -%macro mload_kernel_general_u64_LE - // stack: offset - %mload_kernel_u64_LE(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Load a u256 (big-endian) from kernel code. -%macro mload_kernel_code_u256 - // stack: offset - // ctx == SEGMENT_CODE == 0 - %mload_u256 - // stack: value -%endmacro - -// Load a u256 (big-endian) from kernel general memory. -%macro mload_kernel_general_u256 - // stack: offset - %mload_kernel_u256(@SEGMENT_KERNEL_GENERAL) - // stack: value -%endmacro - -// Store a single byte to kernel code. -%macro mstore_kernel_code - // stack: offset, value - // ctx == SEGMENT_CODE == 0 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Store a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0), -// to kernel code. -%macro mstore_kernel_code_u32 - // stack: offset, value - // ctx == SEGMENT_CODE == 0 - %mstore_u32 -%endmacro - -%macro swap_mstore - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro mstore_kernel_general - // stack: offset, value - %mstore_kernel(@SEGMENT_KERNEL_GENERAL) - // stack: (empty) -%endmacro - -%macro mstore_kernel_general(offset) - // stack: value - PUSH $offset - // stack: offset, value - %mstore_kernel_general - // stack: (empty) -%endmacro - -// Store a big-endian u32, consisting of 4 bytes (c_3, c_2, c_1, c_0), -// to kernel general memory. -%macro mstore_kernel_general_u32 - // stack: offset, value - %mstore_kernel_u32(@SEGMENT_KERNEL_GENERAL) -%endmacro - -// Load a single value from kernel general 2 memory. -%macro mload_kernel_general_2 - // stack: offset - %mload_kernel(@SEGMENT_KERNEL_GENERAL_2) - // stack: value -%endmacro - -// Load a single value from kernel general memory. -%macro mload_kernel_general_2(offset) - PUSH $offset - %mload_kernel(@SEGMENT_KERNEL_GENERAL_2) - // stack: value -%endmacro - -%macro mstore_kernel_general_2 - // stack: offset, value - %mstore_kernel(@SEGMENT_KERNEL_GENERAL_2) - // stack: (empty) -%endmacro - -%macro mstore_kernel_general_2(offset) - // stack: value - PUSH $offset - // stack: offset, value - %mstore_kernel_general_2 - // stack: (empty) -%endmacro diff --git a/evm/src/cpu/kernel/asm/memory/memcpy.asm b/evm/src/cpu/kernel/asm/memory/memcpy.asm deleted file mode 100644 index a7819bf6e8..0000000000 --- a/evm/src/cpu/kernel/asm/memory/memcpy.asm +++ /dev/null @@ -1,106 +0,0 @@ -// Copies `count` values from SRC to DST. -global memcpy: - // stack: DST, SRC, count, retdest - DUP3 - // stack: count, DST, SRC, count, retdest - ISZERO - // stack: count == 0, DST, SRC, count, retdest - %jumpi(memcpy_finish) - // stack: DST, SRC, count, retdest - DUP1 - - // Copy the next value. - DUP3 - // stack: SRC, DST, DST, SRC, count, retdest - MLOAD_GENERAL - // stack: value, DST, DST, SRC, count, retdest - MSTORE_GENERAL - // stack: DST, SRC, count, retdest - - // Increment dst_addr. - %increment - // Increment src_addr. - SWAP1 - %increment - SWAP1 - // Decrement count. - PUSH 1 DUP4 SUB SWAP3 POP - - // Continue the loop. - %jump(memcpy) - -%macro memcpy - %stack (dst, src, count) -> (dst, src, count, %%after) - %jump(memcpy) -%%after: -%endmacro - -// Similar logic to memcpy, but optimized for copying sequences of bytes. -global memcpy_bytes: - // stack: DST, SRC, count, retdest - - // Handle small case - DUP3 - // stack: count, DST, SRC, count, retdest - %lt_const(0x21) - // stack: count <= 32, DST, SRC, count, retdest - %jumpi(memcpy_bytes_finish) - - // We will pack 32 bytes into a U256 from the source, and then unpack it at the destination. - // Copy the next chunk of bytes. - // stack: DST, SRC, count, retdest - PUSH 32 - DUP3 - // stack: SRC, 32, DST, SRC, count, retdest - MLOAD_32BYTES - // stack: value, DST, SRC, count, retdest - SWAP1 - // stack: DST, value, SRC, count, retdest - MSTORE_32BYTES_32 - // stack: DST', SRC, count, retdest - // Increment SRC by 32. - SWAP1 - %add_const(0x20) - SWAP1 - // Decrement count by 32. - PUSH 32 DUP4 SUB SWAP3 POP - - // Continue the loop. - %jump(memcpy_bytes) - -memcpy_bytes_finish: - // stack: DST, SRC, count, retdest - - // Handle empty case - DUP3 - // stack: count, DST, SRC, count, retdest - ISZERO - // stack: count == 0, DST, SRC, count, retdest - %jumpi(memcpy_finish) - - // stack: DST, SRC, count, retdest - - // Copy the last chunk of `count` bytes. - DUP3 - DUP1 - DUP4 - // stack: SRC, count, count, DST, SRC, count, retdest - MLOAD_32BYTES - // stack: value, count, DST, SRC, count, retdest - DUP3 - // stack: DST, value, count, DST, SRC, count, retdest - %mstore_unpacking - // stack: new_offset, DST, SRC, count, retdest - POP - -memcpy_finish: - // stack: DST, SRC, count, retdest - %pop3 - // stack: retdest - JUMP - -%macro memcpy_bytes - %stack (dst, src, count) -> (dst, src, count, %%after) - %jump(memcpy_bytes) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/memory/memset.asm b/evm/src/cpu/kernel/asm/memory/memset.asm deleted file mode 100644 index 792aeabc68..0000000000 --- a/evm/src/cpu/kernel/asm/memory/memset.asm +++ /dev/null @@ -1,49 +0,0 @@ -// Sets `count` values to 0 at DST. -global memset: - // stack: DST, count, retdest - - // Handle small case - DUP2 - // stack: count, DST, count, retdest - %lt_const(0x21) - // stack: count <= 32, DST, count, retdest - %jumpi(memset_finish) - - // stack: DST, count, retdest - PUSH 0 - SWAP1 - // stack: DST, 0, count, retdest - MSTORE_32BYTES_32 - // stack: DST', count, retdest - // Decrement count. - PUSH 32 DUP3 SUB SWAP2 POP - - // Continue the loop. - %jump(memset) - -memset_finish: - // stack: DST, final_count, retdest - - // Handle empty case - DUP2 - // stack: final_count, DST, final_count, retdest - ISZERO - // stack: final_count == 0, DST, final_count, retdest - %jumpi(memset_bytes_empty) - - // stack: DST, final_count, retdest - DUP2 - PUSH 0 - DUP3 - // stack: DST, 0, final_count, DST, final_count, retdest - %mstore_unpacking - // stack: DST, final_count, retdest - %pop3 - // stack: retdest - JUMP - -memset_bytes_empty: - // stack: DST, 0, retdest - %pop2 - // stack: retdest - JUMP diff --git a/evm/src/cpu/kernel/asm/memory/metadata.asm b/evm/src/cpu/kernel/asm/memory/metadata.asm deleted file mode 100644 index e69e292b64..0000000000 --- a/evm/src/cpu/kernel/asm/memory/metadata.asm +++ /dev/null @@ -1,436 +0,0 @@ -// Load the given global metadata field from memory. -%macro mload_global_metadata(field) - // Global metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: (empty) - PUSH $field - MLOAD_GENERAL - // stack: value -%endmacro - -// Store the given global metadata field to memory. -%macro mstore_global_metadata(field) - // Global metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: value - PUSH $field - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Load the given context metadata field from memory. -%macro mload_context_metadata(field) - // Context metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: (empty) - PUSH $field - GET_CONTEXT - ADD - // stack: addr - MLOAD_GENERAL - // stack: value -%endmacro - -// Store the given context metadata field to memory. -%macro mstore_context_metadata(field) - // Context metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: value - PUSH $field - GET_CONTEXT - ADD - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -// Store the given context metadata field to memory. -%macro mstore_context_metadata(field, value) - // Context metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - PUSH $field - GET_CONTEXT - ADD - // stack: addr - PUSH $value - // stack: value, addr - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro mstore_parent_context_metadata(field) - // Context metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: value - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - - // stack: parent_ctx, value - PUSH $field ADD - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro mstore_parent_context_metadata(field, value) - // Context metadata are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: (empty) - %mload_context_metadata(@CTX_METADATA_PARENT_CONTEXT) - - // stack: parent_ctx - PUSH $field ADD - // stack: addr - PUSH $value - // stack: value, addr - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro address - %mload_context_metadata(@CTX_METADATA_ADDRESS) -%endmacro - -global sys_address: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %address - // stack: address, kexit_info - SWAP1 - EXIT_KERNEL - -%macro caller - %mload_context_metadata(@CTX_METADATA_CALLER) -%endmacro - -global sys_caller: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %caller - // stack: caller, kexit_info - SWAP1 - EXIT_KERNEL - -%macro callvalue - %mload_context_metadata(@CTX_METADATA_CALL_VALUE) -%endmacro - -%macro codesize - %mload_context_metadata(@CTX_METADATA_CODE_SIZE) -%endmacro - -global sys_codesize: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %codesize - // stack: codesize, kexit_info - SWAP1 - EXIT_KERNEL - -global sys_callvalue: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %callvalue - // stack: callvalue, kexit_info - SWAP1 - EXIT_KERNEL - -%macro mem_words - %mload_context_metadata(@CTX_METADATA_MEM_WORDS) -%endmacro - -%macro msize - %mem_words - %mul_const(32) -%endmacro - -global sys_msize: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %msize - // stack: msize, kexit_info - SWAP1 - EXIT_KERNEL - -%macro calldatasize - %mload_context_metadata(@CTX_METADATA_CALLDATA_SIZE) -%endmacro - -global sys_calldatasize: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %calldatasize - // stack: calldatasize, kexit_info - SWAP1 - EXIT_KERNEL - -%macro returndatasize - %mload_context_metadata(@CTX_METADATA_RETURNDATA_SIZE) -%endmacro - -global sys_returndatasize: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %returndatasize - // stack: returndatasize, kexit_info - SWAP1 - EXIT_KERNEL - -%macro coinbase - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_BENEFICIARY) -%endmacro - -global sys_coinbase: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %coinbase - // stack: coinbase, kexit_info - SWAP1 - EXIT_KERNEL - -%macro timestamp - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_TIMESTAMP) -%endmacro - -global sys_timestamp: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %timestamp - // stack: timestamp, kexit_info - SWAP1 - EXIT_KERNEL - -%macro blocknumber - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_NUMBER) -%endmacro - -global sys_number: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %blocknumber - // stack: blocknumber, kexit_info - SWAP1 - EXIT_KERNEL - -%macro blockgaslimit - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_GAS_LIMIT) -%endmacro - -global sys_gaslimit: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %blockgaslimit - // stack: blockgaslimit, kexit_info - SWAP1 - EXIT_KERNEL - -%macro blockchainid - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_CHAIN_ID) -%endmacro - -global sys_chainid: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %blockchainid - // stack: chain_id, kexit_info - SWAP1 - EXIT_KERNEL - -%macro basefee - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_BASE_FEE) -%endmacro - -global sys_basefee: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %basefee - // stack: basefee, kexit_info - SWAP1 - EXIT_KERNEL - -global sys_blockhash: - // stack: kexit_info, block_number - %charge_gas_const(@GAS_BLOCKHASH) - SWAP1 - // stack: block_number, kexit_info - %blockhash - // stack: blockhash, kexit_info - SWAP1 - EXIT_KERNEL - -global blockhash: - // stack: block_number, retdest - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_NUMBER) - // stack: cur_block_number, block_number, retdest - // Check for an overflow, since we're incrementing `block_number` afterwards. - DUP2 %eq_const(@U256_MAX) %jumpi(zero_hash) - // stack: cur_block_number, block_number, retdest - DUP1 DUP3 %increment GT %jumpi(zero_hash) // if block_number >= cur_block_number - // stack: cur_block_number, block_number, retdest - DUP2 PUSH 256 ADD - // stack: block_number+256, cur_block_number, block_number, retdest - DUP2 GT %jumpi(zero_hash) // if cur_block_number > block_number + 256 - // If we are here, the provided block number is correct - SUB - // stack: cur_block_number - block_number, retdest - PUSH 256 SUB - // stack: block_hash_number, retdest - %mload_kernel(@SEGMENT_BLOCK_HASHES) - SWAP1 JUMP - -%macro blockhash - // stack: block_number - %stack (block_number) -> (block_number, %%after) - %jump(blockhash) -%%after: -%endmacro - -zero_hash: - // stack: cur_block_number, block_number, retdest - %pop2 - PUSH 0 SWAP1 - JUMP - -%macro update_mem_words - // stack: num_words, kexit_info - %mem_words - // stack: old_num_words, num_words, kexit_info - DUP2 DUP2 GT - // stack: old_num_words > num_words, old_num_words, num_words, kexit_info - %jumpi(%%no_update) - // stack: old_num_words, num_words, kexit_info - %memory_cost - // stack: old_cost, num_words, kexit_info - SWAP1 - // stack: num_words, old_cost, kexit_info - DUP1 %mstore_context_metadata(@CTX_METADATA_MEM_WORDS) - // stack: num_words, old_cost, kexit_info - %memory_cost - // stack: new_cost, old_cost, kexit_info - SUB - // stack: additional_cost, kexit_info - %charge_gas - %jump(%%end) -%%no_update: - // stack: old_num_words, num_words, kexit_info - %pop2 -%%end: - // stack: kexit_info -%endmacro - -%macro update_mem_bytes - // stack: num_bytes, kexit_info - %num_bytes_to_num_words - // stack: num_words, kexit_info - %update_mem_words - // stack: kexit_info -%endmacro - -%macro num_bytes_to_num_words - // stack: num_bytes - %add_const(31) - // stack: 31 + num_bytes - %shr_const(5) - // stack: (num_bytes + 31) / 32 -%endmacro - -%macro memory_cost - // stack: num_words - DUP1 - // stack: num_words, msize - %mul_const(@GAS_MEMORY) - // stack: num_words * GAS_MEMORY, msize - SWAP1 - // stack: num_words, num_words * GAS_MEMORY - %square - %shr_const(9) - // stack: num_words^2 / 512, num_words * GAS_MEMORY - ADD - // stack: cost = num_words^2 / 512 + num_words * GAS_MEMORY -%endmacro - -// Faults if the given offset is "unreasonable", i.e. the associated memory expansion cost -// would exceed any reasonable block limit. -// We do this to avoid overflows in future gas-related calculations. -%macro ensure_reasonable_offset - // stack: offset - // The memory expansion cost, (50000000 / 32)^2 / 512, is around 2^32 gas, - // i.e. greater than any reasonable block limit. - %gt_const(50000000) - // stack: is_unreasonable - %jumpi(fault_exception) - // stack: (empty) -%endmacro - -// Convenience macro for checking if the current context is static. -// Called before state-changing opcodes. -%macro check_static - %mload_context_metadata(@CTX_METADATA_STATIC) - %jumpi(fault_exception) -%endmacro - -// Adds the two top elements of the stack, and faults in case of overflow. -%macro add_or_fault - // stack: x, y - DUP2 ADD - // stack: sum, y - DUP1 SWAP2 - // stack: y, sum, sum - GT - // stack: is_overflow, sum - %jumpi(fault_exception) - // stack: sum -%endmacro - -%macro call_depth - %mload_global_metadata(@GLOBAL_METADATA_CALL_STACK_DEPTH) -%endmacro - -%macro increment_call_depth - %mload_global_metadata(@GLOBAL_METADATA_CALL_STACK_DEPTH) - %increment - %mstore_global_metadata(@GLOBAL_METADATA_CALL_STACK_DEPTH) -%endmacro - -%macro decrement_call_depth - PUSH 1 - %mload_global_metadata(@GLOBAL_METADATA_CALL_STACK_DEPTH) - SUB - %mstore_global_metadata(@GLOBAL_METADATA_CALL_STACK_DEPTH) -%endmacro - -global sys_prevrandao: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - %mload_global_metadata(@GLOBAL_METADATA_BLOCK_RANDOM) - %stack (random, kexit_info) -> (kexit_info, random) - EXIT_KERNEL diff --git a/evm/src/cpu/kernel/asm/memory/packing.asm b/evm/src/cpu/kernel/asm/memory/packing.asm deleted file mode 100644 index a1bf5a09ad..0000000000 --- a/evm/src/cpu/kernel/asm/memory/packing.asm +++ /dev/null @@ -1,321 +0,0 @@ -// Methods for encoding integers as bytes in memory, as well as the reverse, -// decoding bytes as integers. All big-endian unless specified. - -global mload_packing_u64_LE: - // stack: addr, retdest - DUP1 MLOAD_GENERAL - DUP2 %add_const(1) MLOAD_GENERAL %shl_const( 8) ADD - DUP2 %add_const(2) MLOAD_GENERAL %shl_const(16) ADD - DUP2 %add_const(3) MLOAD_GENERAL %shl_const(24) ADD - DUP2 %add_const(4) MLOAD_GENERAL %shl_const(32) ADD - DUP2 %add_const(5) MLOAD_GENERAL %shl_const(40) ADD - DUP2 %add_const(6) MLOAD_GENERAL %shl_const(48) ADD - DUP2 %add_const(7) MLOAD_GENERAL %shl_const(56) ADD - %stack (value, addr, retdest) -> (retdest, value) - JUMP - -%macro mload_packing_u64_LE - %stack (addr) -> (addr, %%after) - %jump(mload_packing_u64_LE) -%%after: -%endmacro - -// Pre stack: addr, value, len, retdest -// Post stack: addr' -global mstore_unpacking: - // stack: addr, value, len, retdest - DUP3 ISZERO - // stack: len == 0, addr, value, len, retdest - %jumpi(mstore_unpacking_empty) - %stack(addr, value, len, retdest) -> (len, addr, value, retdest) - PUSH 3 - // stack: BYTES_PER_JUMP, len, addr, value, retdest - MUL - // stack: jump_offset, addr, value, retdest - PUSH mstore_unpacking_0 - // stack: mstore_unpacking_0, jump_offset, addr, value, retdest - ADD - // stack: address_unpacking, addr, value, retdest - JUMP - -mstore_unpacking_empty: - %stack(addr, value, len, retdest) -> (retdest, addr) - JUMP - -// This case can never be reached. It's only here to offset the table correctly. -mstore_unpacking_0: - %rep 3 - PANIC - %endrep -mstore_unpacking_1: - // stack: addr, value, retdest - MSTORE_32BYTES_1 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_2: - // stack: addr, value, retdest - MSTORE_32BYTES_2 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_3: - // stack: addr, value, retdest - MSTORE_32BYTES_3 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_4: - // stack: addr, value, retdest - MSTORE_32BYTES_4 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_5: - // stack: addr, value, retdest - MSTORE_32BYTES_5 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_6: - // stack: addr, value, retdest - MSTORE_32BYTES_6 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_7: - // stack: addr, value, retdest - MSTORE_32BYTES_7 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_8: - // stack: addr, value, retdest - MSTORE_32BYTES_8 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_9: - // stack: addr, value, retdest - MSTORE_32BYTES_9 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_10: - // stack: addr, value, retdest - MSTORE_32BYTES_10 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_11: - // stack: addr, value, retdest - MSTORE_32BYTES_11 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_12: - // stack: addr, value, retdest - MSTORE_32BYTES_12 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_13: - // stack: addr, value, retdest - MSTORE_32BYTES_13 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_14: - // stack: addr, value, retdest - MSTORE_32BYTES_14 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_15: - // stack: addr, value, retdest - MSTORE_32BYTES_15 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_16: - // stack: addr, value, retdest - MSTORE_32BYTES_16 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_17: - // stack: addr, value, retdest - MSTORE_32BYTES_17 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_18: - // stack: addr, value, retdest - MSTORE_32BYTES_18 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_19: - // stack: addr, value, retdest - MSTORE_32BYTES_19 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_20: - // stack: addr, value, retdest - MSTORE_32BYTES_20 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_21: - // stack: addr, value, retdest - MSTORE_32BYTES_21 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_22: - // stack: addr, value, retdest - MSTORE_32BYTES_22 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_23: - // stack: addr, value, retdest - MSTORE_32BYTES_23 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_24: - // stack: addr, value, retdest - MSTORE_32BYTES_24 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_25: - // stack: addr, value, retdest - MSTORE_32BYTES_25 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_26: - // stack: addr, value, retdest - MSTORE_32BYTES_26 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_27: - // stack: addr, value, retdest - MSTORE_32BYTES_27 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_28: - // stack: addr, value, retdest - MSTORE_32BYTES_28 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_29: - // stack: addr, value, retdest - MSTORE_32BYTES_29 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_30: - // stack: addr, value, retdest - MSTORE_32BYTES_30 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_31: - // stack: addr, value, retdest - MSTORE_32BYTES_31 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP -mstore_unpacking_32: - // stack: addr, value, retdest - MSTORE_32BYTES_32 - // stack: addr', retdest - SWAP1 - // stack: retdest, addr' - JUMP - -%macro mstore_unpacking - %stack (addr, value, len) -> (addr, value, len, %%after) - %jump(mstore_unpacking) -%%after: -%endmacro - -// Pre stack: addr, value, retdest -// Post stack: addr' -global mstore_unpacking_u64_LE: - %stack (addr, value) -> (0xff, value, addr, addr, value) - AND - MSTORE_GENERAL // First byte - DUP1 %add_const(1) - %stack (new_addr, addr, value) -> (0xff00, value, new_addr, addr, value) - AND %shr_const(8) - MSTORE_GENERAL // Second byte - DUP1 %add_const(2) - %stack (new_addr, addr, value) -> (0xff0000, value, new_addr, addr, value) - AND %shr_const(16) - MSTORE_GENERAL // Third byte - DUP1 %add_const(3) - %stack (new_addr, addr, value) -> (0xff000000, value, new_addr, addr, value) - AND %shr_const(24) - MSTORE_GENERAL // Fourth byte - DUP1 %add_const(4) - %stack (new_addr, addr, value) -> (0xff00000000, value, new_addr, addr, value) - AND %shr_const(32) - MSTORE_GENERAL // Fifth byte - DUP1 %add_const(5) - %stack (new_addr, addr, value) -> (0xff0000000000, value, new_addr, addr, value) - AND %shr_const(40) - MSTORE_GENERAL // Sixth byte - DUP1 %add_const(6) - %stack (new_addr, addr, value) -> (0xff000000000000, value, new_addr, addr, value) - AND %shr_const(48) - MSTORE_GENERAL // Seventh byte - DUP1 %add_const(7) - %stack (new_addr, addr, value) -> (0xff00000000000000, value, new_addr, addr, value) - AND %shr_const(56) - MSTORE_GENERAL // Eighth byte - %pop2 JUMP - -%macro mstore_unpacking_u64_LE - %stack (addr, value) -> (addr, value, %%after) - %jump(mstore_unpacking_u64_LE) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/memory/syscalls.asm b/evm/src/cpu/kernel/asm/memory/syscalls.asm deleted file mode 100644 index d20f2d0e6c..0000000000 --- a/evm/src/cpu/kernel/asm/memory/syscalls.asm +++ /dev/null @@ -1,256 +0,0 @@ -global sys_mload: - // stack: kexit_info, offset - DUP2 %ensure_reasonable_offset - // stack: kexit_info, offset - %charge_gas_const(@GAS_VERYLOW) - // stack: kexit_info, offset - DUP2 %add_const(32) - // stack: expanded_num_bytes, kexit_info, offset - %update_mem_bytes - // stack: kexit_info, offset - %stack(kexit_info, offset) -> (offset, 32, kexit_info) - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - // stack: addr, len, kexit_info - MLOAD_32BYTES - %stack (value, kexit_info) -> (kexit_info, value) - EXIT_KERNEL - -global sys_mstore: - // stack: kexit_info, offset, value - DUP2 %ensure_reasonable_offset - // stack: kexit_info, offset, value - %charge_gas_const(@GAS_VERYLOW) - // stack: kexit_info, offset, value - DUP2 %add_const(32) - // stack: expanded_num_bytes, kexit_info, offset, value - %update_mem_bytes - // stack: kexit_info, offset, value - %stack(kexit_info, offset, value) -> (offset, value, kexit_info) - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - // stack: addr, value, kexit_info - MSTORE_32BYTES_32 - POP - // stack: kexit_info - EXIT_KERNEL - -global sys_mstore8: - // stack: kexit_info, offset, value - DUP2 %ensure_reasonable_offset - // stack: kexit_info, offset, value - %charge_gas_const(@GAS_VERYLOW) - // stack: kexit_info, offset, value - DUP2 %increment - // stack: expanded_num_bytes, kexit_info, offset, value - %update_mem_bytes - // stack: kexit_info, offset, value - %stack (kexit_info, offset, value) -> (value, 0x100, offset, kexit_info) - MOD SWAP1 - %mstore_current(@SEGMENT_MAIN_MEMORY) - // stack: kexit_info - EXIT_KERNEL - -global sys_calldataload: - // stack: kexit_info, i - %charge_gas_const(@GAS_VERYLOW) - // stack: kexit_info, i - %mload_context_metadata(@CTX_METADATA_CALLDATA_SIZE) - %stack (calldata_size, kexit_info, i) -> (calldata_size, i, kexit_info, i) - LT %jumpi(calldataload_large_offset) - %stack (kexit_info, i) -> (@SEGMENT_CALLDATA, i, 32, kexit_info) - GET_CONTEXT - %build_address - // stack: addr, 32, kexit_info - MLOAD_32BYTES -sys_calldataload_after_mload_packing: - // stack: value, kexit_info - SWAP1 - EXIT_KERNEL - PANIC -calldataload_large_offset: - %stack (kexit_info, i) -> (kexit_info, 0) - EXIT_KERNEL - -// Macro for {CALLDATA, RETURNDATA}COPY (W_copy in Yellow Paper). -%macro wcopy(segment, context_metadata_size) - // stack: kexit_info, dest_offset, offset, size - %wcopy_charge_gas - - %stack (kexit_info, dest_offset, offset, size) -> (dest_offset, size, kexit_info, dest_offset, offset, size) - %add_or_fault - // stack: expanded_num_bytes, kexit_info, dest_offset, offset, size, kexit_info - DUP1 %ensure_reasonable_offset - %update_mem_bytes - - %mload_context_metadata($context_metadata_size) - // stack: total_size, kexit_info, dest_offset, offset, size - DUP4 - // stack: offset, total_size, kexit_info, dest_offset, offset, size - GT %jumpi(wcopy_large_offset) - - // stack: kexit_info, dest_offset, offset, size - GET_CONTEXT - PUSH $segment - // stack: segment, context, kexit_info, dest_offset, offset, size - %jump(wcopy_within_bounds) -%endmacro - -%macro wcopy_charge_gas - // stack: kexit_info, dest_offset, offset, size - PUSH @GAS_VERYLOW - DUP5 - // stack: size, Gverylow, kexit_info, dest_offset, offset, size - ISZERO %jumpi(wcopy_empty) - // stack: Gverylow, kexit_info, dest_offset, offset, size - DUP5 %num_bytes_to_num_words %mul_const(@GAS_COPY) ADD %charge_gas -%endmacro - - -codecopy_within_bounds: - // stack: total_size, segment, src_ctx, kexit_info, dest_offset, offset, size - POP -wcopy_within_bounds: - // stack: segment, src_ctx, kexit_info, dest_offset, offset, size - GET_CONTEXT - %stack (context, segment, src_ctx, kexit_info, dest_offset, offset, size) -> - (src_ctx, segment, offset, @SEGMENT_MAIN_MEMORY, dest_offset, context, size, wcopy_after, kexit_info) - %build_address - SWAP3 %build_address - // stack: DST, SRC, size, wcopy_after, kexit_info - %jump(memcpy_bytes) - -wcopy_empty: - // stack: Gverylow, kexit_info, dest_offset, offset, size - %charge_gas - %stack (kexit_info, dest_offset, offset, size) -> (kexit_info) - EXIT_KERNEL - - -codecopy_large_offset: - // stack: total_size, src_ctx, kexit_info, dest_offset, offset, size - %pop2 -wcopy_large_offset: - // offset is larger than the size of the {CALLDATA,CODE,RETURNDATA}. So we just have to write zeros. - // stack: kexit_info, dest_offset, offset, size - GET_CONTEXT - %stack (context, kexit_info, dest_offset, offset, size) -> - (context, @SEGMENT_MAIN_MEMORY, dest_offset, size, wcopy_after, kexit_info) - %build_address - %jump(memset) - -wcopy_after: - // stack: kexit_info - EXIT_KERNEL - -// Pre stack: kexit_info, dest_offset, offset, size -// Post stack: (empty) -global sys_calldatacopy: - %wcopy(@SEGMENT_CALLDATA, @CTX_METADATA_CALLDATA_SIZE) - -// Pre stack: kexit_info, dest_offset, offset, size -// Post stack: (empty) -global sys_returndatacopy: - DUP4 DUP4 %add_or_fault // Overflow check - %mload_context_metadata(@CTX_METADATA_RETURNDATA_SIZE) LT %jumpi(fault_exception) // Data len check - - %wcopy(@SEGMENT_RETURNDATA, @CTX_METADATA_RETURNDATA_SIZE) - -// Pre stack: kexit_info, dest_offset, offset, size -// Post stack: (empty) -global sys_codecopy: - // stack: kexit_info, dest_offset, offset, size - %wcopy_charge_gas - - %stack (kexit_info, dest_offset, offset, size) -> (dest_offset, size, kexit_info, dest_offset, offset, size) - %add_or_fault - // stack: expanded_num_bytes, kexit_info, dest_offset, offset, size, kexit_info - DUP1 %ensure_reasonable_offset - %update_mem_bytes - - GET_CONTEXT - %mload_context_metadata(@CTX_METADATA_CODE_SIZE) - // stack: code_size, ctx, kexit_info, dest_offset, offset, size - %codecopy_after_checks(@SEGMENT_CODE) - - -// Pre stack: kexit_info, address, dest_offset, offset, size -// Post stack: (empty) -global sys_extcodecopy: - %stack (kexit_info, address, dest_offset, offset, size) - -> (address, dest_offset, offset, size, kexit_info) - %u256_to_addr DUP1 %insert_accessed_addresses - // stack: cold_access, address, dest_offset, offset, size, kexit_info - PUSH @GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS - MUL - PUSH @GAS_WARMACCESS - ADD - // stack: Gaccess, address, dest_offset, offset, size, kexit_info - - DUP5 - // stack: size, Gaccess, address, dest_offset, offset, size, kexit_info - ISZERO %jumpi(sys_extcodecopy_empty) - - // stack: Gaccess, address, dest_offset, offset, size, kexit_info - DUP5 %num_bytes_to_num_words %mul_const(@GAS_COPY) ADD - %stack (gas, address, dest_offset, offset, size, kexit_info) -> (gas, kexit_info, address, dest_offset, offset, size) - %charge_gas - - %stack (kexit_info, address, dest_offset, offset, size) -> (dest_offset, size, kexit_info, address, dest_offset, offset, size) - %add_or_fault - // stack: expanded_num_bytes, kexit_info, address, dest_offset, offset, size - DUP1 %ensure_reasonable_offset - %update_mem_bytes - - %next_context_id - - %stack (ctx, kexit_info, address, dest_offset, offset, size) -> - (address, ctx, extcodecopy_contd, ctx, kexit_info, dest_offset, offset, size) - %jump(load_code) - -sys_extcodecopy_empty: - %stack (Gaccess, address, dest_offset, offset, size, kexit_info) -> (Gaccess, kexit_info) - %charge_gas - EXIT_KERNEL - -extcodecopy_contd: - // stack: code_size, ctx, kexit_info, dest_offset, offset, size - %codecopy_after_checks(@SEGMENT_CODE) - - -// The internal logic is similar to wcopy, but handles range overflow differently. -// It is used for both CODECOPY and EXTCODECOPY. -%macro codecopy_after_checks(segment) - // stack: total_size, src_ctx, kexit_info, dest_offset, offset, size - DUP1 DUP6 - // stack: offset, total_size, total_size, src_ctx, kexit_info, dest_offset, offset, size - GT %jumpi(codecopy_large_offset) - - PUSH $segment SWAP1 - // stack: total_size, segment, src_ctx, kexit_info, dest_offset, offset, size - DUP1 DUP8 DUP8 ADD - // stack: offset + size, total_size, total_size, segment, src_ctx, kexit_info, dest_offset, offset, size - LT %jumpi(codecopy_within_bounds) - - // stack: total_size, segment, src_ctx, kexit_info, dest_offset, offset, size - DUP7 DUP7 ADD - // stack: offset + size, total_size, segment, src_ctx, kexit_info, dest_offset, offset, size - SUB // extra_size = offset + size - total_size - // stack: extra_size, segment, src_ctx, kexit_info, dest_offset, offset, size - DUP1 DUP8 SUB - // stack: copy_size = size - extra_size, extra_size, segment, src_ctx, kexit_info, dest_offset, offset, size - - // Compute the new dest_offset after actual copies, at which we will start padding with zeroes. - DUP1 DUP7 ADD - // stack: new_dest_offset, copy_size, extra_size, segment, src_ctx, kexit_info, dest_offset, offset, size - - GET_CONTEXT - %stack (context, new_dest_offset, copy_size, extra_size, segment, src_ctx, kexit_info, dest_offset, offset, size) -> - (src_ctx, segment, offset, @SEGMENT_MAIN_MEMORY, dest_offset, context, copy_size, wcopy_large_offset, kexit_info, new_dest_offset, offset, extra_size) - %build_address - SWAP3 %build_address - // stack: DST, SRC, copy_size, wcopy_large_offset, kexit_info, new_dest_offset, offset, extra_size - %jump(memcpy_bytes) -%endmacro diff --git a/evm/src/cpu/kernel/asm/memory/txn_fields.asm b/evm/src/cpu/kernel/asm/memory/txn_fields.asm deleted file mode 100644 index a8c1c0788f..0000000000 --- a/evm/src/cpu/kernel/asm/memory/txn_fields.asm +++ /dev/null @@ -1,39 +0,0 @@ -// Load the given normalized transaction field from memory. -%macro mload_txn_field(field) - // Transaction fields are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: (empty) - PUSH $field - // stack: addr - MLOAD_GENERAL - // stack: value -%endmacro - -// Store the given normalized transaction field to memory. -%macro mstore_txn_field(field) - // Transaction fields are already scaled by their corresponding segment, - // effectively making them the direct memory position to read from / - // write to. - - // stack: value - PUSH $field - // stack: addr, value - SWAP1 - MSTORE_GENERAL - // stack: (empty) -%endmacro - -%macro origin - %mload_txn_field(@TXN_FIELD_ORIGIN) -%endmacro - -global sys_origin: - // stack: kexit_info - %charge_gas_const(@GAS_BASE) - // stack: kexit_info - %origin - // stack: origin, kexit_info - SWAP1 - EXIT_KERNEL diff --git a/evm/src/cpu/kernel/asm/mpt/accounts.asm b/evm/src/cpu/kernel/asm/mpt/accounts.asm deleted file mode 100644 index 0ee987b4c1..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/accounts.asm +++ /dev/null @@ -1,21 +0,0 @@ -// Return a pointer to the current account's data in the state trie. -%macro current_account_data - %address %mpt_read_state_trie - // stack: account_ptr - // account_ptr should be non-null as long as the prover provided the proper - // Merkle data. But a bad prover may not have, and we don't want return a - // null pointer for security reasons. - DUP1 ISZERO %jumpi(panic) - // stack: account_ptr -%endmacro - -// Returns a pointer to the root of the storage trie associated with the current account. -%macro current_storage_trie - // stack: (empty) - %current_account_data - // stack: account_ptr - %add_const(2) - // stack: storage_root_ptr_ptr - %mload_trie_data - // stack: storage_root_ptr -%endmacro diff --git a/evm/src/cpu/kernel/asm/mpt/delete/delete.asm b/evm/src/cpu/kernel/asm/mpt/delete/delete.asm deleted file mode 100644 index 913ba1fcfb..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/delete/delete.asm +++ /dev/null @@ -1,45 +0,0 @@ -// Return a copy of the given node with the given key deleted. -// Assumes that the key is in the trie. -// -// Pre stack: node_ptr, num_nibbles, key, retdest -// Post stack: updated_node_ptr -global mpt_delete: - // stack: node_ptr, num_nibbles, key, retdest - DUP1 %mload_trie_data - // stack: node_type, node_ptr, num_nibbles, key, retdest - // Increment node_ptr, so it points to the node payload instead of its type. - SWAP1 %increment SWAP1 - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - - DUP1 %eq_const(@MPT_NODE_BRANCH) %jumpi(mpt_delete_branch) - DUP1 %eq_const(@MPT_NODE_EXTENSION) %jumpi(mpt_delete_extension) - DUP1 %eq_const(@MPT_NODE_LEAF) %jumpi(mpt_delete_leaf) - %eq_const(@MPT_NODE_EMPTY) %jumpi(panic) // This should never happen. - PANIC - -mpt_delete_leaf: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - %pop4 - PUSH 0 // empty node ptr - SWAP1 JUMP - -global delete_account: - %stack (address, retdest) -> (address, delete_account_save, retdest) - %addr_to_state_key - // stack: key, delete_account_save, retdest - PUSH 64 - // stack: 64, key, delete_account_save, retdest - %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - // stack: state_root_prt, 64, key, delete_account_save, retdest - %jump(mpt_delete) -delete_account_save: - // stack: updated_state_root_ptr, retdest - %mstore_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - JUMP - -%macro delete_account - %stack (address) -> (address, %%after) - %jump(delete_account) -%%after: - // stack: (empty) -%endmacro \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/mpt/delete/delete_branch.asm b/evm/src/cpu/kernel/asm/mpt/delete/delete_branch.asm deleted file mode 100644 index 64187ac83a..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/delete/delete_branch.asm +++ /dev/null @@ -1,130 +0,0 @@ -// Delete from a branch node. -// Algorithm is roughly: -// - Delete `(num_nibbles-1, key[1:])` from `branch[key[0]]`. -// - If the returned node is non-empty, update the branch node and return it. -// - Otherwise, count the number of non-empty children of the branch node. -// - If there are more than one, update the branch node and return it. -// - If there is exactly one, transform the branch node into an leaf/extension node and return it. -// Assumes that `num_nibbles>0` and that the value of the branch node is zero. -// TODO: May need to revisit these assumptions depending on how the receipt trie is implemented. -global mpt_delete_branch: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - POP - // stack: node_payload_ptr, num_nibbles, key, retdest - DUP2 ISZERO %jumpi(panic) // This should never happen. - DUP3 DUP3 - // stack: num_nibbles, key, node_payload_ptr, num_nibbles, key, retdest - %split_first_nibble - %stack (first_nibble, num_nibbles, key, node_payload_ptr, old_num_nibbles, old_key) -> - (node_payload_ptr, first_nibble, num_nibbles, key, after_mpt_delete_branch, first_nibble, node_payload_ptr) - ADD - // stack: child_ptr_ptr, num_nibbles, key, after_mpt_delete_branch, first_nibble, node_payload_ptr, retdest - %mload_trie_data - %jump(mpt_delete) - -after_mpt_delete_branch: - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - // If the updated child is empty, check if we need to normalize the branch node. - DUP1 %mload_trie_data ISZERO %jumpi(maybe_normalize_branch) - -// Set `branch[first_nibble] = updated_child_ptr`. -update_branch: - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP3 DUP3 ADD - // stack: node_payload_ptr+first_nibble, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %mstore_trie_data - %stack (first_nibble, node_payload_ptr, retdest) -> (node_payload_ptr, 1, retdest) - SUB - // stack: node_ptr, retdest - SWAP1 - JUMP - -// The updated child is empty. Count how many non-empty children the branch node has. -// If it's one, transform the branch node into an leaf/extension node and return it. -maybe_normalize_branch: - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - PUSH 0 - PUSH @SEGMENT_KERNEL_GENERAL - MSTORE_32BYTES_2 - POP - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - PUSH 0 -// Loop from i=0..16 excluding `first_nibble` and store the number of non-empty children in -// KernelGeneral[0]. Also store the last non-empty child in KernelGeneral[1]. -loop: - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP1 DUP4 EQ %jumpi(loop_eq_first_nibble) - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP1 %eq_const(16) %jumpi(loop_end) - DUP1 DUP5 ADD %mload_trie_data %mload_trie_data ISZERO ISZERO %jumpi(loop_non_empty) - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %increment %jump(loop) -loop_eq_first_nibble: - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %increment %jump(loop) -loop_non_empty: - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %mload_kernel_no_offset(@SEGMENT_KERNEL_GENERAL) %increment %mstore_kernel_no_offset(@SEGMENT_KERNEL_GENERAL) - PUSH 1 PUSH @SEGMENT_KERNEL_GENERAL %build_kernel_address - DUP2 - MSTORE_GENERAL - %increment %jump(loop) -loop_end: - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - POP - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - // If there's more than one non-empty child, simply update the branch node. - %mload_kernel_no_offset(@SEGMENT_KERNEL_GENERAL) %gt_const(1) %jumpi(update_branch) - %mload_kernel_no_offset(@SEGMENT_KERNEL_GENERAL) ISZERO %jumpi(panic) // This should never happen. - // Otherwise, transform the branch node into a leaf/extension node. - // stack: updated_child_ptr, first_nibble, node_payload_ptr, retdest - %mload_kernel_general(1) - // stack: i, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP4 ADD %mload_trie_data - // stack: only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP1 %mload_trie_data %eq_const(@MPT_NODE_BRANCH) %jumpi(maybe_normalize_branch_branchhash) - DUP1 %mload_trie_data %eq_const(@MPT_NODE_HASH) %jumpi(maybe_normalize_branch_branchhash) - DUP1 %mload_trie_data %eq_const(@MPT_NODE_EXTENSION) %jumpi(maybe_normalize_branch_leafext) - DUP1 %mload_trie_data %eq_const(@MPT_NODE_LEAF) %jumpi(maybe_normalize_branch_leafext) - PANIC // This should never happen. - -// The only child of the branch node is a branch node or a hash node. -// Transform the branch node into an extension node of length 1. -// This assumes that the hash node does not contain a leaf or an extension node (in which case this implementation is incorrect). -maybe_normalize_branch_branchhash: - // stack: only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %get_trie_data_size // pointer to the extension node we're about to create - // stack: extension_ptr, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - PUSH @MPT_NODE_EXTENSION %append_to_trie_data - // stack: extension_ptr, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - PUSH 1 %append_to_trie_data // Append node_len to our node - // stack: extension_ptr, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %mload_kernel_general(1) %append_to_trie_data // Append node_key to our node - // stack: extension_ptr, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - SWAP1 %append_to_trie_data // Append updated_child_node_ptr to our node - %stack (extension_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest) -> (retdest, extension_ptr) - JUMP - -// The only child of the branch node is a leaf/extension node. -// Transform the branch node into an leaf/extension node of length 1+len(child). -// For that, return the modified child as the new node. -maybe_normalize_branch_leafext: - // stack: only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP1 %increment %mload_trie_data - // stack: child_len, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - DUP2 %add_const(2) %mload_trie_data - // stack: child_key, child_len, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr, retdest - %mload_kernel_general(1) - %stack (i, child_key, child_len, only_child_ptr, updated_child_ptr, first_nibble, node_payload_ptr) -> - (1, i, child_len, child_key, only_child_ptr) - %merge_nibbles - // stack: len, key, only_child_ptr,retdest - DUP3 - // stack: node_ptr, len, key, only_child_ptr, retdest - SWAP1 DUP2 - // stack: node_ptr, len, node_ptr, key, only_child_ptr, retdest - %increment %mstore_trie_data // Change len in the child node - // stack: node_ptr, key, only_child_ptr, retdest - %add_const(2) %mstore_trie_data // Change key in the child node - // stack: node_ptr, retdest - SWAP1 JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/delete/delete_extension.asm b/evm/src/cpu/kernel/asm/mpt/delete/delete_extension.asm deleted file mode 100644 index 0627fcba6a..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/delete/delete_extension.asm +++ /dev/null @@ -1,79 +0,0 @@ -// Delete from an extension node. -// Algorithm is roughly: -// - Let `k = length(node)` -// - Delete `(num_nibbles-k, key[k:])` from `node.child`. -// - If the returned child node is a branch node, the current node is replaced with an extension node with updated child. -// - If the returned child node is an extension node, we merge the two extension nodes into one extension node. -// - If the returned child node is a leaf node, we merge the two nodes into one leaf node. -global mpt_delete_extension: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - POP - // stack: node_payload_ptr, num_nibbles, key, retdest - DUP1 %mload_trie_data - // stack: node_len, node_payload_ptr, num_nibbles, key, retdest - DUP2 %increment %mload_trie_data - %stack (node_key, node_len, node_payload_ptr, num_nibbles, key, retdest) -> - (node_len, num_nibbles, key, node_payload_ptr, node_len, node_key, retdest) - %truncate_nibbles - // stack: num_nibbles, key, node_payload_ptr, node_len, node_key, retdest - SWAP2 - // stack: node_payload_ptr, key, num_nibbles, node_len, node_key, retdest - DUP1 %add_const(2) %mload_trie_data - %stack (node_child_ptr, node_payload_ptr, key, num_nibbles, node_len, node_key, retdest) -> - (node_child_ptr, num_nibbles, key, after_mpt_delete_extension, node_payload_ptr, node_len, node_key, retdest) - %jump(mpt_delete) - -after_mpt_delete_extension: - // stack: updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - DUP1 %mload_trie_data - // stack: child_type, updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - DUP1 %eq_const(@MPT_NODE_BRANCH) %jumpi(after_mpt_delete_extension_branch) - DUP1 %eq_const(@MPT_NODE_EXTENSION) %jumpi(after_mpt_delete_extension_extension) - DUP1 %eq_const(@MPT_NODE_LEAF) %jumpi(after_mpt_delete_extension_leaf) - %eq_const(@MPT_NODE_EMPTY) %jumpi(panic) // This should never happen. - PANIC - -after_mpt_delete_extension_branch: - // stack: child_type, updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - POP - // stack: updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - DUP2 %add_const(2) %mstore_trie_data - // stack: node_payload_ptr, node_len, node_key, retdest - %decrement - %stack (extension_ptr, node_len, node_key, retdest) -> (retdest, extension_ptr) - JUMP - -after_mpt_delete_extension_extension: - // stack: child_type, updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - POP SWAP1 POP - // stack: updated_child_node_ptr, node_len, node_key, retdest - DUP1 %increment %mload_trie_data - // stack: child_len, updated_child_node_ptr, node_len, node_key, retdest - DUP2 %add_const(2) %mload_trie_data - // stack: child_key, child_len, updated_child_node_ptr, node_len, node_key, retdest - %stack (child_key, child_len, updated_child_node_ptr, node_len, node_key) -> (node_len, node_key, child_len, child_key, updated_child_node_ptr) - %merge_nibbles - // stack: len, key, updated_child_node_ptr, retdest - DUP3 %increment %mstore_trie_data // Change len - // stack: key, updated_child_node_ptr, retdest - DUP2 %add_const(2) %mstore_trie_data // Change key - // stack: extension_ptr, retdest - SWAP1 JUMP - -// Essentially the same as `after_mpt_delete_extension_extension`. TODO: Could merge in a macro or common function. -after_mpt_delete_extension_leaf: - // stack: child_type, updated_child_node_ptr, node_payload_ptr, node_len, node_key, retdest - POP SWAP1 POP - // stack: updated_child_node_ptr, node_len, node_key, retdest - DUP1 %increment %mload_trie_data - // stack: child_len, updated_child_node_ptr, node_len, node_key, retdest - DUP2 %add_const(2) %mload_trie_data - // stack: child_key, child_len, updated_child_node_ptr, node_len, node_key, retdest - %stack (child_key, child_len, updated_child_node_ptr, node_len, node_key) -> (node_len, node_key, child_len, child_key, updated_child_node_ptr) - %merge_nibbles - // stack: len, key, updated_child_node_ptr, retdest - DUP3 %increment %mstore_trie_data // Change len - // stack: key, updated_child_node_ptr, retdest - DUP2 %add_const(2) %mstore_trie_data // Change key - // stack: updated_child_node_ptr, retdest - SWAP1 JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/hash/hash.asm b/evm/src/cpu/kernel/asm/mpt/hash/hash.asm deleted file mode 100644 index 9acde9ce78..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/hash/hash.asm +++ /dev/null @@ -1,288 +0,0 @@ -// Computes the Merkle root of the given trie node. -// -// encode_value is a function which should take as input -// - the position within @SEGMENT_RLP_RAW to write to, -// - the offset of a value within @SEGMENT_TRIE_DATA, -// - a return address, and -// - the current length of @SEGMENT_TRIE_DATA -// It should serialize the value, write it to @SEGMENT_RLP_RAW starting at the -// given position, and return an updated position (the next unused offset) as well -// as an updated length for @SEGMENT_TRIE_DATA. -// -// Given the initial length of the `TrieData` segment, it also updates the length -// for the current trie. -// -// Pre stack: node_ptr, encode_value, cur_len, retdest -// Post stack: hash, new_len -global mpt_hash: - // stack: node_ptr, encode_value, cur_len, retdest - %stack (node_ptr, encode_value, cur_len) -> (node_ptr, encode_value, cur_len, mpt_hash_hash_if_rlp) - %jump(encode_or_hash_node) -mpt_hash_hash_if_rlp: - // stack: result, result_len, new_len, retdest - // If result_len < 32, then we have an RLP blob, and we need to hash it. - DUP2 %lt_const(32) %jumpi(mpt_hash_hash_rlp) - // Otherwise, we already have a hash, so just return it. - // stack: result, result_len, new_len, retdest - %stack (result, result_len, new_len, retdest) -> (retdest, result, new_len) - JUMP -mpt_hash_hash_rlp: - // stack: result, result_len, new_len, retdest - %stack (result, result_len, new_len) - -> (@SEGMENT_RLP_RAW, result, result_len, mpt_hash_hash_rlp_after_unpacking, result_len, new_len) - // stack: addr, result, result_len, mpt_hash_hash_rlp_after_unpacking, result_len, new_len - %jump(mstore_unpacking) -mpt_hash_hash_rlp_after_unpacking: - // stack: result_addr, result_len, new_len, retdest - POP PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - // stack: result_addr, result_len, new_len, retdest - KECCAK_GENERAL - // stack: hash, new_len, retdest - %stack(hash, new_len, retdest) -> (retdest, hash, new_len) - JUMP - -// Given a trie node, return its RLP encoding if it is is less than 32 bytes, -// otherwise return the Keccak256 hash of its RLP encoding. -// -// The result is given as a (value, length) pair, where the length is given -// in bytes. -// -// Pre stack: node_ptr, encode_value, cur_len, retdest -// Post stack: result, result_len, cur_len -global encode_or_hash_node: - DUP1 %mload_trie_data - - // Check if we're dealing with a concrete node, i.e. not a hash node. - // stack: node_type, node_ptr, encode_value, cur_len, retdest - DUP1 - PUSH @MPT_NODE_HASH - SUB - %jumpi(encode_or_hash_concrete_node) - - // If we got here, node_type == @MPT_NODE_HASH. - // Load the hash and return (hash, 32). - // stack: node_type, node_ptr, encode_value, cur_len, retdest - POP - - // stack: node_ptr, encode_value, cur_len, retdest - %increment // Skip over node type prefix - // stack: hash_ptr, encode_value, cur_len, retdest - %mload_trie_data - // stack: hash, encode_value, cur_len, retdest - // Update the length of the `TrieData` segment: there are only two - // elements in a hash node. - SWAP2 %add_const(2) - %stack (cur_len, encode_value, hash, retdest) -> (retdest, hash, 32, cur_len) - JUMP -encode_or_hash_concrete_node: - %stack (node_type, node_ptr, encode_value, cur_len) -> (node_type, node_ptr, encode_value, cur_len, maybe_hash_node) - %jump(encode_node) -maybe_hash_node: - // stack: result_addr, result_len, cur_len, retdest - DUP2 %lt_const(32) - %jumpi(pack_small_rlp) - - // result_len >= 32, so we hash the result. - // stack: result_addr, result_len, cur_len, retdest - KECCAK_GENERAL - %stack (hash, cur_len, retdest) -> (retdest, hash, 32, cur_len) - JUMP -pack_small_rlp: - // stack: result_ptr, result_len, cur_len, retdest - %stack (result_ptr, result_len, cur_len) - -> (result_ptr, result_len, result_len, cur_len) - MLOAD_32BYTES -after_packed_small_rlp: - %stack (result, result_len, cur_len, retdest) -> (retdest, result, result_len, cur_len) - JUMP - -// RLP encode the given trie node, and return an (pointer, length) pair -// indicating where the data lives within @SEGMENT_RLP_RAW. -// -// Pre stack: node_type, node_ptr, encode_value, cur_len, retdest -// Post stack: result_ptr, result_len, cur_len -encode_node: - // stack: node_type, node_ptr, encode_value, cur_len, retdest - // Increment node_ptr, so it points to the node payload instead of its type. - SWAP1 %increment SWAP1 - // stack: node_type, node_payload_ptr, encode_value, cur_len, retdest - - DUP1 %eq_const(@MPT_NODE_EMPTY) %jumpi(encode_node_empty) - DUP1 %eq_const(@MPT_NODE_BRANCH) %jumpi(encode_node_branch) - DUP1 %eq_const(@MPT_NODE_EXTENSION) %jumpi(encode_node_extension) - DUP1 %eq_const(@MPT_NODE_LEAF) %jumpi(encode_node_leaf) - - // If we got here, node_type is either @MPT_NODE_HASH, which should have - // been handled earlier in encode_or_hash_node, or something invalid. - PANIC - -global encode_node_empty: - // stack: node_type, node_payload_ptr, encode_value, cur_len, retdest - %pop3 - %stack (cur_len, retdest) -> (retdest, @ENCODED_EMPTY_NODE_POS, 1, cur_len) - JUMP - -global encode_node_branch: - // stack: node_type, node_payload_ptr, encode_value, cur_len, retdest - POP - - // `TrieData` stores the node type, 16 children pointers, and a value pointer. - SWAP2 %add_const(18) SWAP2 - // stack: node_payload_ptr, encode_value, cur_len, retdest - - // Allocate a block of RLP memory - %alloc_rlp_block DUP1 - // stack: rlp_pos, rlp_start, node_payload_ptr, encode_value, cur_len retdest - - // Call encode_or_hash_node on each child - %encode_child(0) %encode_child(1) %encode_child(2) %encode_child(3) - %encode_child(4) %encode_child(5) %encode_child(6) %encode_child(7) - %encode_child(8) %encode_child(9) %encode_child(10) %encode_child(11) - %encode_child(12) %encode_child(13) %encode_child(14) %encode_child(15) - - // stack: rlp_pos', rlp_start, node_payload_ptr, encode_value, cur_len, retdest - - %stack (rlp_pos, rlp_start, node_payload_ptr) - -> (node_payload_ptr, rlp_pos, rlp_start) - %add_const(16) - // stack: value_ptr_ptr, rlp_pos', rlp_start, encode_value, cur_len, retdest - %mload_trie_data - // stack: value_ptr, rlp_pos', rlp_start, encode_value, cur_len, retdest - DUP1 %jumpi(encode_node_branch_with_value) - - // No value; append the empty string (0x80). - // stack: value_ptr, rlp_pos', rlp_start, encode_value, cur_len, retdest - %stack (value_ptr, rlp_pos, rlp_start, encode_value) -> (0x80, rlp_pos, rlp_pos, rlp_start) - MSTORE_GENERAL - // stack: rlp_pos', rlp_start, cur_len, retdest - %increment - // stack: rlp_pos'', rlp_start, cur_len, retdest - %jump(encode_node_branch_prepend_prefix) -encode_node_branch_with_value: - // stack: value_ptr, rlp_pos', rlp_start, encode_value, cur_len, retdest - %stack (value_ptr, rlp_pos, rlp_start, encode_value, cur_len) - -> (encode_value, rlp_pos, value_ptr, cur_len, encode_node_branch_after_value, rlp_start) - JUMP // call encode_value -encode_node_branch_after_value: - // stack: rlp_pos'', cur_len, rlp_start, retdest - %stack(rlp_pos, cur_len, rlp_start, retdest) -> (rlp_pos, rlp_start, cur_len, retdest) -encode_node_branch_prepend_prefix: - // stack: rlp_pos'', rlp_start, cur_len, retdest - %prepend_rlp_list_prefix - // stack: rlp_prefix_start, rlp_len, cur_len, retdest - %stack (rlp_prefix_start, rlp_len, cur_len, retdest) - -> (retdest, rlp_prefix_start, rlp_len, cur_len) - JUMP - - -// Part of the encode_node_branch function. Encodes the i'th child. -%macro encode_child(i) - // stack: rlp_pos, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - PUSH %%after_encode - DUP6 DUP6 DUP6 - // stack: node_payload_ptr, encode_value, cur_len, %%after_encode, rlp_pos, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - %add_const($i) %mload_trie_data - // stack: child_i_ptr, encode_value, cur_len, %%after_encode, rlp_pos, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - %jump(encode_or_hash_node) -%%after_encode: - // stack: result, result_len, cur_len, rlp_pos, rlp_start, node_payload_ptr, encode_value, old_len, retdest - // If result_len != 32, result is raw RLP, with an appropriate RLP prefix already. - SWAP1 - PUSH 32 DUP2 SUB - %jumpi(%%unpack) - // Otherwise, result is a hash, and we need to add the prefix 0x80 + 32 = 160. - // stack: result_len, result, cur_len, rlp_pos, rlp_start, node_payload_ptr, encode_value, old_len, retdest - DUP4 // rlp_pos - PUSH 160 - MSTORE_GENERAL - SWAP3 %increment SWAP3 // rlp_pos += 1 -%%unpack: - %stack (result_len, result, cur_len, rlp_pos, rlp_start, node_payload_ptr, encode_value, old_len, retdest) - -> (rlp_pos, result, result_len, %%after_unpacking, - rlp_start, node_payload_ptr, encode_value, cur_len, retdest) - %jump(mstore_unpacking) -%%after_unpacking: - // stack: rlp_pos', rlp_start, node_payload_ptr, encode_value, cur_len, retdest -%endmacro - -global encode_node_extension: - // stack: node_type, node_payload_ptr, encode_value, cur_len, retdest - SWAP3 %add_const(4) SWAP3 - %stack (node_type, node_payload_ptr, encode_value, cur_len) - -> (node_payload_ptr, encode_value, cur_len, encode_node_extension_after_encode_child, node_payload_ptr) - %add_const(2) %mload_trie_data - // stack: child_ptr, encode_value, cur_len, encode_node_extension_after_encode_child, node_payload_ptr, retdest - %jump(encode_or_hash_node) -encode_node_extension_after_encode_child: - // stack: result, result_len, cur_len, node_payload_ptr, retdest - %stack (result, result_len, cur_len, node_payload_ptr) -> (result, result_len, node_payload_ptr, cur_len) - %alloc_rlp_block - // stack: rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - PUSH encode_node_extension_after_hex_prefix // retdest - PUSH 0 // terminated - // stack: terminated, encode_node_extension_after_hex_prefix, rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - DUP6 %increment %mload_trie_data // Load the packed_nibbles field, which is at index 1. - // stack: packed_nibbles, terminated, encode_node_extension_after_hex_prefix, rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - DUP7 %mload_trie_data // Load the num_nibbles field, which is at index 0. - // stack: num_nibbles, packed_nibbles, terminated, encode_node_extension_after_hex_prefix, rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - DUP5 - // stack: rlp_start, num_nibbles, packed_nibbles, terminated, encode_node_extension_after_hex_prefix, rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - %jump(hex_prefix_rlp) -encode_node_extension_after_hex_prefix: - // stack: rlp_pos, rlp_start, result, result_len, node_payload_ptr, cur_len, retdest - // If result_len != 32, result is raw RLP, with an appropriate RLP prefix already. - PUSH 32 DUP5 SUB - %jumpi(encode_node_extension_unpack) - // Otherwise, result is a hash, and we need to add the prefix 0x80 + 32 = 160. - DUP1 // rlp_pos - PUSH 160 - MSTORE_GENERAL - %increment // rlp_pos += 1 -encode_node_extension_unpack: - %stack (rlp_pos, rlp_start, result, result_len, node_payload_ptr, cur_len) - -> (rlp_pos, result, result_len, encode_node_extension_after_unpacking, rlp_start, cur_len) - %jump(mstore_unpacking) -encode_node_extension_after_unpacking: - // stack: rlp_pos, rlp_start, cur_len, retdest - %prepend_rlp_list_prefix - %stack (rlp_prefix_start_pos, rlp_len, cur_len, retdest) - -> (retdest, rlp_prefix_start_pos, rlp_len, cur_len) - JUMP - -global encode_node_leaf: - // stack: node_type, node_payload_ptr, encode_value, cur_len, retdest - POP - // stack: node_payload_ptr, encode_value, cur_len, retdest - %alloc_rlp_block - PUSH encode_node_leaf_after_hex_prefix // retdest - PUSH 1 // terminated - // stack: terminated, encode_node_leaf_after_hex_prefix, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - DUP4 %increment %mload_trie_data // Load the packed_nibbles field, which is at index 1. - // stack: packed_nibbles, terminated, encode_node_leaf_after_hex_prefix, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - DUP5 %mload_trie_data // Load the num_nibbles field, which is at index 0. - // stack: num_nibbles, packed_nibbles, terminated, encode_node_leaf_after_hex_prefix, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - DUP5 - // stack: rlp_start, num_nibbles, packed_nibbles, terminated, encode_node_leaf_after_hex_prefix, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - %jump(hex_prefix_rlp) -encode_node_leaf_after_hex_prefix: - // stack: rlp_pos, rlp_start, node_payload_ptr, encode_value, cur_len, retdest - SWAP2 - %add_const(2) // The value pointer starts at index 3, after num_nibbles and packed_nibbles. - // stack: value_ptr_ptr, rlp_start, rlp_pos, encode_value, cur_len, retdest - %mload_trie_data - // stack: value_ptr, rlp_start, rlp_pos, encode_value, cur_len, retdest - %stack (value_ptr, rlp_start, rlp_pos, encode_value, cur_len, retdest) - -> (encode_value, rlp_pos, value_ptr, cur_len, encode_node_leaf_after_encode_value, rlp_start, retdest) - JUMP -encode_node_leaf_after_encode_value: - // stack: rlp_end_pos, cur_len, rlp_start, retdest - // `TrieData` holds the node type, the number of nibbles, the nibbles, - // the pointer to the value and the value. - // We add 4 for the node type, the number of nibbles, the nibbles - // and the pointer to the value. - SWAP1 %add_const(4) - %stack(cur_len, rlp_end_pos, rlp_start, retdest) -> (rlp_end_pos, rlp_start, cur_len, retdest) - %prepend_rlp_list_prefix - %stack (rlp_prefix_start_pos, rlp_len, cur_len, retdest) - -> (retdest, rlp_prefix_start_pos, rlp_len, cur_len) - JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/hash/hash_trie_specific.asm b/evm/src/cpu/kernel/asm/mpt/hash/hash_trie_specific.asm deleted file mode 100644 index cd07c01fdc..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/hash/hash_trie_specific.asm +++ /dev/null @@ -1,355 +0,0 @@ -// Hashing logic specific to a particular trie. - -global mpt_hash_state_trie: - // stack: cur_len, retdest - PUSH encode_account - %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - // stack: node_ptr, encode_account, cur_len, retdest - %jump(mpt_hash) - -%macro mpt_hash_state_trie - // stack: cur_len - PUSH %%after - SWAP1 - %jump(mpt_hash_state_trie) -%%after: -%endmacro - -global mpt_hash_storage_trie: - // stack: node_ptr, cur_len, retdest - %stack (node_ptr, cur_len) -> (node_ptr, encode_storage_value, cur_len) - %jump(mpt_hash) - -%macro mpt_hash_storage_trie - %stack (node_ptr, cur_len) -> (node_ptr, cur_len, %%after) - %jump(mpt_hash_storage_trie) -%%after: -%endmacro - -global mpt_hash_txn_trie: - // stack: cur_len, retdest - PUSH encode_txn - %mload_global_metadata(@GLOBAL_METADATA_TXN_TRIE_ROOT) - // stack: node_ptr, encode_txn, cur_len, retdest - %jump(mpt_hash) - -%macro mpt_hash_txn_trie - // stack: cur_len - PUSH %%after - SWAP1 - %jump(mpt_hash_txn_trie) -%%after: -%endmacro - -global mpt_hash_receipt_trie: - // stack: cur_len, retdest - PUSH encode_receipt - %mload_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_ROOT) - // stack: node_ptr, encode_receipt, cur_len, retdest - %jump(mpt_hash) - -%macro mpt_hash_receipt_trie - // stack: cur_len - PUSH %%after - SWAP1 - %jump(mpt_hash_receipt_trie) -%%after: -%endmacro - -global encode_account: - // stack: rlp_addr, value_ptr, cur_len, retdest - // First, we compute the length of the RLP data we're about to write. - // We also update the length of the trie data segment. - // The nonce and balance fields are variable-length, so we need to load them - // to determine their contribution, while the other two fields are fixed - // 32-bytes integers. - - // First, we add 4 to the trie data length, for the nonce, - // the balance, the storage pointer and the code hash. - SWAP2 %add_const(4) SWAP2 - - // Now, we start the encoding. - // stack: rlp_addr, value_ptr, cur_len, retdest - DUP2 %mload_trie_data // nonce = value[0] - %rlp_scalar_len - // stack: nonce_rlp_len, rlp_addr, value_ptr, cur_len, retdest - DUP3 %increment %mload_trie_data // balance = value[1] - %rlp_scalar_len - // stack: balance_rlp_len, nonce_rlp_len, rlp_addr, value_ptr, cur_len, retdest - PUSH 66 // storage_root and code_hash fields each take 1 + 32 bytes - ADD ADD - // stack: payload_len, rlp_addr, value_ptr, cur_len, retdest - SWAP1 - // stack: rlp_addr, payload_len, value_ptr, cur_len, retdest - DUP2 %rlp_list_len - // stack: list_len, rlp_addr, payload_len, value_ptr, cur_len, retdest - SWAP1 - // stack: rlp_addr, list_len, payload_len, value_ptr, cur_len, retdest - %encode_rlp_multi_byte_string_prefix - // stack: rlp_pos_2, payload_len, value_ptr, cur_len, retdest - %encode_rlp_list_prefix - // stack: rlp_pos_3, value_ptr, cur_len, retdest - DUP2 %mload_trie_data // nonce = value[0] - // stack: nonce, rlp_pos_3, value_ptr, cur_len, retdest - SWAP1 %encode_rlp_scalar - // stack: rlp_pos_4, value_ptr, cur_len, retdest - DUP2 %increment %mload_trie_data // balance = value[1] - // stack: balance, rlp_pos_4, value_ptr, cur_len, retdest - SWAP1 %encode_rlp_scalar - // stack: rlp_pos_5, value_ptr, cur_len, retdest - DUP3 - DUP3 %add_const(2) %mload_trie_data // storage_root_ptr = value[2] - // stack: storage_root_ptr, cur_len, rlp_pos_5, value_ptr, cur_len, retdest - - - PUSH debug_after_hash_storage_trie - POP - - // Hash storage trie. - %mpt_hash_storage_trie - // stack: storage_root_digest, new_len, rlp_pos_5, value_ptr, cur_len, retdest - %stack(storage_root_digest, new_len, rlp_pos_five, value_ptr, cur_len) -> (rlp_pos_five, storage_root_digest, value_ptr, new_len) - %encode_rlp_256 - // stack: rlp_pos_6, value_ptr, new_len, retdest - SWAP1 %add_const(3) %mload_trie_data // code_hash = value[3] - // stack: code_hash, rlp_pos_6, new_len, retdest - SWAP1 %encode_rlp_256 - // stack: rlp_pos_7, new_len, retdest - %stack(rlp_pos_7, new_len, retdest) -> (retdest, rlp_pos_7, new_len) - JUMP - -global encode_txn: - // stack: rlp_addr, value_ptr, cur_len, retdest - - // Load the txn_rlp_len which is at the beginning of value_ptr - DUP2 %mload_trie_data - // stack: txn_rlp_len, rlp_addr, value_ptr, cur_len, retdest - // We need to add 1+txn_rlp_len to the length of the trie data. - SWAP3 DUP4 %increment ADD - // stack: new_len, rlp_addr, value_ptr, txn_rlp_len, retdest - SWAP3 - SWAP2 %increment - // stack: txn_rlp_ptr=value_ptr+1, rlp_addr, txn_rlp_len, new_len, retdest - - %stack (txn_rlp_ptr, rlp_addr, txn_rlp_len) -> (rlp_addr, txn_rlp_len, txn_rlp_len, txn_rlp_ptr) - // Encode the txn rlp prefix - // stack: rlp_addr, txn_rlp_len, txn_rlp_len, txn_rlp_ptr, cur_len, retdest - %encode_rlp_multi_byte_string_prefix - // copy txn_rlp to the new block - // stack: rlp_addr, txn_rlp_len, txn_rlp_ptr, new_len, retdest - %stack (rlp_addr, txn_rlp_len, txn_rlp_ptr) -> ( - @SEGMENT_TRIE_DATA, txn_rlp_ptr, // src addr. Kernel has context 0 - rlp_addr, // dest addr - txn_rlp_len, // mcpy len - txn_rlp_len, rlp_addr) - %build_kernel_address - SWAP1 - // stack: DST, SRC, txn_rlp_len, txn_rlp_len, rlp_addr, new_len, retdest - %memcpy_bytes - ADD - // stack new_rlp_addr, new_len, retdest - %stack(new_rlp_addr, new_len, retdest) -> (retdest, new_rlp_addr, new_len) - JUMP - -// We assume a receipt in memory is stored as: -// [payload_len, status, cum_gas_used, bloom, logs_payload_len, num_logs, [logs]]. -// A log is [payload_len, address, num_topics, [topics], data_len, [data]]. -global encode_receipt: - // stack: rlp_addr, value_ptr, cur_len, retdest - // First, we add 261 to the trie data length for all values before the logs besides the type. - // These are: the payload length, the status, cum_gas_used, the bloom filter (256 elements), - // the length of the logs payload and the length of the logs. - SWAP2 %add_const(261) SWAP2 - // There is a double encoding! - // What we compute is: - // - either RLP(RLP(receipt)) for Legacy transactions - // - or RLP(txn_type||RLP(receipt)) for transactions of type 1 or 2. - // First encode the wrapper prefix. - DUP2 %mload_trie_data - // stack: first_value, rlp_addr, value_ptr, cur_len, retdest - // The first value is either the transaction type or the payload length. - // Since the receipt contains at least the 256-bytes long bloom filter, payload_len > 3. - DUP1 %lt_const(3) %jumpi(encode_nonzero_receipt_type) - // If we are here, then the first byte is the payload length. - %rlp_list_len - // stack: rlp_receipt_len, rlp_addr, value_ptr, cur_len, retdest - SWAP1 %encode_rlp_multi_byte_string_prefix - // stack: rlp_addr, value_ptr, cur_len, retdest - -encode_receipt_after_type: - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - // Then encode the receipt prefix. - // `payload_ptr` is either `value_ptr` or `value_ptr+1`, depending on the transaction type. - DUP2 %mload_trie_data - // stack: payload_len, rlp_addr, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_list_prefix - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - // Encode status. - DUP2 %increment %mload_trie_data - // stack: status, rlp_addr, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_scalar - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - // Encode cum_gas_used. - DUP2 %add_const(2) %mload_trie_data - // stack: cum_gas_used, rlp_addr, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_scalar - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - // Encode bloom. - PUSH 256 // Bloom length. - DUP3 %add_const(3) PUSH @SEGMENT_TRIE_DATA %build_kernel_address // MPT src address. - DUP3 - // stack: rlp_addr, SRC, 256, rlp_addr, payload_len_ptr, cur_len, retdest - %encode_rlp_string - // stack: rlp_addr, old_rlp_pos, payload_len_ptr, cur_len, retdest - SWAP1 POP - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - // Encode logs prefix. - DUP2 %add_const(259) %mload_trie_data - // stack: logs_payload_len, rlp_addr, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_list_prefix - // stack: rlp_addr, payload_len_ptr, cur_len, retdest - DUP2 %add_const(261) - // stack: logs_ptr, rlp_addr, payload_len_ptr, cur_len, retdest - DUP3 %add_const(260) %mload_trie_data - // stack: num_logs, logs_ptr, rlp_addr, payload_len_ptr, cur_len, retdest - PUSH 0 - -encode_receipt_logs_loop: - // stack: i, num_logs, current_log_ptr, rlp_addr, payload_len_ptr, cur_len, retdest - DUP2 DUP2 EQ - // stack: i == num_logs, i, num_logs, current_log_ptr, rlp_addr, payload_len_ptr, cur_len, retdest - %jumpi(encode_receipt_end) - // We add 4 to the trie data length for the fixed size elements in the current log. - SWAP5 %add_const(4) SWAP5 - // stack: i, num_logs, current_log_ptr, rlp_addr, payload_len_ptr, cur_len, retdest - DUP3 DUP5 - // stack: rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - // Encode log prefix. - DUP2 %mload_trie_data - // stack: payload_len, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_list_prefix - // stack: rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - // Encode address. - DUP2 %increment %mload_trie_data - // stack: address, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - SWAP1 %encode_rlp_160 - // stack: rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - DUP2 %add_const(2) %mload_trie_data - // stack: num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - // Encode topics prefix. - DUP1 %mul_const(33) - // stack: topics_payload_len, num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - DUP3 %encode_rlp_list_prefix - // stack: new_rlp_pos, num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - SWAP2 POP - // stack: num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len, retdest - - // Add `num_topics` to the length of the trie data segment. - DUP1 SWAP9 - // stack: cur_len, num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, num_topics, retdest - ADD SWAP8 - - // stack: num_topics, rlp_addr, current_log_ptr, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - SWAP2 %add_const(3) - // stack: topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - PUSH 0 - -encode_receipt_topics_loop: - // stack: j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - DUP4 DUP2 EQ - // stack: j == num_topics, j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - %jumpi(encode_receipt_topics_end) - // stack: j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - DUP2 DUP2 ADD - %mload_trie_data - // stack: current_topic, j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - DUP4 - // stack: rlp_addr, current_topic, j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - %encode_rlp_256 - // stack: new_rlp_pos, j, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - SWAP3 POP - // stack: j, topics_ptr, new_rlp_pos, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - %increment - %jump(encode_receipt_topics_loop) - -encode_receipt_topics_end: - // stack: num_topics, topics_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - ADD - // stack: data_len_ptr, rlp_addr, num_topics, i, num_logs, current_log_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - SWAP5 POP - // stack: rlp_addr, num_topics, i, num_logs, data_len_ptr, old_rlp_pos, payload_len_ptr, cur_len', retdest - SWAP5 POP - // stack: num_topics, i, num_logs, data_len_ptr, rlp_addr, payload_len_ptr, cur_len', retdest - POP - // stack: i, num_logs, data_len_ptr, rlp_addr, payload_len_ptr, cur_len', retdest - // Encode data prefix. - DUP3 %mload_trie_data - // stack: data_len, i, num_logs, data_len_ptr, rlp_addr, payload_len_ptr, cur_len', retdest - - // Add `data_len` to the length of the trie data. - DUP1 SWAP7 ADD SWAP6 - - // stack: data_len, i, num_logs, data_len_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - DUP4 %increment DUP2 ADD - // stack: next_log_ptr, data_len, i, num_logs, data_len_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - SWAP4 %increment - // stack: data_ptr, data_len, i, num_logs, next_log_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - PUSH @SEGMENT_TRIE_DATA %build_kernel_address - // stack: SRC, data_len, i, num_logs, next_log_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - DUP6 - // stack: rlp_addr, SRC, data_len, i, num_logs, next_log_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - %encode_rlp_string - // stack: new_rlp_pos, i, num_logs, next_log_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - SWAP4 POP - // stack: i, num_logs, next_log_ptr, new_rlp_pos, payload_len_ptr, cur_len'', retdest - %increment - %jump(encode_receipt_logs_loop) - -encode_receipt_end: - // stack: num_logs, num_logs, current_log_ptr, rlp_addr, payload_len_ptr, cur_len'', retdest - %pop3 - // stack: rlp_addr, payload_len_ptr, cur_len'', retdest - SWAP1 POP - // stack: rlp_addr, cur_len'', retdest - %stack(rlp_addr, new_len, retdest) -> (retdest, rlp_addr, new_len) - JUMP - -encode_nonzero_receipt_type: - // stack: txn_type, rlp_addr, value_ptr, cur_len, retdest - // We have a nonlegacy receipt, so the type is also stored in the trie data segment. - SWAP3 %increment SWAP3 - // stack: txn_type, rlp_addr, value_ptr, cur_len, retdest - DUP3 %increment %mload_trie_data - // stack: payload_len, txn_type, rlp_addr, value_ptr, retdest - // The transaction type is encoded in 1 byte - %increment %rlp_list_len - // stack: rlp_receipt_len, txn_type, rlp_addr, value_ptr, retdest - DUP3 %encode_rlp_multi_byte_string_prefix - // stack: rlp_addr, txn_type, old_rlp_addr, value_ptr, retdest - DUP1 DUP3 - MSTORE_GENERAL - %increment - // stack: rlp_addr, txn_type, old_rlp_addr, value_ptr, retdest - %stack (rlp_addr, txn_type, old_rlp_addr, value_ptr, retdest) -> (rlp_addr, value_ptr, retdest) - // We replace `value_ptr` with `paylaod_len_ptr` so we can encode the rest of the data more easily - SWAP1 %increment SWAP1 - // stack: rlp_addr, payload_len_ptr, retdest - %jump(encode_receipt_after_type) - -global encode_storage_value: - // stack: rlp_addr, value_ptr, cur_len, retdest - SWAP1 %mload_trie_data SWAP1 - - // A storage value is a scalar, so we only need to add 1 to the trie data length. - SWAP2 %increment SWAP2 - - // stack: rlp_addr, value, cur_len, retdest - // The YP says storage trie is a map "... to the RLP-encoded 256-bit integer values" - // which seems to imply that this should be %encode_rlp_256. But %encode_rlp_scalar - // causes the tests to pass, so it seems storage values should be treated as variable- - // length after all. - %doubly_encode_rlp_scalar - // stack: rlp_addr', cur_len, retdest - %stack (rlp_addr, cur_len, retdest) -> (retdest, rlp_addr, cur_len) - JUMP - diff --git a/evm/src/cpu/kernel/asm/mpt/hex_prefix.asm b/evm/src/cpu/kernel/asm/mpt/hex_prefix.asm deleted file mode 100644 index 0ca2458f0c..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/hex_prefix.asm +++ /dev/null @@ -1,131 +0,0 @@ -// Computes the RLP encoding of the hex-prefix encoding of the given nibble list -// and termination flag. Writes the result to @SEGMENT_RLP_RAW starting at the -// given position, and returns the updated position, i.e. a pointer to the next -// unused offset. -// -// Pre stack: rlp_start_addr, num_nibbles, packed_nibbles, terminated, retdest -// Post stack: rlp_end_addr -global hex_prefix_rlp: - DUP2 %assert_lt_const(65) - - PUSH 2 DUP3 DIV - // Compute the length of the hex-prefix string, in bytes: - // hp_len = num_nibbles / 2 + 1 = i + 1 - %increment - // stack: hp_len, rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - - // Write the RLP header. - DUP1 %gt_const(55) %jumpi(rlp_header_large) - DUP1 %gt_const(1) %jumpi(rlp_header_medium) - - // The hex-prefix is a single byte. It must be <= 127, since its first - // nibble only has two bits. So this is the "small" RLP string case, where - // the byte is its own RLP encoding. - // stack: hp_len, rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - POP -first_byte: - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - // get the first nibble, if num_nibbles is odd, or zero otherwise - SWAP2 - // stack: packed_nibbles, num_nibbles, rlp_addr, terminated, retdest - DUP2 - PUSH 2 DUP2 MOD - // stack: parity, num_nibbles, packed_nibbles, num_nibbles, rlp_addr, terminated, retdest - SWAP1 SUB - %mul_const(4) - SHR - // stack: first_nibble_or_zero, num_nibbles, rlp_addr, terminated, retdest - SWAP2 - // stack: rlp_addr, num_nibbles, first_nibble_or_zero, terminated, retdest - SWAP3 - // stack: terminated, num_nibbles, first_nibble_or_zero, rlp_addr, retdest - %mul_const(2) - // stack: terminated * 2, num_nibbles, first_nibble_or_zero, rlp_addr, retdest - SWAP1 - // stack: num_nibbles, terminated * 2, first_nibble_or_zero, rlp_addr, retdest - %mod_const(2) // parity - ADD - // stack: parity + terminated * 2, first_nibble_or_zero, rlp_addr, retdest - %mul_const(16) - ADD - // stack: first_byte, rlp_addr, retdest - DUP2 - %swap_mstore - %increment - // stack: rlp_addr', retdest - SWAP1 - JUMP - -remaining_bytes: - // stack: rlp_addr, num_nibbles, packed_nibbles, retdest - SWAP2 - PUSH @U256_MAX - // stack: U256_MAX, packed_nibbles, num_nibbles, rlp_addr, ret_dest - SWAP1 SWAP2 - PUSH 2 DUP2 MOD - // stack: parity, num_nibbles, U256_MAX, packed_nibbles, rlp_addr, ret_dest - SWAP1 SUB DUP1 - // stack: num_nibbles - parity, num_nibbles - parity, U256_MAX, packed_nibbles, rlp_addr, ret_dest - %div2 - // stack: rem_bytes, num_nibbles - parity, U256_MAX, packed_nibbles, rlp_addr, ret_dest - SWAP2 SWAP1 - // stack: num_nibbles - parity, U256_MAX, rem_bytes, packed_nibbles, rlp_addr, ret_dest - %mul_const(4) - // stack: 4*(num_nibbles - parity), U256_MAX, rem_bytes, packed_nibbles, rlp_addr, ret_dest - PUSH 256 SUB - // stack: 256 - 4*(num_nibbles - parity), U256_MAX, rem_bytes, packed_nibbles, rlp_addr, ret_dest - SHR - // stack: mask, rem_bytes, packed_nibbles, rlp_addr, ret_dest - SWAP1 SWAP2 - AND - %stack(remaining_nibbles, rem_bytes, rlp_addr) -> (rlp_addr, remaining_nibbles, rem_bytes) - %mstore_unpacking - SWAP1 - JUMP - - -rlp_header_medium: - // stack: hp_len, rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - %add_const(0x80) // value = 0x80 + hp_len - DUP2 - %swap_mstore - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - // rlp_addr += 1 - %increment - - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - SWAP3 DUP3 DUP3 - // stack: num_nibbles, packed_nibbles, terminated, num_nibbles, packed_nibbles, rlp_addr, retdest - PUSH remaining_bytes - // stack: remaining_bytes, num_nibbles, packed_nibbles, terminated, num_nibbles, packed_nibbles, rlp_addr, retdest - SWAP4 SWAP5 SWAP6 - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, remaining_bytes, num_nibbles, packed_nibbles, retdest - - %jump(first_byte) - -rlp_header_large: - // stack: hp_len, rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - // In practice hex-prefix length will never exceed 256, so the length of the - // length will always be 1 byte in this case. - - DUP2 // rlp_addr - PUSH 0xb8 // value = 0xb7 + len_of_len = 0xb8 - MSTORE_GENERAL - - // stack: hp_len, rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - DUP2 %increment - %swap_mstore - - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - // rlp_addr += 2 - %add_const(2) - - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, retdest - SWAP3 DUP3 DUP3 - // stack: num_nibbles, packed_nibbles, terminated, num_nibbles, packed_nibbles, rlp_addr, retdest - PUSH remaining_bytes - // stack: remaining_bytes, num_nibbles, packed_nibbles, terminated, num_nibbles, packed_nibbles, rlp_addr, retdest - SWAP4 SWAP5 SWAP6 - // stack: rlp_addr, num_nibbles, packed_nibbles, terminated, remaining_bytes, num_nibbles, packed_nibbles, retdest - - %jump(first_byte) diff --git a/evm/src/cpu/kernel/asm/mpt/insert/insert.asm b/evm/src/cpu/kernel/asm/mpt/insert/insert.asm deleted file mode 100644 index 34889a33f8..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/insert/insert.asm +++ /dev/null @@ -1,89 +0,0 @@ -// Return a copy of the given node, with the given key set to the given value. -// -// Pre stack: node_ptr, num_nibbles, key, value_ptr, retdest -// Post stack: updated_node_ptr -global mpt_insert: - // stack: node_ptr, num_nibbles, key, value_ptr, retdest - DUP1 %mload_trie_data - // stack: node_type, node_ptr, num_nibbles, key, value_ptr, retdest - // Increment node_ptr, so it points to the node payload instead of its type. - SWAP1 %increment SWAP1 - // stack: node_type, node_payload_ptr, num_nibbles, key, value_ptr, retdest - - DUP1 %eq_const(@MPT_NODE_EMPTY) %jumpi(mpt_insert_empty) - DUP1 %eq_const(@MPT_NODE_BRANCH) %jumpi(mpt_insert_branch) - DUP1 %eq_const(@MPT_NODE_EXTENSION) %jumpi(mpt_insert_extension) - DUP1 %eq_const(@MPT_NODE_LEAF) %jumpi(mpt_insert_leaf) - - // There's still the MPT_NODE_HASH case, but if we hit a hash node, - // it means the prover failed to provide necessary Merkle data, so panic. -global mpt_insert_hash_node: - PANIC - -mpt_insert_empty: - // stack: node_type, node_payload_ptr, num_nibbles, key, value_ptr, retdest - %pop2 - // stack: num_nibbles, key, value_ptr, retdest - // We will append a new leaf node to our MPT tape and return a pointer to it. - %get_trie_data_size - // stack: leaf_ptr, num_nibbles, key, value_ptr, retdest - PUSH @MPT_NODE_LEAF %append_to_trie_data - // stack: leaf_ptr, num_nibbles, key, value_ptr, retdest - SWAP1 %append_to_trie_data - // stack: leaf_ptr, key, value_ptr, retdest - SWAP1 %append_to_trie_data - // stack: leaf_ptr, value_ptr, retdest - SWAP1 %append_to_trie_data - // stack: leaf_ptr, retdest - SWAP1 - JUMP - -mpt_insert_branch: - // stack: node_type, node_payload_ptr, num_nibbles, key, value_ptr, retdest - POP - - //stack: node_payload_ptr, num_nibbles, key, value_ptr, retdest - - // At this point, we branch based on whether the key terminates with this branch node. - // stack: node_payload_ptr, num_nibbles, key, value_ptr, retdest - DUP2 %jumpi(mpt_insert_branch_nonterminal) - - // The key terminates here, so the value will be placed right in our (updated) branch node. - // stack: node_payload_ptr, num_nibbles, key, value_ptr, retdest - SWAP3 - // stack: value_ptr, num_nibbles, key, node_payload_ptr, retdest - DUP4 %add_const(16) - // stack: branch_value_ptr_ptr, value_ptr, num_nibbles, key, node_payload_ptr, retdest - %mstore_trie_data - // stack: num_nibbles, key, node_payload_ptr, retdest - %pop2 - // stack: node_payload_ptr, retdest - PUSH 1 SWAP1 SUB - // stack: branch_ptr, retdest - SWAP1 - JUMP - -mpt_insert_branch_nonterminal: - // The key continues, so we split off the first (most significant) nibble, - // and recursively insert into the child associated with that nibble. - // stack: node_payload_ptr, num_nibbles, key, value_ptr, retdest - %stack (node_payload_ptr, num_nibbles, key) -> (num_nibbles, key, node_payload_ptr) - %split_first_nibble - // stack: first_nibble, num_nibbles, key, node_payload_ptr, value_ptr, retdest - DUP4 ADD - // stack: child_ptr_ptr, num_nibbles, key, node_payload_ptr, value_ptr, retdest - // Replace node_payload_ptr with branch pointer - SWAP3 PUSH 1 SWAP1 SUB SWAP3 - %stack (child_ptr_ptr, num_nibbles, key, updated_branch_ptr, value_ptr) - -> (child_ptr_ptr, num_nibbles, key, value_ptr, - mpt_insert_branch_nonterminal_after_recursion, - child_ptr_ptr, updated_branch_ptr) - %mload_trie_data // Deref child_ptr_ptr, giving child_ptr - %jump(mpt_insert) - -mpt_insert_branch_nonterminal_after_recursion: - // stack: updated_child_ptr, child_ptr_ptr, updated_branch_ptr, retdest - SWAP1 %mstore_trie_data // Store the pointer to the updated child. - // stack: updated_branch_ptr, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/insert/insert_extension.asm b/evm/src/cpu/kernel/asm/mpt/insert/insert_extension.asm deleted file mode 100644 index 21a4b7558b..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/insert/insert_extension.asm +++ /dev/null @@ -1,213 +0,0 @@ -/* -Insert into an extension node. -The high-level logic can be expressed with the following pseudocode: - -common_len, common_key, node_len, node_key, insert_len, insert_key = - split_common_prefix(node_len, node_key, insert_len, insert_key) - -if node_len == 0: - new_node = insert(node_child, insert_len, insert_key, insert_value) -else: - new_node = [MPT_TYPE_BRANCH] + [0] * 17 - - // Process the node's child. - if node_len > 1: - // The node key continues with multiple nibbles left, so we can't place - // node_child directly in the branch, but need an extension for it. - node_key_first, node_len, node_key = split_first_nibble(node_len, node_key) - new_node[node_key_first + 1] = [MPT_TYPE_EXTENSION, node_len, node_key, node_child] - else: - // The remaining node_key is a single nibble, so we can place node_child directly in the branch. - new_node[node_key + 1] = node_child - - // Process the inserted entry. - if insert_len > 0: - // The insert key continues. Add a leaf node for it. - insert_key_first, insert_len, insert_key = split_first_nibble(insert_len, insert_key) - new_node[insert_key_first + 1] = [MPT_TYPE_LEAF, insert_len, insert_key, insert_value] - else: - new_node[17] = insert_value - -if common_len > 0: - return [MPT_TYPE_EXTENSION, common_len, common_key, new_node] -else: - return new_node -*/ - -global mpt_insert_extension: - // stack: node_type, node_payload_ptr, insert_len, insert_key, insert_value_ptr, retdest - POP - // stack: node_payload_ptr, insert_len, insert_key, insert_value_ptr, retdest - - // We start by loading the extension node's three fields: node_len, node_key, node_child_ptr - DUP1 %add_const(2) %mload_trie_data - // stack: node_child_ptr, node_payload_ptr, insert_len, insert_key, insert_value_ptr, retdest - %stack (node_child_ptr, node_payload_ptr, insert_len, insert_key) - -> (node_payload_ptr, insert_len, insert_key, node_child_ptr) - // stack: node_payload_ptr, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - DUP1 %increment %mload_trie_data - // stack: node_key, node_payload_ptr, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - SWAP1 %mload_trie_data - // stack: node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - - // Next, we split off any key prefix which is common to the node's key and the inserted key. - %split_common_prefix - // stack: common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - - // Now we branch based on whether the node key continues beyond the common prefix. - DUP3 %jumpi(node_key_continues) - - // The node key does not continue. In this case we recurse. Pseudocode: - // new_node = insert(node_child, insert_len, insert_key, insert_value) - // and then proceed to maybe_add_extension_for_common_key. - // stack: common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - PUSH maybe_add_extension_for_common_key - DUP9 // insert_value_ptr - DUP8 // insert_key - DUP8 // insert_len - DUP11 // node_child_ptr - %jump(mpt_insert) - -node_key_continues: - // stack: common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // Allocate new_node, a branch node which is initially empty - // Pseudocode: new_node = [MPT_TYPE_BRANCH] + [0] * 17 - %get_trie_data_size // pointer to the branch node we're about to create - PUSH @MPT_NODE_BRANCH %append_to_trie_data - - PUSH 0 - // Increment trie data size by 17 - %get_trie_data_size - // stack: trie_data_size, 0 - DUP1 - %add_const(17) - %set_trie_data_size - - // stack: trie_data_size, 0 - - // Write 17 consecutive 0s at once - PUSH @SEGMENT_TRIE_DATA %build_kernel_address - MSTORE_32BYTES_17 - POP - -process_node_child: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // We want to check if node_len > 1. We already know node_len > 0 since we're in node_key_continues, - // so it suffices to check 1 - node_len != 0 - DUP4 // node_len - PUSH 1 SUB - %jumpi(node_key_continues_multiple_nibbles) - - // If we got here, node_len = 1. - // Pseudocode: new_node[node_key + 1] = node_child - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - DUP8 // node_child_ptr - DUP2 // new_node_ptr - %increment - DUP7 // node_key - ADD - %mstore_trie_data - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - %jump(process_inserted_entry) - -node_key_continues_multiple_nibbles: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // Pseudocode: node_key_first, node_len, node_key = split_first_nibble(node_len, node_key) - // To minimize stack manipulation, we won't actually mutate the node_len, node_key variables in our stack. - // Instead we will duplicate them, and leave the old ones alone; they won't be used. - DUP5 DUP5 - // stack: node_len, node_key, new_node_ptr, ... - %split_first_nibble - // stack: node_key_first, node_len, node_key, new_node_ptr, ... - - // Pseudocode: new_node[node_key_first + 1] = [MPT_TYPE_EXTENSION, node_len, node_key, node_child] - %get_trie_data_size // pointer to the extension node we're about to create - // stack: ext_node_ptr, node_key_first, node_len, node_key, new_node_ptr, ... - PUSH @MPT_NODE_EXTENSION %append_to_trie_data - // stack: ext_node_ptr, node_key_first, node_len, node_key, new_node_ptr, ... - SWAP2 %append_to_trie_data // Append node_len - // stack: node_key_first, ext_node_ptr, node_key, new_node_ptr, ... - SWAP2 %append_to_trie_data // Append node_key - // stack: ext_node_ptr, node_key_first, new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - DUP10 %append_to_trie_data // Append node_child_ptr - - SWAP1 - // stack: node_key_first, ext_node_ptr, new_node_ptr, ... - DUP3 // new_node_ptr - ADD - %increment - // stack: new_node_ptr + node_key_first + 1, ext_node_ptr, new_node_ptr, ... - %mstore_trie_data - %jump(process_inserted_entry) - -process_inserted_entry: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - DUP6 // insert_len - %jumpi(insert_key_continues) - - // If we got here, insert_len = 0, so we store the inserted value directly in our new branch node. - // Pseudocode: new_node[17] = insert_value - DUP9 // insert_value_ptr - DUP2 // new_node_ptr - %add_const(17) - %mstore_trie_data - %jump(maybe_add_extension_for_common_key) - -insert_key_continues: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // Pseudocode: insert_key_first, insert_len, insert_key = split_first_nibble(insert_len, insert_key) - // To minimize stack manipulation, we won't actually mutate the node_len, node_key variables in our stack. - // Instead we will duplicate them, and leave the old ones alone; they won't be used. - DUP7 DUP7 - // stack: insert_len, insert_key, new_node_ptr, ... - %split_first_nibble - // stack: insert_key_first, insert_len, insert_key, new_node_ptr, ... - - // Pseudocode: new_node[insert_key_first + 1] = [MPT_TYPE_LEAF, insert_len, insert_key, insert_value] - %get_trie_data_size // pointer to the leaf node we're about to create - // stack: leaf_node_ptr, insert_key_first, insert_len, insert_key, new_node_ptr, ... - PUSH @MPT_NODE_LEAF %append_to_trie_data - // stack: leaf_node_ptr, insert_key_first, insert_len, insert_key, new_node_ptr, ... - SWAP2 %append_to_trie_data // Append insert_len - // stack: insert_key_first, leaf_node_ptr, insert_key, new_node_ptr, ... - SWAP2 %append_to_trie_data // Append insert_key - // stack: leaf_node_ptr, insert_key_first, new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - DUP11 %append_to_trie_data // Append insert_value_ptr - - SWAP1 - // stack: insert_key_first, leaf_node_ptr, new_node_ptr, ... - DUP3 // new_node_ptr - ADD - %increment - // stack: new_node_ptr + insert_key_first + 1, leaf_node_ptr, new_node_ptr, ... - %mstore_trie_data - %jump(maybe_add_extension_for_common_key) - -maybe_add_extension_for_common_key: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // If common_len > 0, we need to add an extension node. - DUP2 %jumpi(add_extension_for_common_key) - // Otherwise, we simply return new_node_ptr. - SWAP8 - %pop8 - // stack: new_node_ptr, retdest - SWAP1 - JUMP - -add_extension_for_common_key: - // stack: new_node_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - // Pseudocode: return [MPT_TYPE_EXTENSION, common_len, common_key, new_node] - %get_trie_data_size // pointer to the extension node we're about to create - // stack: extension_ptr, new_node_ptr, common_len, common_key, ... - PUSH @MPT_NODE_EXTENSION %append_to_trie_data - SWAP2 %append_to_trie_data // Append common_len to our node - // stack: new_node_ptr, extension_ptr, common_key, ... - SWAP2 %append_to_trie_data // Append common_key to our node - // stack: extension_ptr, new_node_ptr, ... - SWAP1 %append_to_trie_data // Append new_node_ptr to our node - // stack: extension_ptr, node_len, node_key, insert_len, insert_key, node_child_ptr, insert_value_ptr, retdest - SWAP6 - %pop6 - // stack: extension_ptr, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/insert/insert_leaf.asm b/evm/src/cpu/kernel/asm/mpt/insert/insert_leaf.asm deleted file mode 100644 index 806fc0ddbd..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/insert/insert_leaf.asm +++ /dev/null @@ -1,205 +0,0 @@ -/* -Insert into a leaf node. -The high-level logic can be expressed with the following pseudocode: - -if node_len == insert_len && node_key == insert_key: - return Leaf[node_key, insert_value] - -common_len, common_key, node_len, node_key, insert_len, insert_key = - split_common_prefix(node_len, node_key, insert_len, insert_key) - -branch = [MPT_TYPE_BRANCH] + [0] * 17 - -// Process the node's entry. -if node_len > 0: - node_key_first, node_len, node_key = split_first_nibble(node_len, node_key) - branch[node_key_first + 1] = [MPT_TYPE_LEAF, node_len, node_key, node_value] -else: - branch[17] = node_value - -// Process the inserted entry. -if insert_len > 0: - insert_key_first, insert_len, insert_key = split_first_nibble(insert_len, insert_key) - branch[insert_key_first + 1] = [MPT_TYPE_LEAF, insert_len, insert_key, insert_value] -else: - branch[17] = insert_value - -// Add an extension node if there is a common prefix. -if common_len > 0: - return [MPT_TYPE_EXTENSION, common_len, common_key, branch] -else: - return branch -*/ - -global mpt_insert_leaf: - // stack: node_type, node_payload_ptr, insert_len, insert_key, insert_value_ptr, retdest - POP - // stack: node_payload_ptr, insert_len, insert_key, insert_value_ptr, retdest - %stack (node_payload_ptr, insert_len, insert_key) -> (insert_len, insert_key, node_payload_ptr) - // stack: insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - DUP3 %increment %mload_trie_data - // stack: node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - DUP4 %mload_trie_data - // stack: node_len, node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - - // If the keys match, i.e. node_len == insert_len && node_key == insert_key, - // then we're simply replacing the leaf node's value. Since this is a common - // case, it's best to detect it early. Calling %split_common_prefix could be - // expensive as leaf keys tend to be long. - DUP1 DUP4 EQ // node_len == insert_len - DUP3 DUP6 EQ // node_key == insert_key - MUL // Cheaper than AND - // stack: keys_match, node_len, node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - %jumpi(keys_match) - - // Replace node_payload_ptr with node_value, which is node_payload[2]. - // stack: node_len, node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - SWAP4 - %add_const(2) - %mload_trie_data - SWAP4 - // stack: node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - - // Split off any common prefix between the node key and the inserted key. - %split_common_prefix - // stack: common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - - // For the remaining cases, we will need a new branch node since the two keys diverge. - // We may also need an extension node above it (if common_len > 0); we will handle that later. - // For now, we allocate the branch node, initially with no children or value. - %get_trie_data_size // pointer to the branch node we're about to create - PUSH @MPT_NODE_BRANCH %append_to_trie_data - - PUSH 0 - // Increment trie data size by 17 - %get_trie_data_size - // stack: trie_data_size, 0 - DUP1 - %add_const(17) - %set_trie_data_size - - // stack: trie_data_size, 0 - - // Write 17 consecutive 0s at once - PUSH @SEGMENT_TRIE_DATA %build_kernel_address - MSTORE_32BYTES_17 - POP - - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - - // Now, we branch based on whether each key continues beyond the common - // prefix, starting with the node key. - -process_node_entry: - DUP4 // node_len - %jumpi(node_key_continues) - - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // branch[17] = node_value_ptr - DUP8 // node_value_ptr - DUP2 // branch_ptr - %add_const(17) - %mstore_trie_data - -process_inserted_entry: - DUP6 // insert_len - %jumpi(insert_key_continues) - - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // branch[17] = insert_value_ptr - DUP9 // insert_value_ptr - DUP2 // branch_ptr - %add_const(17) - %mstore_trie_data - -maybe_add_extension_for_common_key: - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // If common_len > 0, we need to add an extension node. - DUP2 %jumpi(add_extension_for_common_key) - // Otherwise, we simply return branch_ptr. - SWAP8 - %pop8 - // stack: branch_ptr, retdest - SWAP1 - JUMP - -add_extension_for_common_key: - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // Pseudocode: return [MPT_TYPE_EXTENSION, common_len, common_key, branch] - %get_trie_data_size // pointer to the extension node we're about to create - // stack: extension_ptr, branch_ptr, common_len, common_key, ... - PUSH @MPT_NODE_EXTENSION %append_to_trie_data - SWAP2 %append_to_trie_data // Append common_len to our node - // stack: branch_ptr, extension_ptr, common_key, ... - SWAP2 %append_to_trie_data // Append common_key to our node - // stack: extension_ptr, branch_ptr, ... - SWAP1 %append_to_trie_data // Append branch_ptr to our node - // stack: extension_ptr, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - SWAP6 - %pop6 - // stack: extension_ptr, retdest - SWAP1 - JUMP - -node_key_continues: - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // branch[node_key_first + 1] = Leaf[node_len, node_key, node_value] - // To minimize stack manipulation, we won't actually mutate the node_len, node_key variables in our stack. - // Instead we will duplicate them, and leave the old ones alone; they won't be used. - DUP5 DUP5 - // stack: node_len, node_key, branch_ptr, ... - %split_first_nibble - // stack: node_key_first, node_len, node_key, branch_ptr, ... - %get_trie_data_size // pointer to the leaf node we're about to create - // stack: leaf_ptr, node_key_first, node_len, node_key, branch_ptr, ... - SWAP1 - DUP5 // branch_ptr - %increment // Skip over node type field - ADD // Add node_key_first - %mstore_trie_data - // stack: node_len, node_key, branch_ptr, ... - PUSH @MPT_NODE_LEAF %append_to_trie_data - %append_to_trie_data // Append node_len to our leaf node - %append_to_trie_data // Append node_key to our leaf node - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - DUP8 %append_to_trie_data // Append node_value_ptr to our leaf node - %jump(process_inserted_entry) - -insert_key_continues: - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - // branch[insert_key_first + 1] = Leaf[insert_len, insert_key, insert_value] - // To minimize stack manipulation, we won't actually mutate the insert_len, insert_key variables in our stack. - // Instead we will duplicate them, and leave the old ones alone; they won't be used. - DUP7 DUP7 - // stack: insert_len, insert_key, branch_ptr, ... - %split_first_nibble - // stack: insert_key_first, insert_len, insert_key, branch_ptr, ... - %get_trie_data_size // pointer to the leaf node we're about to create - // stack: leaf_ptr, insert_key_first, insert_len, insert_key, branch_ptr, ... - SWAP1 - DUP5 // branch_ptr - %increment // Skip over node type field - ADD // Add insert_key_first - %mstore_trie_data - // stack: insert_len, insert_key, branch_ptr, ... - PUSH @MPT_NODE_LEAF %append_to_trie_data - %append_to_trie_data // Append insert_len to our leaf node - %append_to_trie_data // Append insert_key to our leaf node - // stack: branch_ptr, common_len, common_key, node_len, node_key, insert_len, insert_key, node_value_ptr, insert_value_ptr, retdest - DUP9 %append_to_trie_data // Append insert_value_ptr to our leaf node - %jump(maybe_add_extension_for_common_key) - -keys_match: - // The keys match exactly, so we simply replace the leaf value with the new value. - // stack: node_len, node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr, retdest - %stack (node_len, node_key, insert_len, insert_key, node_payload_ptr, insert_value_ptr) - -> (node_payload_ptr, node_len, node_key, insert_value_ptr) - // stack: node_payload_ptr, common_len, common_key, insert_value_ptr, retdest - DUP4 DUP2 - %add_const(2) - %mstore_trie_data - %stack (node_payload_ptr, common_len, common_key, insert_value_ptr, retdest) -> (node_payload_ptr, retdest) - PUSH 1 SWAP1 SUB - // stack: leaf_ptr, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/insert/insert_trie_specific.asm b/evm/src/cpu/kernel/asm/mpt/insert/insert_trie_specific.asm deleted file mode 100644 index 71f78ec5bd..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/insert/insert_trie_specific.asm +++ /dev/null @@ -1,95 +0,0 @@ -// Insertion logic specific to a particular trie. - -// Mutate the state trie, inserting the given key-value pair. -// Pre stack: key, value_ptr, retdest -// Post stack: (empty) -// TODO: Have this take an address and do %mpt_insert_state_trie? To match mpt_read_state_trie. -global mpt_insert_state_trie: - // stack: key, value_ptr, retdest - %stack (key, value_ptr) - -> (key, value_ptr, mpt_insert_state_trie_save) - PUSH 64 // num_nibbles - %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - // stack: state_root_ptr, num_nibbles, key, value_ptr, mpt_insert_state_trie_save, retdest - %jump(mpt_insert) -mpt_insert_state_trie_save: - // stack: updated_node_ptr, retdest - %mstore_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) - JUMP - -%macro mpt_insert_state_trie - %stack (key, value_ptr) -> (key, value_ptr, %%after) - %jump(mpt_insert_state_trie) -%%after: -%endmacro - -// Insert a node in the transaction trie. The payload -// must be pointing to the rlp encoded txn -// Pre stack: key, txn_rlp_ptr, redest -// Post stack: (empty) -global mpt_insert_txn_trie: - // stack: key=rlp(key), num_nibbles, txn_rlp_ptr, retdest - %stack (key, num_nibbles, txn_rlp_ptr) - -> (num_nibbles, key, txn_rlp_ptr, mpt_insert_txn_trie_save) - %mload_global_metadata(@GLOBAL_METADATA_TXN_TRIE_ROOT) - // stack: txn_trie_root_ptr, num_nibbles, key, txn_rlp_ptr, mpt_insert_state_trie_save, retdest - %jump(mpt_insert) - -mpt_insert_txn_trie_save: - // stack: updated_node_ptr, retdest - %mstore_global_metadata(@GLOBAL_METADATA_TXN_TRIE_ROOT) - JUMP - -%macro mpt_insert_txn_trie - %stack (key, txn_rpl_ptr) -> (key, txn_rlp_ptr, %%after) - %jump(mpt_insert_txn_trie) -%%after: -%endmacro - -global mpt_insert_receipt_trie: - // stack: num_nibbles, scalar, value_ptr, retdest - %stack (num_nibbles, scalar, value_ptr) - -> (num_nibbles, scalar, value_ptr, mpt_insert_receipt_trie_save) - // The key is the scalar, which is an RLP encoding of the transaction number - // stack: num_nibbles, key, value_ptr, mpt_insert_receipt_trie_save, retdest - %mload_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_ROOT) - // stack: receipt_root_ptr, num_nibbles, key, value_ptr, mpt_insert_receipt_trie_save, retdest - %jump(mpt_insert) -mpt_insert_receipt_trie_save: - // stack: updated_node_ptr, retdest - %mstore_global_metadata(@GLOBAL_METADATA_RECEIPT_TRIE_ROOT) - JUMP - -%macro mpt_insert_receipt_trie - %stack (num_nibbles, key, value_ptr) -> (num_nibbles, key, value_ptr, %%after) - %jump(mpt_insert_receipt_trie) -%%after: -%endmacro - -// Pre stack: scalar, retdest -// Post stack: rlp_scalar -global scalar_to_rlp: - // stack: scalar, retdest - %mload_global_metadata(@GLOBAL_METADATA_RLP_DATA_SIZE) - // stack: init_addr, scalar, retdest - SWAP1 DUP2 - %encode_rlp_scalar - // stack: addr', init_addr, retdest - // Now our rlp_encoding is in RlpRaw. - // Set new RlpRaw data size - DUP1 %mstore_global_metadata(@GLOBAL_METADATA_RLP_DATA_SIZE) - DUP2 DUP2 SUB // len of the key - // stack: len, addr', init_addr, retdest - DUP3 - MLOAD_32BYTES - // stack: packed_key, addr', init_addr, retdest - SWAP2 %pop2 - // stack: key, retdest - SWAP1 - JUMP - -%macro scalar_to_rlp - %stack (scalar) -> (scalar, %%after) - %jump(scalar_to_rlp) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/mpt/read.asm b/evm/src/cpu/kernel/asm/mpt/read.asm deleted file mode 100644 index 4a57dd4db2..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/read.asm +++ /dev/null @@ -1,152 +0,0 @@ -// Given an address, return a pointer to the associated account data, which -// consists of four words (nonce, balance, storage_root, code_hash), in the -// state trie. Returns null if the address is not found. -global mpt_read_state_trie: - // stack: addr, retdest - %addr_to_state_key - // stack: key, retdest - PUSH 64 // num_nibbles - %mload_global_metadata(@GLOBAL_METADATA_STATE_TRIE_ROOT) // node_ptr - // stack: node_ptr, num_nibbles, key, retdest - %jump(mpt_read) - -// Convenience macro to call mpt_read_state_trie and return where we left off. -%macro mpt_read_state_trie - %stack (addr) -> (addr, %%after) - %jump(mpt_read_state_trie) -%%after: -%endmacro - -// Read a value from a MPT. -// -// Arguments: -// - the virtual address of the trie to search in -// - the number of nibbles in the key (should start at 64) -// - the key, as a U256 -// - return destination -// -// This function returns a pointer to the value, or 0 if the key is not found. -global mpt_read: - // stack: node_ptr, num_nibbles, key, retdest - DUP1 - %mload_trie_data - // stack: node_type, node_ptr, num_nibbles, key, retdest - // Increment node_ptr, so it points to the node payload instead of its type. - SWAP1 %increment SWAP1 - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - - DUP1 %eq_const(@MPT_NODE_EMPTY) %jumpi(mpt_read_empty) - DUP1 %eq_const(@MPT_NODE_BRANCH) %jumpi(mpt_read_branch) - DUP1 %eq_const(@MPT_NODE_EXTENSION) %jumpi(mpt_read_extension) - DUP1 %eq_const(@MPT_NODE_LEAF) %jumpi(mpt_read_leaf) - - // There's still the MPT_NODE_HASH case, but if we hit a hash node, - // it means the prover failed to provide necessary Merkle data, so panic. -global mpt_read_hash_node: - PANIC - -global mpt_read_empty: - // Return 0 to indicate that the value was not found. - %stack (node_type, node_payload_ptr, num_nibbles, key, retdest) - -> (retdest, 0) - JUMP - -global mpt_read_branch: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - POP - // stack: node_payload_ptr, num_nibbles, key, retdest - DUP2 // num_nibbles - ISZERO - // stack: num_nibbles == 0, node_payload_ptr, num_nibbles, key, retdest - %jumpi(mpt_read_branch_end_of_key) - - // We have not reached the end of the key, so we descend to one of our children. - // stack: node_payload_ptr, num_nibbles, key, retdest - %stack (node_payload_ptr, num_nibbles, key) - -> (num_nibbles, key, node_payload_ptr) - // stack: num_nibbles, key, node_payload_ptr, retdest - %split_first_nibble - %stack (first_nibble, num_nibbles, key, node_payload_ptr) - -> (node_payload_ptr, first_nibble, num_nibbles, key) - // child_ptr = load(node_payload_ptr + first_nibble) - ADD %mload_trie_data - // stack: child_ptr, num_nibbles, key, retdest - %jump(mpt_read) // recurse - -global mpt_read_branch_end_of_key: - %stack (node_payload_ptr, num_nibbles, key, retdest) -> (node_payload_ptr, retdest) - // stack: node_payload_ptr, retdest - %add_const(16) // skip over the 16 child nodes - // stack: value_ptr_ptr, retdest - %mload_trie_data - // stack: value_ptr, retdest - SWAP1 - JUMP - -global mpt_read_extension: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - %stack (node_type, node_payload_ptr, num_nibbles, key) - -> (num_nibbles, key, node_payload_ptr) - // stack: num_nibbles, key, node_payload_ptr, retdest - DUP3 %mload_trie_data - // stack: node_num_nibbles, num_nibbles, key, node_payload_ptr, retdest - SWAP1 - SUB - // stack: future_nibbles, key, node_payload_ptr, retdest - DUP2 DUP2 - // stack: future_nibbles, key, future_nibbles, key, node_payload_ptr, retdest - %mul_const(4) SHR // key_part = key >> (future_nibbles * 4) - DUP1 - // stack: key_part, key_part, future_nibbles, key, node_payload_ptr, retdest - DUP5 %increment %mload_trie_data - // stack: node_key, key_part, key_part, future_nibbles, key, node_payload_ptr, retdest - EQ // does the first part of our key match the node's key? - %jumpi(mpt_read_extension_found) -global mpt_read_extension_not_found: - // Not found; return 0. - %stack (key_part, future_nibbles, key, node_payload_ptr, retdest) -> (retdest, 0) - JUMP -mpt_read_extension_found: - // stack: key_part, future_nibbles, key, node_payload_ptr, retdest - DUP2 %mul_const(4) SHL // key_part_shifted = (key_part << (future_nibbles * 4)) - // stack: key_part_shifted, future_nibbles, key, node_payload_ptr, retdest - %stack (key_part_shifted, future_nibbles, key) - -> (key, key_part_shifted, future_nibbles) - SUB // key -= key_part_shifted - // stack: key, future_nibbles, node_payload_ptr, retdest - SWAP2 - // stack: node_payload_ptr, future_nibbles, key, retdest - %add_const(2) // child pointer is third field of extension node - %mload_trie_data - // stack: child_ptr, future_nibbles, key, retdest - %jump(mpt_read) // recurse - -mpt_read_leaf: - // stack: node_type, node_payload_ptr, num_nibbles, key, retdest - POP - // stack: node_payload_ptr, num_nibbles, key, retdest - DUP1 %mload_trie_data - // stack: node_num_nibbles, node_payload_ptr, num_nibbles, key, retdest - DUP2 %increment %mload_trie_data - // stack: node_key, node_num_nibbles, node_payload_ptr, num_nibbles, key, retdest - SWAP3 - // stack: num_nibbles, node_num_nibbles, node_payload_ptr, node_key, key, retdest - EQ - %stack (num_nibbles_match, node_payload_ptr, node_key, key) - -> (key, node_key, num_nibbles_match, node_payload_ptr) - EQ - AND - // stack: keys_match && num_nibbles_match, node_payload_ptr, retdest - %jumpi(mpt_read_leaf_found) -global mpt_read_leaf_not_found: - // Not found; return 0. - %stack (node_payload_ptr, retdest) -> (retdest, 0) - JUMP -mpt_read_leaf_found: - // stack: node_payload_ptr, retdest - %add_const(2) // The value pointer is located after num_nibbles and the key. - // stack: value_ptr_ptr, retdest - %mload_trie_data - // stack: value_ptr, retdest - SWAP1 - JUMP diff --git a/evm/src/cpu/kernel/asm/mpt/storage/storage_read.asm b/evm/src/cpu/kernel/asm/mpt/storage/storage_read.asm deleted file mode 100644 index 84d8d0efc9..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/storage/storage_read.asm +++ /dev/null @@ -1,56 +0,0 @@ -%macro sload_current - %stack (slot) -> (slot, %%after) - %jump(sload_current) -%%after: -%endmacro - -global sload_current: - %stack (slot) -> (slot, after_storage_read) - %slot_to_storage_key - // stack: storage_key, after_storage_read - PUSH 64 // storage_key has 64 nibbles - %current_storage_trie - // stack: storage_root_ptr, 64, storage_key, after_storage_read - %jump(mpt_read) - -global after_storage_read: - // stack: value_ptr, retdest - DUP1 %jumpi(storage_key_exists) - - // Storage key not found. Return default value_ptr = 0, - // which derefs to 0 since @SEGMENT_TRIE_DATA[0] = 0. - %stack (value_ptr, retdest) -> (retdest, 0) - JUMP - -global storage_key_exists: - // stack: value_ptr, retdest - %mload_trie_data - // stack: value, retdest - SWAP1 - JUMP - -// Read a word from the current account's storage trie. -// -// Pre stack: kexit_info, slot -// Post stack: value - -global sys_sload: - // stack: kexit_info, slot - SWAP1 - DUP1 - // stack: slot, slot, kexit_info - %sload_current - - %stack (value, slot, kexit_info) -> (slot, value, kexit_info, value) - %address - // stack: addr, slot, value, kexit_info, value - %insert_accessed_storage_keys - // stack: cold_access, old_value, kexit_info, value - SWAP1 POP - // stack: cold_access, kexit_info, value - %mul_const(@GAS_COLDSLOAD_MINUS_WARMACCESS) - %add_const(@GAS_WARMACCESS) - %charge_gas - // stack: kexit_info, value - EXIT_KERNEL - diff --git a/evm/src/cpu/kernel/asm/mpt/storage/storage_write.asm b/evm/src/cpu/kernel/asm/mpt/storage/storage_write.asm deleted file mode 100644 index 08270dfa9e..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/storage/storage_write.asm +++ /dev/null @@ -1,144 +0,0 @@ -// Write a word to the current account's storage trie. -// -// Pre stack: kexit_info, slot, value -// Post stack: (empty) - -global sys_sstore: - %check_static - DUP1 %leftover_gas %le_const(@GAS_CALLSTIPEND) %jumpi(fault_exception) - %stack (kexit_info, slot, value) -> (slot, kexit_info, slot, value) - %sload_current - %address - %stack (addr, current_value, kexit_info, slot, value) -> (addr, slot, current_value, current_value, kexit_info, slot, value) - %insert_accessed_storage_keys - // stack: cold_access, original_value, current_value, kexit_info, slot, value - %mul_const(@GAS_COLDSLOAD) - - // Check for warm access. - %stack (gas, original_value, current_value, kexit_info, slot, value) -> - (value, current_value, current_value, original_value, gas, original_value, current_value, kexit_info, slot, value) - EQ SWAP2 EQ ISZERO - // stack: current_value==original_value, value==current_value, gas, original_value, current_value, kexit_info, slot, value) - ADD // OR - %jumpi(sstore_warm) - - // Check for sset (set a zero storage slot to a non-zero value). - // stack: gas, original_value, current_value, kexit_info, slot, value - DUP2 ISZERO %mul_const(@GAS_SSET) ADD - - // Check for sreset (set a non-zero storage slot to a non-zero value). - // stack: gas, original_value, current_value, kexit_info, slot, value - DUP2 ISZERO ISZERO %mul_const(@GAS_SRESET) ADD - %jump(sstore_charge_gas) - -sstore_warm: - // stack: gas, original_value, current_value, kexit_info, slot, value) - %add_const(@GAS_WARMACCESS) - -sstore_charge_gas: - %stack (gas, original_value, current_value, kexit_info, slot, value) -> (gas, kexit_info, current_value, value, original_value, slot) - %charge_gas - -sstore_refund: - %stack (kexit_info, current_value, value, original_value, slot) -> (current_value, value, current_value, value, original_value, slot, kexit_info) - EQ %jumpi(sstore_no_refund) - %stack (current_value, value, original_value, slot, kexit_info) -> (current_value, original_value, current_value, value, original_value, slot, kexit_info) - EQ %jumpi(sstore_refund_original) - %stack (current_value, value, original_value, slot, kexit_info) -> (original_value, current_value, value, original_value, slot, kexit_info) - ISZERO %jumpi(sstore_dirty_reset) - %stack (current_value, value, original_value, slot, kexit_info) -> (current_value, current_value, value, original_value, slot, kexit_info) - ISZERO %jumpi(sstore_dirty_clear1) - %stack (current_value, value, original_value, slot, kexit_info) -> (value, current_value, value, original_value, slot, kexit_info) - ISZERO %jumpi(sstore_dirty_clear2) - %jump(sstore_dirty_reset) - -sstore_dirty_clear1: - PUSH @REFUND_SCLEAR PUSH 0 SUB %refund_gas - %jump(sstore_dirty_reset) - -sstore_dirty_clear2: - PUSH @REFUND_SCLEAR %refund_gas - -sstore_dirty_reset: - %stack (current_value, value, original_value, slot, kexit_info) -> (original_value, value, current_value, value, original_value, slot, kexit_info) - EQ %jumpi(sstore_dirty_reset2) - %jump(sstore_no_refund) -sstore_dirty_reset2: - %stack (current_value, value, original_value, slot, kexit_info) -> (original_value, current_value, value, original_value, slot, kexit_info) - ISZERO %jumpi(sstore_dirty_reset_sset) - PUSH @GAS_WARMACCESS PUSH @GAS_SRESET SUB %refund_gas - %jump(sstore_no_refund) -sstore_dirty_reset_sset: - PUSH @GAS_WARMACCESS PUSH @GAS_SSET SUB %refund_gas - %jump(sstore_no_refund) - -sstore_refund_original: - %stack (current_value, value, original_value, slot, kexit_info) -> (value, current_value, value, original_value, slot, kexit_info) - ISZERO %jumpi(sstore_sclear) - %jump(sstore_no_refund) -sstore_sclear: - PUSH @REFUND_SCLEAR %refund_gas - %jump(sstore_no_refund) - -sstore_no_refund: - %stack (current_value, value, original_value, slot, kexit_info) -> (kexit_info, current_value, slot, value) -sstore_after_refund: - // stack: kexit_info, current_value, slot, value - // Check if `value` is equal to `current_value`, and if so exit the kernel early. - %stack (kexit_info, current_value, slot, value) -> (value, current_value, current_value, slot, value, kexit_info) - EQ %jumpi(sstore_noop) - - // stack: current_value, slot, value, kexit_info - DUP2 %address %journal_add_storage_change - // stack: slot, value, kexit_info - - // If the value is zero, delete the slot from the storage trie. - // stack: slot, value, kexit_info - DUP2 ISZERO %jumpi(sstore_delete) - - // First we write the value to MPT data, and get a pointer to it. - %get_trie_data_size - // stack: value_ptr, slot, value, kexit_info - SWAP2 - // stack: value, slot, value_ptr, kexit_info - %append_to_trie_data - // stack: slot, value_ptr, kexit_info - - // Next, call mpt_insert on the current account's storage root. - %stack (slot, value_ptr) -> (slot, value_ptr, after_storage_insert) - %slot_to_storage_key - // stack: storage_key, value_ptr, after_storage_insert, kexit_info - PUSH 64 // storage_key has 64 nibbles - %current_storage_trie - // stack: storage_root_ptr, 64, storage_key, value_ptr, after_storage_insert, kexit_info - %jump(mpt_insert) - -after_storage_insert: - // stack: new_storage_root_ptr, kexit_info - %current_account_data - // stack: account_ptr, new_storage_root_ptr, kexit_info - - // Update the copied account with our new storage root pointer. - %add_const(2) - // stack: account_storage_root_ptr_ptr, new_storage_root_ptr, kexit_info - %mstore_trie_data - // stack: kexit_info - EXIT_KERNEL - -sstore_noop: - // stack: current_value, slot, value, kexit_info - %pop3 - EXIT_KERNEL - -// Delete the slot from the storage trie. -sstore_delete: - // stack: slot, value, kexit_info - SWAP1 POP - PUSH after_storage_insert SWAP1 - // stack: slot, after_storage_insert, kexit_info - %slot_to_storage_key - // stack: storage_key, after_storage_insert, kexit_info - PUSH 64 // storage_key has 64 nibbles - %current_storage_trie - // stack: storage_root_ptr, 64, storage_key, after_storage_insert, kexit_info - %jump(mpt_delete) diff --git a/evm/src/cpu/kernel/asm/mpt/util.asm b/evm/src/cpu/kernel/asm/mpt/util.asm deleted file mode 100644 index 9829494c2f..0000000000 --- a/evm/src/cpu/kernel/asm/mpt/util.asm +++ /dev/null @@ -1,232 +0,0 @@ -%macro mload_trie_data - // stack: virtual - %mload_kernel(@SEGMENT_TRIE_DATA) - // stack: value -%endmacro - -%macro mstore_trie_data - // stack: virtual, value - %mstore_kernel(@SEGMENT_TRIE_DATA) - // stack: (empty) -%endmacro - -%macro initialize_rlp_segment - PUSH @ENCODED_EMPTY_NODE_POS - PUSH 0x80 - MSTORE_GENERAL -%endmacro - -%macro alloc_rlp_block - // stack: (empty) - %mload_global_metadata(@GLOBAL_METADATA_RLP_DATA_SIZE) - // stack: block_start - // In our model it's fine to use memory in a sparse way, as long as the gaps aren't larger than - // 2^16 or so. So instead of the caller specifying the size of the block they need, we'll just - // allocate 0x10000 = 2^16 bytes, much larger than any RLP blob the EVM could possibly create. - DUP1 %add_const(@MAX_RLP_BLOB_SIZE) - // stack: block_end, block_start - %mstore_global_metadata(@GLOBAL_METADATA_RLP_DATA_SIZE) - // stack: block_start - // We leave an extra 9 bytes, so that callers can later prepend a prefix before block_start. - // (9 is the length of the longest possible RLP list prefix.) - %add_const(9) - // stack: block_start -%endmacro - -%macro get_trie_data_size - // stack: (empty) - %mload_global_metadata(@GLOBAL_METADATA_TRIE_DATA_SIZE) - // stack: trie_data_size -%endmacro - -%macro set_trie_data_size - // stack: trie_data_size - %mstore_global_metadata(@GLOBAL_METADATA_TRIE_DATA_SIZE) - // stack: (empty) -%endmacro - -// Equivalent to: trie_data[trie_data_size++] = value -%macro append_to_trie_data - // stack: value - %get_trie_data_size - // stack: trie_data_size, value - DUP1 - %increment - // stack: trie_data_size', trie_data_size, value - %set_trie_data_size - // stack: trie_data_size, value - %mstore_trie_data - // stack: (empty) -%endmacro - -// Split off the first nibble from a key part. Roughly equivalent to -// def split_first_nibble(num_nibbles, key): -// num_nibbles -= 1 -// num_nibbles_x4 = num_nibbles * 4 -// first_nibble = (key >> num_nibbles_x4) & 0xF -// key -= (first_nibble << num_nibbles_x4) -// return (first_nibble, num_nibbles, key) -%macro split_first_nibble - // stack: num_nibbles, key - %decrement // num_nibbles -= 1 - // stack: num_nibbles, key - DUP2 - // stack: key, num_nibbles, key - DUP2 %mul_const(4) - // stack: num_nibbles_x4, key, num_nibbles, key - SHR - // stack: key >> num_nibbles_x4, num_nibbles, key - %and_const(0xF) - // stack: first_nibble, num_nibbles, key - DUP1 - // stack: first_nibble, first_nibble, num_nibbles, key - DUP3 %mul_const(4) - // stack: num_nibbles_x4, first_nibble, first_nibble, num_nibbles, key - SHL - // stack: first_nibble << num_nibbles_x4, first_nibble, num_nibbles, key - DUP1 - // stack: junk, first_nibble << num_nibbles_x4, first_nibble, num_nibbles, key - SWAP4 - // stack: key, first_nibble << num_nibbles_x4, first_nibble, num_nibbles, junk - SUB - // stack: key, first_nibble, num_nibbles, junk - SWAP3 - // stack: junk, first_nibble, num_nibbles, key - POP - // stack: first_nibble, num_nibbles, key -%endmacro - -// Remove the first `k` nibbles from a key part. -// def truncate_nibbles(k, num_nibbles, key): -// num_nibbles -= k -// num_nibbles_x4 = num_nibbles * 4 -// lead_nibbles = key >> num_nibbles_x4 -// key -= (lead_nibbles << num_nibbles_x4) -// return (num_nibbles, key) -%macro truncate_nibbles - // stack: k, num_nibbles, key - SWAP1 SUB - // stack: num_nibbles, key - DUP1 %mul_const(4) - %stack (num_nibbles_x4, num_nibbles, key) -> (num_nibbles_x4, key, num_nibbles_x4, num_nibbles, key) - SHR - %stack (lead_nibbles, num_nibbles_x4, num_nibbles, key) -> (num_nibbles_x4, lead_nibbles, key, num_nibbles) - SHL SWAP1 SUB - // stack: key, num_nibbles - SWAP1 -%endmacro - -// Split off the common prefix among two key parts. -// -// Pre stack: len_1, key_1, len_2, key_2 -// Post stack: len_common, key_common, len_1, key_1, len_2, key_2 -// -// Roughly equivalent to -// def split_common_prefix(len_1, key_1, len_2, key_2): -// bits_1 = len_1 * 4 -// bits_2 = len_2 * 4 -// len_common = 0 -// key_common = 0 -// while True: -// if bits_1 * bits_2 == 0: -// break -// first_nib_1 = (key_1 >> (bits_1 - 4)) & 0xF -// first_nib_2 = (key_2 >> (bits_2 - 4)) & 0xF -// if first_nib_1 != first_nib_2: -// break -// len_common += 1 -// key_common = key_common * 16 + first_nib_1 -// bits_1 -= 4 -// bits_2 -= 4 -// key_1 -= (first_nib_1 << bits_1) -// key_2 -= (first_nib_2 << bits_2) -// len_1 = bits_1 // 4 -// len_2 = bits_2 // 4 -// return (len_common, key_common, len_1, key_1, len_2, key_2) -%macro split_common_prefix - // stack: len_1, key_1, len_2, key_2 - %mul_const(4) - SWAP2 %mul_const(4) SWAP2 - // stack: bits_1, key_1, bits_2, key_2 - PUSH 0 - PUSH 0 - -%%loop: - // stack: len_common, key_common, bits_1, key_1, bits_2, key_2 - - // if bits_1 * bits_2 == 0: break - DUP3 DUP6 MUL ISZERO %jumpi(%%return) - - // first_nib_2 = (key_2 >> (bits_2 - 4)) & 0xF - DUP6 PUSH 4 DUP7 SUB SHR %and_const(0xF) - // first_nib_1 = (key_1 >> (bits_1 - 4)) & 0xF - DUP5 PUSH 4 DUP6 SUB SHR %and_const(0xF) - // stack: first_nib_1, first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - - // if first_nib_1 != first_nib_2: break - DUP2 DUP2 SUB %jumpi(%%return_with_first_nibs) - - // len_common += 1 - SWAP2 %increment SWAP2 - - // key_common = key_common * 16 + first_nib_1 - SWAP3 - %mul_const(16) - DUP4 ADD - SWAP3 - // stack: first_nib_1, first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - - // bits_1 -= 4 - SWAP4 %sub_const(4) SWAP4 - // bits_2 -= 4 - SWAP6 %sub_const(4) SWAP6 - // stack: first_nib_1, first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - - // key_1 -= (first_nib_1 << bits_1) - DUP5 SHL - // stack: first_nib_1 << bits_1, first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - DUP6 SUB - // stack: key_1, first_nib_2, len_common, key_common, bits_1, key_1_old, bits_2, key_2 - SWAP5 POP - // stack: first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - - // key_2 -= (first_nib_2 << bits_2) - DUP6 SHL - // stack: first_nib_2 << bits_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - DUP7 SUB - // stack: key_2, len_common, key_common, bits_1, key_1, bits_2, key_2_old - SWAP6 POP - // stack: len_common, key_common, bits_1, key_1, bits_2, key_2 - - %jump(%%loop) -%%return_with_first_nibs: - // stack: first_nib_1, first_nib_2, len_common, key_common, bits_1, key_1, bits_2, key_2 - %pop2 -%%return: - // stack: len_common, key_common, bits_1, key_1, bits_2, key_2 - SWAP2 %shr_const(2) SWAP2 // bits_1 -> len_1 (in nibbles) - SWAP4 %shr_const(2) SWAP4 // bits_2 -> len_2 (in nibbles) - // stack: len_common, key_common, len_1, key_1, len_2, key_2 -%endmacro - -// Remove the first `k` nibbles from a key part. -// def merge_nibbles(front_len, front_key, back_len, back_key): -// return (front_len + back_len, (front_key<<(back_len*4)) + back_key) -%macro merge_nibbles - // stack: front_len, front_key, back_len, back_key - %stack (front_len, front_key, back_len, back_key) -> (back_len, front_key, back_key, back_len, front_len) - %mul_const(4) SHL ADD - // stack: new_key, back_len, front_len - SWAP2 ADD -%endmacro - -// Computes state_key = Keccak256(addr). Clobbers @SEGMENT_KERNEL_GENERAL. -%macro addr_to_state_key - %keccak256_word(20) -%endmacro - -// Given a storage slot (a 256-bit integer), computes storage_key = Keccak256(slot). -// Clobbers @SEGMENT_KERNEL_GENERAL. -%macro slot_to_storage_key - %keccak256_word(32) -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/decode.asm b/evm/src/cpu/kernel/asm/rlp/decode.asm deleted file mode 100644 index 43c6627d6c..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/decode.asm +++ /dev/null @@ -1,147 +0,0 @@ -// Note: currently, these methods do not check that RLP input is in canonical -// form; for example a single byte could be encoded with the length-of-length -// form. Technically an EVM must perform these checks, but we aren't really -// concerned with it in our setting. An attacker who corrupted consensus could -// prove a non-canonical state, but this would just temporarily stall the bridge -// until a fix was deployed. We are more concerned with preventing any theft of -// assets. - -// Parse the length of a bytestring from RLP memory. The next len bytes after -// rlp_addr' will contain the string. -// -// Pre stack: rlp_addr, retdest -// Post stack: rlp_addr', len -global decode_rlp_string_len: - // stack: rlp_addr, retdest - DUP1 - MLOAD_GENERAL - // stack: first_byte, rlp_addr, retdest - DUP1 - %gt_const(0xb7) - // stack: first_byte >= 0xb8, first_byte, rlp_addr, retdest - %jumpi(decode_rlp_string_len_large) - // stack: first_byte, rlp_addr, retdest - DUP1 - %gt_const(0x7f) - // stack: first_byte >= 0x80, first_byte, rlp_addr, retdest - %jumpi(decode_rlp_string_len_medium) - - // String is a single byte in the range [0x00, 0x7f]. - %stack (first_byte, rlp_addr, retdest) -> (retdest, rlp_addr, 1) - JUMP - -decode_rlp_string_len_medium: - // String is 0-55 bytes long. First byte contains the len. - // stack: first_byte, rlp_addr, retdest - %sub_const(0x80) - // stack: len, rlp_addr, retdest - SWAP1 - %increment - // stack: rlp_addr', len, retdest - %stack (rlp_addr, len, retdest) -> (retdest, rlp_addr, len) - JUMP - -decode_rlp_string_len_large: - // String is >55 bytes long. First byte contains the len of the len. - // stack: first_byte, rlp_addr, retdest - %sub_const(0xb7) - // stack: len_of_len, rlp_addr, retdest - SWAP1 - %increment - // stack: rlp_addr', len_of_len, retdest - %jump(decode_int_given_len) - -// Convenience macro to call decode_rlp_string_len and return where we left off. -%macro decode_rlp_string_len - %stack (rlp_addr) -> (rlp_addr, %%after) - %jump(decode_rlp_string_len) -%%after: -%endmacro - -// Parse a scalar from RLP memory. -// Pre stack: rlp_addr, retdest -// Post stack: rlp_addr', scalar -// -// Scalars are variable-length, but this method assumes a max length of 32 -// bytes, so that the result can be returned as a single word on the stack. -// As per the spec, scalars must not have leading zeros. -global decode_rlp_scalar: - // stack: rlp_addr, retdest - PUSH decode_int_given_len - // stack: decode_int_given_len, rlp_addr, retdest - SWAP1 - // stack: rlp_addr, decode_int_given_len, retdest - // decode_rlp_string_len will return to decode_int_given_len, at which point - // the stack will contain (rlp_addr', len, retdest), which are the proper args - // to decode_int_given_len. - %jump(decode_rlp_string_len) - -// Convenience macro to call decode_rlp_scalar and return where we left off. -%macro decode_rlp_scalar - %stack (rlp_addr) -> (rlp_addr, %%after) - %jump(decode_rlp_scalar) -%%after: -%endmacro - -// Parse the length of an RLP list from memory. -// Pre stack: rlp_addr, retdest -// Post stack: rlp_addr', len -global decode_rlp_list_len: - // stack: rlp_addr, retdest - DUP1 - MLOAD_GENERAL - // stack: first_byte, rlp_addr, retdest - SWAP1 - %increment // increment rlp_addr - SWAP1 - // stack: first_byte, rlp_addr', retdest - // If first_byte is >= 0xf8, it's a > 55 byte list, and - // first_byte - 0xf7 is the length of the length. - DUP1 - %gt_const(0xf7) // GT is native while GE is not, so compare to 0xf6 instead - // stack: first_byte >= 0xf7, first_byte, rlp_addr', retdest - %jumpi(decode_rlp_list_len_big) - - // This is the "small list" case. - // The list length is first_byte - 0xc0. - // stack: first_byte, rlp_addr', retdest - %sub_const(0xc0) - // stack: len, rlp_addr', retdest - %stack (len, rlp_addr, retdest) -> (retdest, rlp_addr, len) - JUMP - -decode_rlp_list_len_big: - // The length of the length is first_byte - 0xf7. - // stack: first_byte, rlp_addr', retdest - %sub_const(0xf7) - // stack: len_of_len, rlp_addr', retdest - SWAP1 - // stack: rlp_addr', len_of_len, retdest - %jump(decode_int_given_len) - -// Convenience macro to call decode_rlp_list_len and return where we left off. -%macro decode_rlp_list_len - %stack (rlp_addr) -> (rlp_addr, %%after) - %jump(decode_rlp_list_len) -%%after: -%endmacro - -// Parse an integer of the given length. It is assumed that the integer will -// fit in a single (256-bit) word on the stack. -// Pre stack: rlp_addr, len, retdest -// Post stack: rlp_addr', int -global decode_int_given_len: - DUP2 ISZERO %jumpi(empty_int) - %stack (rlp_addr, len, retdest) -> (rlp_addr, len, rlp_addr, len, retdest) - ADD - %stack(rlp_addr_two, rlp_addr, len, retdest) -> (rlp_addr, len, rlp_addr_two, retdest) - MLOAD_32BYTES - // stack: int, rlp_addr', retdest - %stack(int, rlp_addr, retdest) -> (retdest, rlp_addr, int) - JUMP - -empty_int: - // stack: rlp_addr, len, retdest - %stack(rlp_addr, len, retdest) -> (retdest, rlp_addr, 0) - JUMP - diff --git a/evm/src/cpu/kernel/asm/rlp/encode.asm b/evm/src/cpu/kernel/asm/rlp/encode.asm deleted file mode 100644 index 9f6813ab18..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/encode.asm +++ /dev/null @@ -1,265 +0,0 @@ -// Convenience macro to RLP-encode a fixed-length 160 bit (20 byte) string -// and return where we left off. Assumes string < 2^160. -// Pre stack: rlp_addr, string, retdest -// Post stack: rlp_addr -%macro encode_rlp_160 - %stack (rlp_addr, string) -> (20, rlp_addr, string, %%after) - %jump(encode_rlp_fixed) -%%after: -%endmacro - -// Convenience macro to RLP-encode a fixed-length 256 bit (32 byte) string -// and return where we left off. -// Pre stack: rlp_addr, string, retdest -// Post stack: rlp_addr -%macro encode_rlp_256 - %stack (rlp_addr, string) -> (32, rlp_addr, string, %%after) - %jump(encode_rlp_fixed) -%%after: -%endmacro - -// RLP-encode a fixed-length string with the given byte length. Assumes string < 2^(8 * len). -global encode_rlp_fixed: - // stack: len, rlp_addr, string, retdest - DUP2 - DUP2 - %add_const(0x80) - // stack: first_byte, rlp_addr, len, rlp_addr, string, retdest - MSTORE_GENERAL - // stack: len, rlp_addr, string, retdest - SWAP1 - %increment // increment rlp_addr - // stack: rlp_addr, len, string, retdest - %stack (rlp_addr, len, string) -> (rlp_addr, string, len, encode_rlp_fixed_finish) - // stack: rlp_addr, string, len, encode_rlp_fixed_finish, retdest - %jump(mstore_unpacking) -encode_rlp_fixed_finish: - // stack: rlp_addr', retdest - SWAP1 - JUMP - -// Doubly-RLP-encode a fixed-length string with the given byte length. -// I.e. writes encode(encode(string). Assumes string < 2^(8 * len). -global doubly_encode_rlp_fixed: - // stack: len, rlp_addr, string, retdest - DUP2 - DUP2 - %add_const(0x81) - // stack: first_byte, rlp_addr, len, rlp_addr, string, retdest - MSTORE_GENERAL - // stack: len, rlp_addr, string, retdest - DUP2 %increment - DUP2 - %add_const(0x80) - // stack: second_byte, rlp_addr', len, original_rlp_addr, string, retdest - MSTORE_GENERAL - // stack: len, rlp_addr, string, retdest - SWAP1 - %add_const(2) // advance past the two prefix bytes - // stack: rlp_addr'', len, string, retdest - %stack (rlp_addr, len, string) -> (rlp_addr, string, len, encode_rlp_fixed_finish) - // stack: context, segment, rlp_addr'', string, len, encode_rlp_fixed_finish, retdest - %jump(mstore_unpacking) - -// Writes the RLP prefix for a string of the given length. This does not handle -// the trivial encoding of certain single-byte strings, as handling that would -// require access to the actual string, while this method only accesses its -// length. This method should generally be used only when we know a string -// contains at least two bytes. -// -// Pre stack: rlp_addr, str_len, retdest -// Post stack: rlp_addr' -global encode_rlp_multi_byte_string_prefix: - // stack: rlp_addr, str_len, retdest - DUP2 %gt_const(55) - // stack: str_len > 55, rlp_addr, str_len, retdest - %jumpi(encode_rlp_multi_byte_string_prefix_large) - // Medium case; prefix is 0x80 + str_len. - // stack: rlp_addr, str_len, retdest - PUSH 0x80 - DUP2 - // stack: rlp_addr, 0x80, rlp_addr, str_len, retdest - SWAP3 ADD - // stack: prefix, rlp_addr, rlp_addr, retdest - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - // stack: rlp_addr', retdest - SWAP1 - JUMP -encode_rlp_multi_byte_string_prefix_large: - // Large case; prefix is 0xb7 + len_of_len, followed by str_len. - // stack: rlp_addr, str_len, retdest - DUP2 - %num_bytes - // stack: len_of_len, rlp_addr, str_len, retdest - SWAP1 - DUP1 // rlp_addr - DUP3 // len_of_len - %add_const(0xb7) - // stack: first_byte, rlp_addr, rlp_addr, len_of_len, str_len, retdest - MSTORE_GENERAL - // stack: rlp_addr, len_of_len, str_len, retdest - %increment - // stack: rlp_addr', len_of_len, str_len, retdest - %stack (rlp_addr, len_of_len, str_len) -> (rlp_addr, str_len, len_of_len) - %jump(mstore_unpacking) - -%macro encode_rlp_multi_byte_string_prefix - %stack (rlp_addr, str_len) -> (rlp_addr, str_len, %%after) - %jump(encode_rlp_multi_byte_string_prefix) -%%after: -%endmacro - -// Writes the RLP prefix for a list with the given payload length. -// -// Pre stack: rlp_addr, payload_len, retdest -// Post stack: rlp_addr' -global encode_rlp_list_prefix: - // stack: rlp_addr, payload_len, retdest - DUP2 %gt_const(55) - %jumpi(encode_rlp_list_prefix_large) - // Small case: prefix is just 0xc0 + length. - // stack: rlp_addr, payload_len, retdest - DUP1 - SWAP2 - %add_const(0xc0) - // stack: prefix, rlp_addr, rlp_addr, retdest - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - SWAP1 - JUMP -encode_rlp_list_prefix_large: - // Write 0xf7 + len_of_len. - // stack: rlp_addr, payload_len, retdest - DUP2 %num_bytes - // stack: len_of_len, rlp_addr, payload_len, retdest - DUP2 - DUP2 %add_const(0xf7) - // stack: first_byte, rlp_addr, len_of_len, rlp_addr, payload_len, retdest - MSTORE_GENERAL - // stack: len_of_len, rlp_addr, payload_len, retdest - SWAP1 %increment - // stack: rlp_addr', len_of_len, payload_len, retdest - %stack (rlp_addr, len_of_len, payload_len) - -> (rlp_addr, payload_len, len_of_len, - encode_rlp_list_prefix_large_done_writing_len) - %jump(mstore_unpacking) -encode_rlp_list_prefix_large_done_writing_len: - // stack: rlp_addr'', retdest - SWAP1 - JUMP - -%macro encode_rlp_list_prefix - %stack (rlp_addr, payload_len) -> (rlp_addr, payload_len, %%after) - %jump(encode_rlp_list_prefix) -%%after: -%endmacro - -// Given an RLP list payload which starts and ends at the given rlp_address, -// prepend the appropriate RLP list prefix. Returns the updated start rlp_address, -// as well as the length of the RLP data (including the newly-added prefix). -// -// Pre stack: end_rlp_addr, start_rlp_addr, retdest -// Post stack: prefix_start_rlp_addr, rlp_len -global prepend_rlp_list_prefix: - // stack: end_rlp_addr, start_rlp_addr, retdest - DUP2 DUP2 SUB // end_rlp_addr - start_rlp_addr - // stack: payload_len, end_rlp_addr, start_rlp_addr, retdest - DUP1 %gt_const(55) - %jumpi(prepend_rlp_list_prefix_big) - - // If we got here, we have a small list, so we prepend 0xc0 + len at rlp_address 8. - // stack: payload_len, end_rlp_addr, start_rlp_addr, retdest - PUSH 1 DUP4 SUB // offset of prefix - DUP2 %add_const(0xc0) - // stack: prefix_byte, start_rlp_addr-1, payload_len, end_rlp_addr, start_rlp_addr, retdest - MSTORE_GENERAL - // stack: payload_len, end_rlp_addr, start_rlp_addr, retdest - %increment - // stack: rlp_len, end_rlp_addr, start_rlp_addr, retdest - SWAP2 %decrement - // stack: prefix_start_rlp_addr, end_rlp_addr, rlp_len, retdest - %stack (prefix_start_rlp_addr, end_rlp_addr, rlp_len, retdest) -> (retdest, prefix_start_rlp_addr, rlp_len) - JUMP - -prepend_rlp_list_prefix_big: - // We have a large list, so we prepend 0xf7 + len_of_len at rlp_address - // prefix_start_rlp_addr = start_rlp_addr - 1 - len_of_len - // followed by the length itself. - // stack: payload_len, end_rlp_addr, start_rlp_addr, retdest - DUP1 %num_bytes - // stack: len_of_len, payload_len, end_rlp_addr, start_rlp_addr, retdest - DUP1 - PUSH 1 DUP6 SUB // start_rlp_addr - 1 - SUB - // stack: prefix_start_rlp_addr, len_of_len, payload_len, end_rlp_addr, start_rlp_addr, retdest - DUP1 - DUP3 %add_const(0xf7) MSTORE_GENERAL // rlp[prefix_start_rlp_addr] = 0xf7 + len_of_len - // stack: prefix_start_rlp_addr, len_of_len, payload_len, end_rlp_addr, start_rlp_addr, retdest - DUP1 %increment // start_len_rlp_addr = prefix_start_rlp_addr + 1 - %stack (start_len_rlp_addr, prefix_start_rlp_addr, len_of_len, payload_len, end_rlp_addr, start_rlp_addr, retdest) - -> (start_len_rlp_addr, payload_len, len_of_len, - prepend_rlp_list_prefix_big_done_writing_len, - prefix_start_rlp_addr, end_rlp_addr, retdest) - %jump(mstore_unpacking) -prepend_rlp_list_prefix_big_done_writing_len: - // stack: start_rlp_addr, prefix_start_rlp_addr, end_rlp_addr, retdest - %stack (start_rlp_addr, prefix_start_rlp_addr, end_rlp_addr) - -> (end_rlp_addr, prefix_start_rlp_addr, prefix_start_rlp_addr) - // stack: end_rlp_addr, prefix_start_rlp_addr, prefix_start_rlp_addr, retdest - SUB - // stack: rlp_len, prefix_start_rlp_addr, retdest - %stack (rlp_len, prefix_start_rlp_addr, retdest) -> (retdest, prefix_start_rlp_addr, rlp_len) - JUMP - -// Convenience macro to call prepend_rlp_list_prefix and return where we left off. -%macro prepend_rlp_list_prefix - %stack (end_rlp_addr, start_rlp_addr) -> (end_rlp_addr, start_rlp_addr, %%after) - %jump(prepend_rlp_list_prefix) -%%after: -%endmacro - -// Given some scalar, compute the number of bytes used in its RLP encoding, -// including any length prefix. -%macro rlp_scalar_len - // stack: scalar - // Since the scalar fits in a word, we can't hit the large (>55 byte) - // case, so we just check for small vs medium. - DUP1 %gt_const(0x7f) - // stack: is_medium, scalar - %jumpi(%%medium) - // Small case; result is 1. - %stack (scalar) -> (1) - %jump(%%finish) -%%medium: - // stack: scalar - %num_bytes - // stack: scalar_bytes - %increment // Account for the length prefix. - // stack: rlp_len -%%finish: -%endmacro - -// Given some list with the given payload length, compute the number of bytes -// used in its RLP encoding, including the list prefix. -%macro rlp_list_len - // stack: payload_len - DUP1 %gt_const(55) - // stack: is_large, payload_len - %jumpi(%%large) - // Small case; prefix is a single byte. - %increment - // stack: 1 + payload_len - %jump(%%finish) -%%large: - // Prefix is 1 byte containing len_of_len, followed by len_of_len bytes containing len. - // stack: payload_len - DUP1 %num_bytes - // stack: len_of_len, payload_len - %increment - // stack: prefix_len, payload_len - ADD -%%finish: -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/encode_rlp_scalar.asm b/evm/src/cpu/kernel/asm/rlp/encode_rlp_scalar.asm deleted file mode 100644 index d311a57ebc..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/encode_rlp_scalar.asm +++ /dev/null @@ -1,108 +0,0 @@ -// RLP-encode a scalar, i.e. a variable-length integer. -// Pre stack: rlp_addr, scalar, retdest -// Post stack: rlp_addr -global encode_rlp_scalar: - // stack: rlp_addr, scalar, retdest - // If scalar > 0x7f, this is the "medium" case. - DUP2 - %gt_const(0x7f) - %jumpi(encode_rlp_scalar_medium) - - // Else, if scalar != 0, this is the "small" case, where the value is its own encoding. - DUP2 %jumpi(encode_rlp_scalar_small) - - // scalar = 0, so BE(scalar) is the empty string, which RLP encodes as a single byte 0x80. - // stack: rlp_addr, scalar, retdest - %stack (rlp_addr, scalar) -> (0x80, rlp_addr, rlp_addr) - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - // stack: rlp_addr', retdest - SWAP1 - JUMP - -encode_rlp_scalar_medium: - // This is the "medium" case, where we write 0x80 + len followed by the - // (big-endian) scalar bytes. We first compute the minimal number of bytes - // needed to represent this scalar, then treat it as if it was a fixed- - // length string with that length. - // stack: rlp_addr, scalar, retdest - DUP2 - %num_bytes - // stack: scalar_bytes, rlp_addr, scalar, retdest - %jump(encode_rlp_fixed) - -// Doubly-RLP-encode a scalar, i.e. return encode(encode(scalar)). -// Pre stack: rlp_addr, scalar, retdest -// Post stack: rlp_addr -global doubly_encode_rlp_scalar: - // stack: rlp_addr, scalar, retdest - // If scalar > 0x7f, this is the "medium" case. - DUP2 - %gt_const(0x7f) - %jumpi(doubly_encode_rlp_scalar_medium) - - // Else, if scalar != 0, this is the "small" case, where the value is its own encoding. - DUP2 %jumpi(encode_rlp_scalar_small) - - // scalar = 0, so BE(scalar) is the empty string, encode(scalar) = 0x80, and encode(encode(scalar)) = 0x8180. - // stack: rlp_addr, scalar, retdest - %stack (rlp_addr, scalar) -> (0x81, rlp_addr, rlp_addr) - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - DUP1 PUSH 0x80 - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - // stack: rlp_addr, retdest - SWAP1 - JUMP - -doubly_encode_rlp_scalar_medium: - // This is the "medium" case, where - // encode(scalar) = [0x80 + len] || BE(scalar) - // and so - // encode(encode(scalar)) = [0x80 + len + 1] || [0x80 + len] || BE(scalar) - // We first compute the length of the scalar with %num_bytes, then treat the scalar as if it was a - // fixed-length string with that length. - // stack: rlp_addr, scalar, retdest - DUP2 - %num_bytes - // stack: scalar_bytes, rlp_addr, scalar, retdest - %jump(doubly_encode_rlp_fixed) - -// The "small" case of RLP-encoding a scalar, where the value is its own encoding. -// This can be used for both for singly encoding or doubly encoding, since encode(encode(x)) = encode(x) = x. -encode_rlp_scalar_small: - // stack: rlp_addr, scalar, retdest - %stack (rlp_addr, scalar) -> (scalar, rlp_addr, rlp_addr) - // stack: scalar, rlp_addr, rlp_addr, retdest - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - // stack: rlp_addr', retdest - SWAP1 - JUMP - -// Convenience macro to call encode_rlp_scalar and return where we left off. -// It takes swapped inputs, i.e. `scalar, rlp_addr` instead of `rlp_addr, scalar`. -%macro encode_rlp_scalar_swapped_inputs - %stack (scalar, rlp_addr) -> (rlp_addr, scalar, %%after) - %jump(encode_rlp_scalar) -%%after: -%endmacro - -// Convenience macro to call encode_rlp_scalar and return where we left off. -%macro encode_rlp_scalar - %stack (rlp_addr, scalar) -> (rlp_addr, scalar, %%after) - %jump(encode_rlp_scalar) -%%after: -%endmacro - -// Convenience macro to call doubly_encode_rlp_scalar and return where we left off. -%macro doubly_encode_rlp_scalar - %stack (rlp_addr, scalar) -> (rlp_addr, scalar, %%after) - %jump(doubly_encode_rlp_scalar) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/encode_rlp_string.asm b/evm/src/cpu/kernel/asm/rlp/encode_rlp_string.asm deleted file mode 100644 index 60174a9436..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/encode_rlp_string.asm +++ /dev/null @@ -1,79 +0,0 @@ -// Encodes an arbitrary string, given a pointer and length. -// Pre stack: rlp_addr, ADDR, len, retdest -// Post stack: rlp_addr' -global encode_rlp_string: - // stack: rlp_addr, ADDR, len, retdest - DUP3 %eq_const(1) - // stack: len == 1, rlp_addr, ADDR, len, retdest - DUP3 - MLOAD_GENERAL - // stack: first_byte, len == 1, rlp_addr, ADDR, len, retdest - %lt_const(128) - MUL // cheaper than AND - // stack: single_small_byte, rlp_addr, ADDR, len, retdest - %jumpi(encode_rlp_string_small_single_byte) - - // stack: rlp_addr, ADDR, len, retdest - DUP3 %gt_const(55) - // stack: len > 55, rlp_addr, ADDR, len, retdest - %jumpi(encode_rlp_string_large) - -global encode_rlp_string_small: - // stack: rlp_addr, ADDR, len, retdest - DUP1 - DUP4 // len - %add_const(0x80) - // stack: first_byte, rlp_addr, rlp_addr, ADDR, len, retdest - MSTORE_GENERAL - // stack: rlp_addr, ADDR, len, retdest - %increment - // stack: rlp_addr', ADDR, len, retdest - DUP3 DUP2 ADD // rlp_addr'' = rlp_addr' + len - // stack: rlp_addr'', rlp_addr', ADDR, len, retdest - %stack (rlp_addr2, rlp_addr1, ADDR, len, retdest) - -> (rlp_addr1, ADDR, len, retdest, rlp_addr2) - %jump(memcpy_bytes) - -global encode_rlp_string_small_single_byte: - // stack: rlp_addr, ADDR, len, retdest - %stack (rlp_addr, ADDR, len) -> (ADDR, rlp_addr) - MLOAD_GENERAL - // stack: byte, rlp_addr, retdest - DUP2 SWAP1 - MSTORE_GENERAL - // stack: rlp_addr, retdest - %increment - SWAP1 - // stack: retdest, rlp_addr' - JUMP - -global encode_rlp_string_large: - // stack: rlp_addr, ADDR, len, retdest - DUP3 %num_bytes - // stack: len_of_len, rlp_addr, ADDR, len, retdest - SWAP1 - DUP1 - // stack: rlp_addr, rlp_addr, len_of_len, ADDR, len, retdest - DUP3 // len_of_len - %add_const(0xb7) - // stack: first_byte, rlp_addr, rlp_addr, len_of_len, ADDR, len, retdest - MSTORE_GENERAL - // stack: rlp_addr, len_of_len, ADDR, len, retdest - %increment - // stack: rlp_addr', len_of_len, ADDR, len, retdest - %stack (rlp_addr, len_of_len, ADDR, len) - -> (rlp_addr, len, len_of_len, encode_rlp_string_large_after_writing_len, ADDR, len) - %jump(mstore_unpacking) -global encode_rlp_string_large_after_writing_len: - // stack: rlp_addr'', ADDR, len, retdest - DUP3 DUP2 ADD // rlp_addr''' = rlp_addr'' + len - // stack: rlp_addr''', rlp_addr'', ADDR, len, retdest - %stack (rlp_addr3, rlp_addr2, ADDR, len, retdest) - -> (rlp_addr2, ADDR, len, retdest, rlp_addr3) - %jump(memcpy_bytes) - -%macro encode_rlp_string - %stack (rlp_addr, ADDR, len) -> (rlp_addr, ADDR, len, %%after) - %jump(encode_rlp_string) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/increment_bounded_rlp.asm b/evm/src/cpu/kernel/asm/rlp/increment_bounded_rlp.asm deleted file mode 100644 index 6958cff9f8..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/increment_bounded_rlp.asm +++ /dev/null @@ -1,38 +0,0 @@ -// Increment by 1 the rlp encoded index and increment -// its number of nibbles when required. Shouldn't be -// called with rlp_index > 0x82 ff ff -global increment_bounded_rlp: - // stack: num_nibbles, rlp_index, retdest - DUP2 - %eq_const(0x80) - %jumpi(case_0x80) - DUP1 - %eq_const(0x7f) - %jumpi(case_0x7f) - DUP1 - %eq_const(0x81ff) - %jumpi(case_0x81ff) - // If rlp_index != 0x80 and rlp_index != 0x7f and rlp_index != 0x81ff - // we only need to add one and keep the number of nibbles - DUP2 %increment DUP2 - %stack (next_num_nibbles, next_rlp_index, num_nibbles, rlp_index, retdest) -> (retdest, rlp_index, num_nibbles, next_rlp_index, next_num_nibbles) - JUMP - -case_0x80: - %stack (num_nibbles, rlp_index, retdest) -> (retdest, 0x80, 2, 0x01, 2) - JUMP -case_0x7f: - %stack (num_nibbles, rlp_index, retdest) -> (retdest, 0x7f, 2, 0x8180, 4) - JUMP - -case_0x81ff: - %stack (num_nibbles, rlp_index, retdest) -> (retdest, 0x81ff, 4, 0x820100, 6) - JUMP - - - -%macro increment_bounded_rlp - %stack (rlp_index, num_nibbles) -> (rlp_index, num_nibbles, %%after) - %jump(increment_bounded_rlp) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/num_bytes.asm b/evm/src/cpu/kernel/asm/rlp/num_bytes.asm deleted file mode 100644 index de0a7ca966..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/num_bytes.asm +++ /dev/null @@ -1,30 +0,0 @@ -// Get the number of bytes required to represent the given scalar. -// Note that we define num_bytes(0) to be 1. -global num_bytes: - // stack: x, retdest - DUP1 ISZERO %jumpi(return_1) - // Non-deterministically guess the number of bits - PROVER_INPUT(num_bits) - %stack(num_bits, x) -> (num_bits, 1, x, num_bits) - SUB - SHR - // stack: 1, num_bits - %assert_eq_const(1) - // convert number of bits to number of bytes - %add_const(7) - %shr_const(3) - - SWAP1 - JUMP - -return_1: - // stack: x, retdest - %stack(x, retdest) -> (retdest, 1) - JUMP - -// Convenience macro to call num_bytes and return where we left off. -%macro num_bytes - %stack (x) -> (x, %%after) - %jump(num_bytes) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/asm/rlp/read_to_memory.asm b/evm/src/cpu/kernel/asm/rlp/read_to_memory.asm deleted file mode 100644 index 8070fd0beb..0000000000 --- a/evm/src/cpu/kernel/asm/rlp/read_to_memory.asm +++ /dev/null @@ -1,38 +0,0 @@ -// Read RLP data from the prover's tape, and save it to the SEGMENT_RLP_RAW -// segment of memory. - -// Pre stack: retdest -// Post stack: txn_rlp_len - -global read_rlp_to_memory: - // stack: retdest - PROVER_INPUT(rlp) // Read the RLP blob length from the prover tape. - // stack: len, retdest - PUSH @SEGMENT_RLP_RAW - %build_kernel_address - - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - // stack: addr, final_addr, retdest -read_rlp_to_memory_loop: - // stack: addr, final_addr, retdest - DUP2 - DUP2 - LT - ISZERO - // stack: addr >= final_addr, addr, final_addr, retdest - %jumpi(read_rlp_to_memory_finish) - // stack: addr, final_addr, retdest - PROVER_INPUT(rlp) - SWAP1 - MSTORE_32BYTES_32 - // stack: addr', final_addr, retdest - %jump(read_rlp_to_memory_loop) - -read_rlp_to_memory_finish: - // stack: addr, final_addr, retdest - // we recover the offset here - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - DUP3 SUB - // stack: pos, addr, final_addr, retdest - %stack(pos, addr, final_addr, retdest) -> (retdest, pos) - JUMP \ No newline at end of file diff --git a/evm/src/cpu/kernel/asm/shift.asm b/evm/src/cpu/kernel/asm/shift.asm deleted file mode 100644 index ee9ccbfaea..0000000000 --- a/evm/src/cpu/kernel/asm/shift.asm +++ /dev/null @@ -1,20 +0,0 @@ -/// Initialise the lookup table of binary powers for doing left/right shifts -/// -/// Specifically, set SHIFT_TABLE_SEGMENT[i] = 2^i for i = 0..255. -%macro shift_table_init - push @SEGMENT_SHIFT_TABLE // segment, ctx == virt == 0 - push 1 // 2^0 - %rep 255 - // stack: 2^i, addr_i - dup2 - %increment - // stack: addr_(i+1), 2^i, addr_i - dup2 - dup1 - add - // stack: 2^(i+1), addr_(i+1), 2^i, addr_i - %endrep - %rep 256 - mstore_general - %endrep -%endmacro diff --git a/evm/src/cpu/kernel/asm/signed.asm b/evm/src/cpu/kernel/asm/signed.asm deleted file mode 100644 index 566d7d5aeb..0000000000 --- a/evm/src/cpu/kernel/asm/signed.asm +++ /dev/null @@ -1,216 +0,0 @@ -// SDIV(a, b): signed division operation. -// -// If b = 0, then SDIV(a, b) = 0, -// else if a = -2^255 and b = -1, then SDIV(a, b) = -2^255 -// else SDIV(a, b) = sgn(a/b) * floor(|a/b|). -global _sys_sdiv: - // stack: num, denom, return_info - DUP1 - PUSH 0x8000000000000000000000000000000000000000000000000000000000000000 - GT - // stack: num_is_nonneg := sign_bit > num, num, denom, return_info - DUP1 - %jumpi(sys_sdiv_nonneg_num) - // stack: num_is_nonneg, num, denom, return_info - SWAP1 - PUSH 0 - SUB - SWAP1 - // stack: num_is_nonneg, num := -num, denom, return_info -sys_sdiv_nonneg_num: - SWAP2 - DUP1 - PUSH 0x8000000000000000000000000000000000000000000000000000000000000000 - GT - // stack: denom_is_nonneg := sign_bit > denom, denom, num, num_is_nonneg, return_info - DUP1 - %jumpi(sys_sdiv_nonneg_denom) - // stack: denom_is_nonneg, denom, num, num_is_nonneg, return_info - SWAP1 - PUSH 0 - SUB - // stack: denom := -denom, denom_is_nonneg, num, num_is_nonneg, return_info - SWAP1 -sys_sdiv_nonneg_denom: - // stack: denom_is_nonneg, denom, num, num_is_nonneg, return_info - SWAP2 - DIV - // stack: num / denom, denom_is_nonneg, num_is_nonneg, return_info - SWAP2 - EQ - // stack: denom_is_nonneg == num_is_nonneg, num / denom, return_info - %jumpi(sys_sdiv_same_sign) - PUSH 0 - SUB -sys_sdiv_same_sign: - SWAP1 - JUMP - - -// SMOD(a, b): signed "modulo remainder" operation. -// -// If b != 0, then SMOD(a, b) = sgn(a) * MOD(|a|, |b|), -// else SMOD(a, 0) = 0. -global _sys_smod: - // stack: x, mod, return_info - PUSH 0x8000000000000000000000000000000000000000000000000000000000000000 - // stack: sign_bit, x, mod, return_info - DUP1 - DUP4 - LT - // stack: mod < sign_bit, sign_bit, x, mod, return_info - %jumpi(sys_smod_pos_mod) - // mod is negative, so we negate it - // sign_bit, x, mod, return_info - SWAP2 - PUSH 0 - SUB - SWAP2 - // sign_bit, x, mod := 0 - mod, return_info -sys_smod_pos_mod: - // At this point, we know that mod is non-negative. - DUP2 - LT - // stack: x < sign_bit, x, mod, return_info - %jumpi(sys_smod_pos_x) - // x is negative, so let's negate it - // stack: x, mod, return_info - PUSH 0 - SUB - // stack: x := 0 - x, mod, return_info - MOD - // negate the result - PUSH 0 - SUB - SWAP1 - JUMP -sys_smod_pos_x: - // Both x and mod are non-negative - // stack: x, mod, return_info - MOD - SWAP1 - JUMP - - -// SIGNEXTEND from the Nth byte of value, where the bytes of value are -// considered in LITTLE-endian order. Just a SHL followed by a SAR. -global _sys_signextend: - // Stack: N, value, return_info - // Handle N >= 31, which is a no-op. - PUSH 31 - %min - // Stack: min(31, N), value, return_info - %increment - %mul_const(8) - // Stack: 8*(N + 1), value, return_info - PUSH 256 - SUB - // Stack: 256 - 8*(N + 1), value, return_info - %stack(bits, value, return_info) -> (bits, value, bits, return_info) - SHL - SWAP1 - // Stack: bits, value << bits, return_info - // fall through to sys_sar - - -// SAR, i.e. shift arithmetic right, shifts `value` `shift` bits to -// the right, preserving sign by filling with the most significant bit. -// -// Trick: x >>s i = (x + sign_bit >>u i) - (sign_bit >>u i), -// where >>s is arithmetic shift and >>u is logical shift. -// Reference: Hacker's Delight, 2013, 2nd edition, §2-7. -global _sys_sar: - // SAR(shift, value) is the same for all shift >= 255, so we - // replace shift with min(shift, 255) - - // Stack: shift, value, return_info - PUSH 255 - %min - // Stack: min(shift, 255), value, return_info - - // Now assume shift < 256. - // Stack: shift, value, return_info - PUSH 0x8000000000000000000000000000000000000000000000000000000000000000 - DUP2 - SHR - // Stack: 2^255 >> shift, shift, value, return_info - SWAP2 - %add_const(0x8000000000000000000000000000000000000000000000000000000000000000) - // Stack: 2^255 + value, shift, 2^255 >> shift, return_info - SWAP1 - SHR - SUB - // Stack: ((2^255 + value) >> shift) - (2^255 >> shift), return_info - SWAP1 - JUMP - - -// SGT, i.e. signed greater than, returns 1 if lhs > rhs as signed -// integers, 0 otherwise. -// -// Just swap argument order and fall through to signed less than. -global _sys_sgt: - SWAP1 - - -// SLT, i.e. signed less than, returns 1 if lhs < rhs as signed -// integers, 0 otherwise. -// -// Trick: x (_sys_sdiv, x, y, _syscall_return, kernel_return) - JUMP - -global sys_smod: - %charge_gas_const(@GAS_LOW) - %stack(kernel_return, x, y) -> (_sys_smod, x, y, _syscall_return, kernel_return) - JUMP - -global sys_signextend: - %charge_gas_const(@GAS_LOW) - %stack(kernel_return, x, y) -> (_sys_signextend, x, y, _syscall_return, kernel_return) - JUMP - -global sys_sar: - %charge_gas_const(@GAS_VERYLOW) - %stack(kernel_return, x, y) -> (_sys_sar, x, y, _syscall_return, kernel_return) - JUMP - -global sys_slt: - %charge_gas_const(@GAS_VERYLOW) - %stack(kernel_return, x, y) -> (_sys_slt, x, y, _syscall_return, kernel_return) - JUMP - -global sys_sgt: - %charge_gas_const(@GAS_VERYLOW) - %stack(kernel_return, x, y) -> (_sys_sgt, x, y, _syscall_return, kernel_return) - JUMP - -_syscall_return: - SWAP1 - EXIT_KERNEL diff --git a/evm/src/cpu/kernel/asm/transactions/common_decoding.asm b/evm/src/cpu/kernel/asm/transactions/common_decoding.asm deleted file mode 100644 index 4a8feccaa3..0000000000 --- a/evm/src/cpu/kernel/asm/transactions/common_decoding.asm +++ /dev/null @@ -1,252 +0,0 @@ -// Store chain ID = 1. Used for non-legacy txns which always have a chain ID. -%macro store_chain_id_present_true - PUSH 1 - %mstore_txn_field(@TXN_FIELD_CHAIN_ID_PRESENT) -%endmacro - -// Decode the chain ID and store it. -%macro decode_and_store_chain_id - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, chain_id) -> (chain_id, rlp_addr) - %mstore_txn_field(@TXN_FIELD_CHAIN_ID) - // stack: rlp_addr -%endmacro - -// Decode the nonce and store it. -%macro decode_and_store_nonce - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, nonce) -> (nonce, rlp_addr) - %mstore_txn_field(@TXN_FIELD_NONCE) - // stack: rlp_addr -%endmacro - -// Decode the gas price and, since this is for legacy txns, store it as both -// TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS and TXN_FIELD_MAX_FEE_PER_GAS. -%macro decode_and_store_gas_price_legacy - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, gas_price) -> (gas_price, gas_price, rlp_addr) - %mstore_txn_field(@TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS) - %mstore_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - // stack: rlp_addr -%endmacro - -// Decode the max priority fee and store it. -%macro decode_and_store_max_priority_fee - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, gas_price) -> (gas_price, rlp_addr) - %mstore_txn_field(@TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS) - // stack: rlp_addr -%endmacro - -// Decode the max fee and store it. -%macro decode_and_store_max_fee - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, gas_price) -> (gas_price, rlp_addr) - %mstore_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - // stack: rlp_addr -%endmacro - -// Decode the gas limit and store it. -%macro decode_and_store_gas_limit - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, gas_limit) -> (gas_limit, rlp_addr) - %mstore_txn_field(@TXN_FIELD_GAS_LIMIT) - // stack: rlp_addr -%endmacro - -// Decode the "to" field and store it. -// This field is either 160-bit or empty in the case of a contract creation txn. -%macro decode_and_store_to - // stack: rlp_addr - %decode_rlp_string_len - // stack: rlp_addr, len - SWAP1 - // stack: len, rlp_addr - DUP1 ISZERO %jumpi(%%contract_creation) - // stack: len, rlp_addr - DUP1 %eq_const(20) ISZERO %jumpi(invalid_txn) // Address is 160-bit - %stack (len, rlp_addr) -> (rlp_addr, len, %%with_scalar) - %jump(decode_int_given_len) -%%with_scalar: - // stack: rlp_addr, int - SWAP1 - %mstore_txn_field(@TXN_FIELD_TO) - // stack: rlp_addr - %jump(%%end) -%%contract_creation: - // stack: len, rlp_addr - POP - PUSH 1 %mstore_global_metadata(@GLOBAL_METADATA_CONTRACT_CREATION) - // stack: rlp_addr -%%end: -%endmacro - -// Decode the "value" field and store it. -%macro decode_and_store_value - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, value) -> (value, rlp_addr) - %mstore_txn_field(@TXN_FIELD_VALUE) - // stack: rlp_addr -%endmacro - -// Decode the calldata field, store its length in @TXN_FIELD_DATA_LEN, and copy it to @SEGMENT_TXN_DATA. -%macro decode_and_store_data - // stack: rlp_addr - // Decode the data length, store it, and compute new_rlp_addr after any data. - %decode_rlp_string_len - %stack (rlp_addr, data_len) -> (data_len, rlp_addr, data_len, rlp_addr, data_len) - %mstore_txn_field(@TXN_FIELD_DATA_LEN) - // stack: rlp_addr, data_len, rlp_addr, data_len - ADD - // stack: new_rlp_addr, old_rlp_addr, data_len - - // Memcpy the txn data from @SEGMENT_RLP_RAW to @SEGMENT_TXN_DATA. - %stack (new_rlp_addr, old_rlp_addr, data_len) -> (old_rlp_addr, data_len, %%after, new_rlp_addr) - // old_rlp_addr has context 0. We will call GET_CONTEXT and update it. - GET_CONTEXT ADD - PUSH @SEGMENT_TXN_DATA - GET_CONTEXT ADD - // stack: DST, SRC, data_len, %%after, new_rlp_addr - %jump(memcpy_bytes) - -%%after: - // stack: new_rlp_addr -%endmacro - -%macro decode_and_store_access_list - // stack: rlp_addr - DUP1 %mstore_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_START) - %decode_rlp_list_len - %stack (rlp_addr, len) -> (len, len, rlp_addr, %%after) - %jumpi(decode_and_store_access_list) - // stack: len, rlp_addr, %%after - POP SWAP1 POP - // stack: rlp_addr - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_START) DUP2 SUB %mstore_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) -%%after: -%endmacro - -%macro decode_and_store_y_parity - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, y_parity) -> (y_parity, rlp_addr) - %mstore_txn_field(@TXN_FIELD_Y_PARITY) - // stack: rlp_addr -%endmacro - -%macro decode_and_store_r - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, r) -> (r, rlp_addr) - %mstore_txn_field(@TXN_FIELD_R) - // stack: rlp_addr -%endmacro - -%macro decode_and_store_s - // stack: rlp_addr - %decode_rlp_scalar - %stack (rlp_addr, s) -> (s, rlp_addr) - %mstore_txn_field(@TXN_FIELD_S) - // stack: rlp_addr -%endmacro - - -// The access list is of the form `[[{20 bytes}, [{32 bytes}...]]...]`. -global decode_and_store_access_list: - // stack: len, rlp_addr - DUP2 ADD - // stack: end_rlp_addr, rlp_addr - // Store the RLP length. - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_START) DUP2 SUB %mstore_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) - SWAP1 -decode_and_store_access_list_loop: - // stack: rlp_addr, end_rlp_addr - DUP2 DUP2 EQ %jumpi(decode_and_store_access_list_finish) - // stack: rlp_addr, end_rlp_addr - %decode_rlp_list_len // Should be a list `[{20 bytes}, [{32 bytes}...]]` - // stack: rlp_addr, internal_len, end_rlp_addr - SWAP1 POP // We don't need the length of this list. - // stack: rlp_addr, end_rlp_addr - %decode_rlp_scalar // Address // TODO: Should panic when address is not 20 bytes? - // stack: rlp_addr, addr, end_rlp_addr - SWAP1 - // stack: addr, rlp_addr, end_rlp_addr - DUP1 %insert_accessed_addresses_no_return - // stack: addr, rlp_addr, end_rlp_addr - %add_address_cost - // stack: addr, rlp_addr, end_rlp_addr - SWAP1 - // stack: rlp_addr, addr, end_rlp_addr - %decode_rlp_list_len // Should be a list of storage keys `[{32 bytes}...]` - // stack: rlp_addr, sk_len, addr, end_rlp_addr - SWAP1 DUP2 ADD - // stack: sk_end_rlp_addr, rlp_addr, addr, end_rlp_addr - SWAP1 - // stack: rlp_addr, sk_end_rlp_addr, addr, end_rlp_addr -sk_loop: - DUP2 DUP2 EQ %jumpi(end_sk) - // stack: rlp_addr, sk_end_rlp_addr, addr, end_rlp_addr - %decode_rlp_scalar // Storage key // TODO: Should panic when key is not 32 bytes? - %stack (rlp_addr, key, sk_end_rlp_addr, addr, end_rlp_addr) -> - (addr, key, sk_loop_contd, rlp_addr, sk_end_rlp_addr, addr, end_rlp_addr) - %jump(insert_accessed_storage_keys_with_original_value) -sk_loop_contd: - // stack: rlp_addr, sk_end_rlp_addr, addr, end_rlp_addr - %add_storage_key_cost - %jump(sk_loop) -end_sk: - %stack (rlp_addr, sk_end_rlp_addr, addr, end_rlp_addr) -> (rlp_addr, end_rlp_addr) - %jump(decode_and_store_access_list_loop) -decode_and_store_access_list_finish: - %stack (rlp_addr, end_rlp_addr, retdest) -> (retdest, rlp_addr) - JUMP - -%macro add_address_cost - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_DATA_COST) - %add_const(@GAS_ACCESSLISTADDRESS) - %mstore_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_DATA_COST) -%endmacro - -%macro add_storage_key_cost - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_DATA_COST) - %add_const(@GAS_ACCESSLISTSTORAGE) - %mstore_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_DATA_COST) -%endmacro - -insert_accessed_storage_keys_with_original_value: - %stack (addr, key, retdest) -> (key, addr, after_read, addr, key, retdest) - %jump(sload_with_addr) -after_read: - %stack (value, addr, key, retdest) -> ( addr, key, value, retdest) - %insert_accessed_storage_keys - %pop2 - JUMP - - -sload_with_addr: - %stack (slot, addr) -> (slot, addr, after_storage_read) - %slot_to_storage_key - // stack: storage_key, addr, after_storage_read - PUSH 64 // storage_key has 64 nibbles - %stack (n64, storage_key, addr, after_storage_read) -> (addr, n64, storage_key, after_storage_read) - %mpt_read_state_trie - // stack: account_ptr, 64, storage_key, after_storage_read - DUP1 ISZERO %jumpi(ret_zero) // TODO: Fix this. This should never happen. - // stack: account_ptr, 64, storage_key, after_storage_read - %add_const(2) - // stack: storage_root_ptr_ptr - %mload_trie_data - // stack: storage_root_ptr, 64, storage_key, after_storage_read - %jump(mpt_read) - -ret_zero: - // stack: account_ptr, 64, storage_key, after_storage_read, retdest - %pop4 - PUSH 0 SWAP1 JUMP diff --git a/evm/src/cpu/kernel/asm/transactions/router.asm b/evm/src/cpu/kernel/asm/transactions/router.asm deleted file mode 100644 index edabfbc43a..0000000000 --- a/evm/src/cpu/kernel/asm/transactions/router.asm +++ /dev/null @@ -1,64 +0,0 @@ -// This is the entry point of transaction processing. We load the transaction -// RLP data into memory, check the transaction type, then based on the type we -// jump to the appropriate transaction parsing method. - -global route_txn: - // stack: txn_counter, num_nibbles, retdest - // First load transaction data into memory, where it will be parsed. - %stack(txn_counter, num_nibbles) -> (update_txn_trie, txn_counter, num_nibbles, read_txn_from_memory) - // stack: update_txn_trie, txn_counter, num_nibbles, read_txn_from_memory, retdest - %jump(read_rlp_to_memory) - -// At this point, the raw txn data is in memory. -read_txn_from_memory: - // stack: retdest - - // We will peak at the first byte to determine what type of transaction this is. - // Note that type 1 and 2 transactions have a first byte of 1 and 2, respectively. - // Type 0 (legacy) transactions have no such prefix, but their RLP will have a - // first byte >= 0xc0, so there is no overlap. - - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - MLOAD_GENERAL - %eq_const(1) - // stack: first_byte == 1, retdest - %jumpi(process_type_1_txn) - // stack: retdest - - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - MLOAD_GENERAL - %eq_const(2) - // stack: first_byte == 2, retdest - %jumpi(process_type_2_txn) - // stack: retdest - - // At this point, since it's not a type 1 or 2 transaction, - // it must be a legacy (aka type 0) transaction. - %jump(process_type_0_txn) - -global update_txn_trie: - // stack: txn_rlp_len, txn_counter, num_nibbles, retdest - // Copy the transaction rlp to the trie data segment. - %get_trie_data_size - // stack: value_ptr, txn_rlp_len, txn_counter, num_nibbles, retdest - SWAP1 - // First we write txn rlp length - DUP1 %append_to_trie_data - // stack: txn_rlp_len, value_ptr, txn_counter, num_nibbles, ret_dest - DUP2 %increment - // stack: rlp_start=value_ptr+1, txn_rlp_len, value_ptr, txn_counter, num_nibbles, retdest - - - // and now copy txn_rlp to the new block - %stack (rlp_start, txn_rlp_len, value_ptr, txn_counter, num_nibbles) -> ( - @SEGMENT_RLP_RAW, // src addr. ctx == virt == 0 - rlp_start, @SEGMENT_TRIE_DATA, // swapped dest addr, ctx == 0 - txn_rlp_len, // mcpy len - txn_rlp_len, rlp_start, txn_counter, num_nibbles, value_ptr) - SWAP2 %build_kernel_address - // stack: DST, SRC, txn_rlp_len, txn_rlp_len, rlp_start, txn_counter, num_nibbles, value_ptr - %memcpy_bytes - ADD - %set_trie_data_size - // stack: txn_counter, num_nibbles, value_ptr, retdest - %jump(mpt_insert_txn_trie) diff --git a/evm/src/cpu/kernel/asm/transactions/type_0.asm b/evm/src/cpu/kernel/asm/transactions/type_0.asm deleted file mode 100644 index a3f3bb0d25..0000000000 --- a/evm/src/cpu/kernel/asm/transactions/type_0.asm +++ /dev/null @@ -1,173 +0,0 @@ -// Type 0 transactions, aka legacy transaction, have the format -// rlp([nonce, gas_price, gas_limit, to, value, data, v, r, s]) -// -// The field v was originally encoded as -// 27 + y_parity -// but as of EIP 155 it can also be encoded as -// 35 + 2 * chain_id + y_parity -// -// If a chain_id is present in v, the signed data is -// keccak256(rlp([nonce, gas_price, gas_limit, to, value, data, chain_id, 0, 0])) -// otherwise, it is -// keccak256(rlp([nonce, gas_price, gas_limit, to, value, data])) - -global process_type_0_txn: - // stack: retdest - PUSH @SEGMENT_RLP_RAW // ctx == virt == 0 - // stack: rlp_addr, retdest - %decode_rlp_list_len - // We don't actually need the length. - %stack (rlp_addr, len) -> (rlp_addr) - - // stack: rlp_addr, retdest - %decode_and_store_nonce - %decode_and_store_gas_price_legacy - %decode_and_store_gas_limit - %decode_and_store_to - %decode_and_store_value - %decode_and_store_data - // stack: rlp_addr, retdest - - // Parse the "v" field. - // stack: rlp_addr, retdest - %decode_rlp_scalar - // stack: rlp_addr, v, retdest - SWAP1 - // stack: v, rlp_addr, retdest - DUP1 - %gt_const(28) - // stack: v > 28, v, rlp_addr, retdest - %jumpi(process_v_new_style) - - // We have an old style v, so y_parity = v - 27. - // No chain ID is present, so we can leave TXN_FIELD_CHAIN_ID_PRESENT and - // TXN_FIELD_CHAIN_ID with their default values of zero. - // stack: v, rlp_addr, retdest - %sub_const(27) - %stack (y_parity, rlp_addr) -> (y_parity, rlp_addr) - %mstore_txn_field(@TXN_FIELD_Y_PARITY) - - // stack: rlp_addr, retdest - %jump(decode_r_and_s) - -process_v_new_style: - // stack: v, rlp_addr, retdest - // We have a new style v, so chain_id_present = 1, - // chain_id = (v - 35) / 2, and y_parity = (v - 35) % 2. - %stack (v, rlp_addr) -> (1, v, rlp_addr) - %mstore_txn_field(@TXN_FIELD_CHAIN_ID_PRESENT) - - // stack: v, rlp_addr, retdest - %sub_const(35) - DUP1 - // stack: v - 35, v - 35, rlp_addr, retdest - %div2 - // stack: chain_id, v - 35, rlp_addr, retdest - %mstore_txn_field(@TXN_FIELD_CHAIN_ID) - - // stack: v - 35, rlp_addr, retdest - %mod_const(2) - // stack: y_parity, rlp_addr, retdest - %mstore_txn_field(@TXN_FIELD_Y_PARITY) - -decode_r_and_s: - // stack: rlp_addr, retdest - %decode_and_store_r - %decode_and_store_s - // stack: rlp_addr, retdest - POP - // stack: retdest - -type_0_compute_signed_data: - // If a chain_id is present in v, the signed data is - // keccak256(rlp([nonce, gas_price, gas_limit, to, value, data, chain_id, 0, 0])) - // otherwise, it is - // keccak256(rlp([nonce, gas_price, gas_limit, to, value, data])) - - %alloc_rlp_block - // stack: rlp_addr_start, retdest - %mload_txn_field(@TXN_FIELD_NONCE) - // stack: nonce, rlp_addr_start, retdest - DUP2 - // stack: rlp_addr, nonce, rlp_addr_start, retdest - %encode_rlp_scalar - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_TO) - %mload_global_metadata(@GLOBAL_METADATA_CONTRACT_CREATION) %jumpi(zero_to) - // stack: to, rlp_addr, rlp_addr_start, retdest - SWAP1 %encode_rlp_160 - %jump(after_to) -zero_to: - // stack: to, rlp_addr, rlp_addr_start, retdest - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - -after_to: - %mload_txn_field(@TXN_FIELD_VALUE) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - // Encode txn data. - %mload_txn_field(@TXN_FIELD_DATA_LEN) - PUSH @SEGMENT_TXN_DATA - // stack: ADDR, len, rlp_addr, rlp_addr_start, retdest - PUSH after_serializing_txn_data - // stack: after_serializing_txn_data, ADDR, len, rlp_addr, rlp_addr_start, retdest - SWAP3 - // stack: rlp_addr, ADDR, len, after_serializing_txn_data, rlp_addr_start, retdest - %jump(encode_rlp_string) - -after_serializing_txn_data: - // stack: rlp_addr, rlp_addr_start, retdest - %mload_txn_field(@TXN_FIELD_CHAIN_ID_PRESENT) - ISZERO %jumpi(finish_rlp_list) - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_CHAIN_ID) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - PUSH 0 - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - PUSH 0 - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - -finish_rlp_list: - %prepend_rlp_list_prefix - // stack: ADDR, rlp_len, retdest - KECCAK_GENERAL - // stack: hash, retdest - - %mload_txn_field(@TXN_FIELD_S) - %mload_txn_field(@TXN_FIELD_R) - %mload_txn_field(@TXN_FIELD_Y_PARITY) %add_const(27) // ecrecover interprets v as y_parity + 27 - - PUSH store_origin - // stack: store_origin, v, r, s, hash, retdest - SWAP4 - // stack: hash, v, r, s, store_origin, retdest - %jump(ecrecover) - -store_origin: - // stack: address, retdest - // If ecrecover returned u256::MAX, that indicates failure. - DUP1 - %eq_const(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff) - %jumpi(panic) - - // stack: address, retdest - %mstore_txn_field(@TXN_FIELD_ORIGIN) - // stack: retdest - %jump(process_normalized_txn) diff --git a/evm/src/cpu/kernel/asm/transactions/type_1.asm b/evm/src/cpu/kernel/asm/transactions/type_1.asm deleted file mode 100644 index e64a4aee03..0000000000 --- a/evm/src/cpu/kernel/asm/transactions/type_1.asm +++ /dev/null @@ -1,138 +0,0 @@ -// Type 1 transactions, introduced by EIP 2930, have the format -// 0x01 || rlp([chain_id, nonce, gas_price, gas_limit, to, value, data, -// access_list, y_parity, r, s]) -// -// The signed data is -// keccak256(0x01 || rlp([chain_id, nonce, gas_price, gas_limit, to, value, -// data, access_list])) - -global process_type_1_txn: - // stack: retdest - // Initial rlp address offset of 1 (skipping over the 0x01 byte) - PUSH 1 - PUSH @SEGMENT_RLP_RAW - %build_kernel_address - // stack: rlp_addr, retdest - %decode_rlp_list_len - // We don't actually need the length. - %stack (rlp_addr, len) -> (rlp_addr) - - %store_chain_id_present_true - %decode_and_store_chain_id - %decode_and_store_nonce - %decode_and_store_gas_price_legacy - %decode_and_store_gas_limit - %decode_and_store_to - %decode_and_store_value - %decode_and_store_data - %decode_and_store_access_list - %decode_and_store_y_parity - %decode_and_store_r - %decode_and_store_s - - // stack: rlp_addr, retdest - POP - // stack: retdest - -// From EIP-2930: -// The signatureYParity, signatureR, signatureS elements of this transaction represent a secp256k1 signature -// over keccak256(0x01 || rlp([chainId, nonce, gasPrice, gasLimit, to, value, data, accessList])). -type_1_compute_signed_data: - %alloc_rlp_block - // stack: rlp_addr_start, retdest - %mload_txn_field(@TXN_FIELD_CHAIN_ID) - // stack: chain_id, rlp_addr_start, retdest - DUP2 - // stack: rlp_addr, chain_id, rlp_addr_start, retdest - %encode_rlp_scalar - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_NONCE) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - %mload_txn_field(@TXN_FIELD_TO) - %mload_global_metadata(@GLOBAL_METADATA_CONTRACT_CREATION) %jumpi(zero_to) - // stack: to, rlp_addr, rlp_addr_start, retdest - SWAP1 %encode_rlp_160 - %jump(after_to) -zero_to: - // stack: to, rlp_addr, rlp_addr_start, retdest - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - -after_to: - %mload_txn_field(@TXN_FIELD_VALUE) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_addr_start, retdest - - // Encode txn data. - %mload_txn_field(@TXN_FIELD_DATA_LEN) - PUSH @SEGMENT_TXN_DATA // ctx == virt == 0 - // stack: ADDR, len, rlp_addr, rlp_addr_start, retdest - PUSH after_serializing_txn_data - // stack: after_serializing_txn_data, ADDR, len, rlp_addr, rlp_addr_start, retdest - SWAP3 - // stack: rlp_addr, ADDR, len, after_serializing_txn_data, rlp_addr_start, retdest - %jump(encode_rlp_string) - -after_serializing_txn_data: - // Instead of manually encoding the access list, we just copy the raw RLP from the transaction. - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_START) - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) - %stack (al_len, al_start, rlp_addr, rlp_addr_start, retdest) -> - ( - rlp_addr, - al_start, - al_len, - after_serializing_access_list, - rlp_addr, rlp_addr_start, retdest) - %jump(memcpy_bytes) -after_serializing_access_list: - // stack: rlp_addr, rlp_addr_start, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) ADD - // stack: rlp_addr, rlp_addr_start, retdest - %prepend_rlp_list_prefix - // stack: prefix_start_rlp_addr, rlp_len, retdest - - // Store a `1` in front of the RLP - %decrement - %stack (rlp_addr) -> (1, rlp_addr, rlp_addr) - MSTORE_GENERAL - // stack: rlp_addr, rlp_len, retdest - - // Hash the RLP + the leading `1` - SWAP1 %increment SWAP1 - // stack: ADDR, len, retdest - KECCAK_GENERAL - // stack: hash, retdest - - %mload_txn_field(@TXN_FIELD_S) - %mload_txn_field(@TXN_FIELD_R) - %mload_txn_field(@TXN_FIELD_Y_PARITY) %add_const(27) // ecrecover interprets v as y_parity + 27 - - PUSH store_origin - // stack: store_origin, v, r, s, hash, retdest - SWAP4 - // stack: hash, v, r, s, store_origin, retdest - %jump(ecrecover) - -store_origin: - // stack: address, retdest - // If ecrecover returned u256::MAX, that indicates failure. - DUP1 - %eq_const(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff) - %jumpi(panic) - - // stack: address, retdest - %mstore_txn_field(@TXN_FIELD_ORIGIN) - // stack: retdest - %jump(process_normalized_txn) diff --git a/evm/src/cpu/kernel/asm/transactions/type_2.asm b/evm/src/cpu/kernel/asm/transactions/type_2.asm deleted file mode 100644 index 5074c57950..0000000000 --- a/evm/src/cpu/kernel/asm/transactions/type_2.asm +++ /dev/null @@ -1,145 +0,0 @@ -// Type 2 transactions, introduced by EIP 1559, have the format -// 0x02 || rlp([chain_id, nonce, max_priority_fee_per_gas, max_fee_per_gas, -// gas_limit, to, value, data, access_list, y_parity, r, s]) -// -// The signed data is -// keccak256(0x02 || rlp([chain_id, nonce, max_priority_fee_per_gas, -// max_fee_per_gas, gas_limit, to, value, data, -// access_list])) - -global process_type_2_txn: - // stack: retdest - // Initial rlp address offset of 1 (skipping over the 0x02 byte) - PUSH 1 - PUSH @SEGMENT_RLP_RAW - %build_kernel_address - // stack: rlp_addr, retdest - %decode_rlp_list_len - // We don't actually need the length. - %stack (rlp_addr, len) -> (rlp_addr) - - // stack: rlp_addr, retdest - %store_chain_id_present_true - %decode_and_store_chain_id - %decode_and_store_nonce - %decode_and_store_max_priority_fee - %decode_and_store_max_fee - %decode_and_store_gas_limit - %decode_and_store_to - %decode_and_store_value - %decode_and_store_data - %decode_and_store_access_list - %decode_and_store_y_parity - %decode_and_store_r - %decode_and_store_s - - // stack: rlp_addr, retdest - POP - // stack: retdest - -// From EIP-1559: -// The signature_y_parity, signature_r, signature_s elements of this transaction represent a secp256k1 signature over -// keccak256(0x02 || rlp([chain_id, nonce, max_priority_fee_per_gas, max_fee_per_gas, gas_limit, destination, amount, data, access_list])) -type_2_compute_signed_data: - %alloc_rlp_block - // stack: rlp_addr_start, retdest - %mload_txn_field(@TXN_FIELD_CHAIN_ID) - // stack: chain_id, rlp_start, retdest - DUP2 - // stack: rlp_addr, chain_id, rlp_start, retdest - %encode_rlp_scalar - // stack: rlp_addr, rlp_start, retdest - - %mload_txn_field(@TXN_FIELD_NONCE) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - - %mload_txn_field(@TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - - %mload_txn_field(@TXN_FIELD_MAX_FEE_PER_GAS) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - - %mload_txn_field(@TXN_FIELD_GAS_LIMIT) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - - %mload_txn_field(@TXN_FIELD_TO) - %mload_global_metadata(@GLOBAL_METADATA_CONTRACT_CREATION) %jumpi(zero_to) - // stack: to, rlp_addr, rlp_start, retdest - SWAP1 %encode_rlp_160 - %jump(after_to) -zero_to: - // stack: to, rlp_addr, rlp_start, retdest - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - -after_to: - %mload_txn_field(@TXN_FIELD_VALUE) - %encode_rlp_scalar_swapped_inputs - // stack: rlp_addr, rlp_start, retdest - - // Encode txn data. - %mload_txn_field(@TXN_FIELD_DATA_LEN) - PUSH @SEGMENT_TXN_DATA // ctx == virt == 0 - // stack: ADDR, len, rlp_addr, rlp_start, retdest - PUSH after_serializing_txn_data - // stack: after_serializing_txn_data, ADDR, len, rlp_addr, rlp_start, retdest - SWAP3 - // stack: rlp_addr, ADDR, len, after_serializing_txn_data, rlp_start, retdest - %jump(encode_rlp_string) - -after_serializing_txn_data: - // Instead of manually encoding the access list, we just copy the raw RLP from the transaction. - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_START) - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) - %stack (al_len, al_start, rlp_addr, rlp_start, retdest) -> - ( - rlp_addr, - al_start, - al_len, - after_serializing_access_list, - rlp_addr, rlp_start, retdest) - %jump(memcpy_bytes) -after_serializing_access_list: - // stack: rlp_addr, rlp_start, retdest - %mload_global_metadata(@GLOBAL_METADATA_ACCESS_LIST_RLP_LEN) ADD - // stack: rlp_addr, rlp_start, retdest - %prepend_rlp_list_prefix - // stack: prefix_start_pos, rlp_len, retdest - - // Store a `2` in front of the RLP - %decrement - %stack (rlp_addr) -> (2, rlp_addr, rlp_addr) - MSTORE_GENERAL - // stack: rlp_addr, rlp_len, retdest - - // Hash the RLP + the leading `2` - SWAP1 %increment SWAP1 - // stack: ADDR, len, retdest - KECCAK_GENERAL - // stack: hash, retdest - - %mload_txn_field(@TXN_FIELD_S) - %mload_txn_field(@TXN_FIELD_R) - %mload_txn_field(@TXN_FIELD_Y_PARITY) %add_const(27) // ecrecover interprets v as y_parity + 27 - - PUSH store_origin - // stack: store_origin, v, r, s, hash, retdest - SWAP4 - // stack: hash, v, r, s, store_origin, retdest - %jump(ecrecover) - -store_origin: - // stack: address, retdest - // If ecrecover returned u256::MAX, that indicates failure. - DUP1 - %eq_const(0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff) - %jumpi(panic) - - // stack: address, retdest - %mstore_txn_field(@TXN_FIELD_ORIGIN) - // stack: retdest - %jump(process_normalized_txn) diff --git a/evm/src/cpu/kernel/asm/util/assertions.asm b/evm/src/cpu/kernel/asm/util/assertions.asm deleted file mode 100644 index 6c517407b1..0000000000 --- a/evm/src/cpu/kernel/asm/util/assertions.asm +++ /dev/null @@ -1,116 +0,0 @@ -// It is convenient to have a single panic routine, which we can jump to from -// anywhere. -global panic: - PANIC - -// Consumes the top element and asserts that it is zero. -%macro assert_zero - %jumpi(panic) -%endmacro - -%macro assert_zero(ret) - %jumpi($ret) -%endmacro - -// Consumes the top element and asserts that it is nonzero. -%macro assert_nonzero - ISZERO - %jumpi(panic) -%endmacro - -%macro assert_nonzero(ret) - ISZERO - %jumpi($ret) -%endmacro - -%macro assert_eq - SUB - %jumpi(panic) -%endmacro - -%macro assert_eq(ret) - SUB - %jumpi($ret) -%endmacro - -%macro assert_lt - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x < y) == !(x >= y). - GE - %assert_zero -%endmacro - -%macro assert_lt(ret) - GE - %assert_zero($ret) -%endmacro - -%macro assert_le - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x <= y) == !(x > y). - GT - %assert_zero -%endmacro - -%macro assert_le(ret) - GT - %assert_zero($ret) -%endmacro - -%macro assert_gt - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x > y) == !(x <= y). - LE - %assert_zero -%endmacro - -%macro assert_gt(ret) - LE - %assert_zero($ret) -%endmacro - -%macro assert_ge - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x >= y) == !(x < y). - LT - %assert_zero -%endmacro - -%macro assert_ge(ret) - LT - %assert_zero($ret) -%endmacro - -%macro assert_eq_const(c) - PUSH $c - SUB - %jumpi(panic) -%endmacro - -%macro assert_lt_const(c) - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x < c) == !(x >= c). - %ge_const($c) - %assert_zero -%endmacro - -%macro assert_le_const(c) - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x <= c) == !(x > c). - %gt_const($c) - %assert_zero -%endmacro - -%macro assert_gt_const(c) - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x > c) == !(x <= c). - %le_const($c) - %assert_zero -%endmacro - -%macro assert_ge_const(c) - // %assert_zero is cheaper than %assert_nonzero, so we will leverage the - // fact that (x >= c) == !(x < c). - %lt_const($c) - %assert_zero -%endmacro diff --git a/evm/src/cpu/kernel/asm/util/basic_macros.asm b/evm/src/cpu/kernel/asm/util/basic_macros.asm deleted file mode 100644 index 78fd34fc1c..0000000000 --- a/evm/src/cpu/kernel/asm/util/basic_macros.asm +++ /dev/null @@ -1,485 +0,0 @@ -%macro jump(dst) - PUSH $dst - jump -%endmacro - -%macro jumpi(dst) - PUSH $dst - jumpi -%endmacro - -// Jump to `jumpdest` if the top of the stack is != c -%macro jump_neq_const(c, jumpdest) - PUSH $c - SUB - %jumpi($jumpdest) -%endmacro - -// Jump to `jumpdest` if the top of the stack is < c -%macro jumpi_lt_const(c, jumpdest) - %ge_const($c) - %jumpi($jumpdest) -%endmacro - -%macro pop2 - %rep 2 - POP - %endrep -%endmacro - -%macro pop3 - %rep 3 - POP - %endrep -%endmacro - -%macro pop4 - %rep 4 - POP - %endrep -%endmacro - -%macro pop5 - %rep 5 - POP - %endrep -%endmacro - -%macro pop6 - %rep 6 - POP - %endrep -%endmacro - -%macro pop7 - %rep 7 - POP - %endrep -%endmacro - -%macro pop8 - %rep 8 - POP - %endrep -%endmacro - -%macro pop9 - %rep 9 - POP - %endrep -%endmacro - -%macro pop10 - %rep 10 - POP - %endrep -%endmacro - -%macro and_const(c) - // stack: input, ... - PUSH $c - AND - // stack: input & c, ... -%endmacro - -%macro add_const(c) - // stack: input, ... - PUSH $c - ADD - // stack: input + c, ... -%endmacro - -// Slightly inefficient as we need to swap the inputs. -// Consider avoiding this in performance-critical code. -%macro sub_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - SWAP1 - // stack: input, c, ... - SUB - // stack: input - c, ... -%endmacro - -%macro mul_const(c) - // stack: input, ... - PUSH $c - MUL - // stack: input * c, ... -%endmacro - -// Slightly inefficient as we need to swap the inputs. -// Consider avoiding this in performance-critical code. -%macro div_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - SWAP1 - // stack: input, c, ... - DIV - // stack: input / c, ... -%endmacro - -// Slightly inefficient as we need to swap the inputs. -// Consider avoiding this in performance-critical code. -%macro mod_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - SWAP1 - // stack: input, c, ... - MOD - // stack: input % c, ... -%endmacro - -%macro shl_const(c) - // stack: input, ... - PUSH $c - SHL - // stack: input << c, ... -%endmacro - -%macro shr_const(c) - // stack: input, ... - PUSH $c - SHR - // stack: input >> c, ... -%endmacro - -%macro eq_const(c) - // stack: input, ... - PUSH $c - EQ - // stack: input == c, ... -%endmacro - -%macro lt_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - GT // Check it backwards: (input < c) == (c > input) - // stack: input < c, ... -%endmacro - -%macro le_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - LT ISZERO // Check it backwards: (input <= c) == !(c < input) - // stack: input <= c, ... -%endmacro - -%macro gt_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - LT // Check it backwards: (input > c) == (c < input) - // stack: input >= c, ... -%endmacro - -%macro ge_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - GT ISZERO // Check it backwards: (input >= c) == !(c > input) - // stack: input >= c, ... -%endmacro - -// If pred is zero, yields z; otherwise, yields nz -%macro select - // stack: pred, nz, z - ISZERO - // stack: pred == 0, nz, z - DUP1 - // stack: pred == 0, pred == 0, nz, z - ISZERO - // stack: pred != 0, pred == 0, nz, z - SWAP3 - // stack: z, pred == 0, nz, pred != 0 - MUL - // stack: (pred == 0) * z, nz, pred != 0 - SWAP2 - // stack: pred != 0, nz, (pred == 0) * z - MUL - // stack: (pred != 0) * nz, (pred == 0) * z - ADD - // stack: (pred != 0) * nz + (pred == 0) * z -%endmacro - -// If pred, yields x; otherwise, yields y -// Assumes pred is boolean (either 0 or 1). -%macro select_bool - // stack: pred, y, x - DUP1 - // stack: pred, pred, y, x - ISZERO - // stack: notpred, pred, y, x - SWAP3 - // stack: x, pred, y, notpred - MUL - // stack: pred * x, y, notpred - SWAP2 - // stack: notpred, y, pred * x - MUL - // stack: notpred * y, pred * x - ADD - // stack: notpred * y + pred * x -%endmacro - -%macro square - // stack: x - DUP1 - // stack: x, x - MUL - // stack: x^2 -%endmacro - -%macro min - // stack: x, y - DUP2 - DUP2 - // stack: x, y, x, y - GT - // stack: x > y, x, y - %select_bool - // stack: min -%endmacro - -%macro max - // stack: x, y - DUP2 - DUP2 - // stack: x, y, x, y - LT - // stack: x < y, x, y - %select_bool - // stack: max -%endmacro - -%macro max_3 - // stack: x, y, z - %max - // stack: max(x, y), z - SWAP1 - // stack: z, max(x, y) - %max - // stack: max(x, y, z) -%endmacro - -%macro max_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - %max - // stack: max(input, c), ... -%endmacro - -%macro min_const(c) - // stack: input, ... - PUSH $c - // stack: c, input, ... - %min - // stack: min(input, c), ... -%endmacro - -%macro ceil_div - // stack: x, y - PUSH 1 - DUP3 - SUB // y - 1 - // stack: y - 1, x, y - ADD - DIV - // stack: ceil(x / y) -%endmacro - -%macro ceil_div_const(c) - // stack: x, ... - PUSH $c - // stack: c, x, ... - SWAP1 - // stack: x, c, ... - %ceil_div - // stack: ceil(x / c), ... -%endmacro - -%macro as_u32 - %and_const(0xffffffff) -%endmacro - -%macro as_u64 - %and_const(0xffffffffffffffff) -%endmacro - -%macro not_u32 - // stack: x - PUSH 0xffffffff - // stack: 0xffffffff, x - SUB - // stack: 0xffffffff - x -%endmacro - -// u32 addition (discarding 2^32 bit) -%macro add_u32 - // stack: x, y - ADD - // stack: x + y - %as_u32 - // stack: (x + y) & u32::MAX -%endmacro - -%macro add3_u32 - // stack: x , y , z - ADD - // stack: x + y , z - ADD - // stack: x + y + z - %as_u32 -%endmacro - -%macro increment - %add_const(1) -%endmacro - -%macro decrement - %sub_const(1) -%endmacro - -%macro div2 - // stack: x - PUSH 1 - SHR - // stack: x >> 1 -%endmacro - -%macro iseven - %mod_const(2) - ISZERO -%endmacro - -// given u32 bytestring abcd return dcba -%macro reverse_bytes_u32 - // stack: abcd - DUP1 - PUSH 28 - BYTE - // stack: a, abcd - DUP2 - PUSH 29 - BYTE - %shl_const(8) - // stack: b0, a, abcd - DUP3 - PUSH 30 - BYTE - %shl_const(16) - // stack: c00, b0, a, abcd - SWAP3 - PUSH 31 - BYTE - %shl_const(24) - // stack: d000, b0, a, c00 - ADD // OR - ADD // OR - ADD // OR - // stack: dcba -%endmacro - -%macro reverse_bytes_u64 - // stack: word - DUP1 - // stack: word, word - %and_const(0xffffffff) - // stack: word_lo, word - SWAP1 - // stack: word, word_lo - %shr_const(32) - // stack: word_hi, word_lo - %reverse_bytes_u32 - // stack: word_hi_inverted, word_lo - SWAP1 - // stack: word_lo, word_hi_inverted - %reverse_bytes_u32 - // stack: word_lo_inverted, word_hi_inverted - %shl_const(32) - ADD // OR - // stack: word_inverted -%endmacro - -// Combine four big-endian u64s into a u256. -%macro u64s_to_u256 - // stack: a, b, c, d - %rep 3 - %shl_const(64) - ADD // OR - %endrep - // stack: a || b || c || d -%endmacro - -%macro u256_to_addr - // stack: x - %mod_const(0x10000000000000000000000000000000000000000) // 2^160 -%endmacro - -%macro not_bit - // stack: b - ISZERO - // stack: not b -%endmacro - -%macro build_address - // stack: ctx, seg, off - ADD - ADD - // stack: addr -%endmacro - -%macro build_address_no_offset - // stack: ctx, seg - ADD - // stack: addr -%endmacro - -%macro build_current_general_address - // stack: offset - PUSH @SEGMENT_KERNEL_GENERAL - GET_CONTEXT - %build_address - // stack: addr -%endmacro - -%macro build_current_general_address_no_offset - // stack: - PUSH @SEGMENT_KERNEL_GENERAL - GET_CONTEXT - %build_address_no_offset - // stack: addr (offset == 0) -%endmacro - -%macro build_kernel_address - // stack: seg, off - ADD - // stack: addr (ctx == 0) -%endmacro - -%macro build_address_with_ctx(seg, off) - // stack: ctx - PUSH $seg - PUSH $off - %build_address - // stack: addr -%endmacro - -%macro build_address_with_ctx_no_offset(seg) - // stack: ctx - PUSH $seg - ADD - // stack: addr -%endmacro - -%macro build_address_with_ctx_no_segment(off) - // stack: ctx - PUSH $off - ADD - // stack: addr -%endmacro diff --git a/evm/src/cpu/kernel/asm/util/keccak.asm b/evm/src/cpu/kernel/asm/util/keccak.asm deleted file mode 100644 index dceb7b195b..0000000000 --- a/evm/src/cpu/kernel/asm/util/keccak.asm +++ /dev/null @@ -1,64 +0,0 @@ -global sys_keccak256: - // stack: kexit_info, offset, len - PUSH @GAS_KECCAK256 - DUP4 - // stack: len, static_gas, kexit_info, offset, len - ISZERO %jumpi(sys_keccak256_empty) - // stack: static_gas, kexit_info, offset, len - DUP4 %num_bytes_to_num_words %mul_const(@GAS_KECCAK256WORD) - ADD - %charge_gas - // stack: kexit_info, offset, len - - %stack (kexit_info, offset, len) -> (offset, len, kexit_info, offset, len) - %add_or_fault - DUP1 %ensure_reasonable_offset - %update_mem_bytes - - %stack (kexit_info, offset, len) -> (offset, len, kexit_info) - PUSH @SEGMENT_MAIN_MEMORY - GET_CONTEXT - %build_address - // stack: ADDR, len, kexit_info - KECCAK_GENERAL - // stack: hash, kexit_info - SWAP1 - EXIT_KERNEL - -sys_keccak256_empty: - // stack: static_gas, kexit_info, offset, len - %charge_gas - %stack (kexit_info, offset, len) -> (kexit_info, @EMPTY_STRING_HASH) - EXIT_KERNEL - -// Computes Keccak256(input_word). Clobbers @SEGMENT_KERNEL_GENERAL. -// -// Pre stack: input_word -// Post stack: hash -%macro keccak256_word(num_bytes) - // Since KECCAK_GENERAL takes its input from memory, we will first write - // input_word's bytes to @SEGMENT_KERNEL_GENERAL[0..$num_bytes]. - %stack (word) -> (@SEGMENT_KERNEL_GENERAL, word, $num_bytes, %%after_mstore, $num_bytes, $num_bytes) - %jump(mstore_unpacking) -%%after_mstore: - // stack: addr, $num_bytes, $num_bytes - SUB - KECCAK_GENERAL -%endmacro - -// Computes Keccak256(a || b). Clobbers @SEGMENT_KERNEL_GENERAL. -// -// Pre stack: a, b -// Post stack: hash -%macro keccak256_u256_pair - // Since KECCAK_GENERAL takes its input from memory, we will first write - // a's bytes to @SEGMENT_KERNEL_GENERAL[0..32], then b's bytes to - // @SEGMENT_KERNEL_GENERAL[32..64]. - %stack (a) -> (@SEGMENT_KERNEL_GENERAL, a) - MSTORE_32BYTES_32 - // stack: addr, b - MSTORE_32BYTES_32 - %stack (addr) -> (addr, 64, 64) // reset the address offset - SUB - KECCAK_GENERAL -%endmacro diff --git a/evm/src/cpu/kernel/asm/util/math.asm b/evm/src/cpu/kernel/asm/util/math.asm deleted file mode 100644 index 4bdf690238..0000000000 --- a/evm/src/cpu/kernel/asm/util/math.asm +++ /dev/null @@ -1,37 +0,0 @@ -log2_floor_helper: - // stack: val, counter, retdest - DUP1 - // stack: val, val, counter, retdest - ISZERO - %jumpi(end) - // stack: val, counter, retdest - %div2 - // stack: val/2, counter, retdest - SWAP1 - %increment - SWAP1 - // stack: val/2, counter + 1, retdest - %jump(log2_floor_helper) -end: - // stack: val, counter, retdest - POP - // stack: counter, retdest - SWAP1 - // stack: retdest, counter - JUMP - -global log2_floor: - // stack: val, retdest - %div2 - // stack: val/2, retdest - PUSH 0 - // stack: 0, val/2, retdest - SWAP1 - // stack: val/2, 0, retdest - %jump(log2_floor_helper) - -%macro log2_floor - %stack (val) -> (val, %%after) - %jump(log2_floor) -%%after: -%endmacro diff --git a/evm/src/cpu/kernel/assembler.rs b/evm/src/cpu/kernel/assembler.rs deleted file mode 100644 index 2dc79d6111..0000000000 --- a/evm/src/cpu/kernel/assembler.rs +++ /dev/null @@ -1,731 +0,0 @@ -use std::collections::HashMap; -use std::fs; -use std::time::Instant; - -use ethereum_types::{H256, U256}; -use itertools::{izip, Itertools}; -use keccak_hash::keccak; -use log::debug; -use serde::{Deserialize, Serialize}; - -use super::ast::{BytesTarget, PushTarget}; -use crate::cpu::kernel::ast::Item::LocalLabelDeclaration; -use crate::cpu::kernel::ast::{File, Item, StackReplacement}; -use crate::cpu::kernel::opcodes::{get_opcode, get_push_opcode}; -use crate::cpu::kernel::optimizer::optimize_asm; -use crate::cpu::kernel::stack::stack_manipulation::expand_stack_manipulation; -use crate::cpu::kernel::utils::u256_to_trimmed_be_bytes; -use crate::generation::prover_input::ProverInputFn; - -/// The number of bytes to push when pushing an offset within the code (i.e. when assembling jumps). -/// Ideally we would automatically use the minimal number of bytes required, but that would be -/// nontrivial given the circular dependency between an offset and its size. -pub(crate) const BYTES_PER_OFFSET: u8 = 3; - -#[derive(PartialEq, Eq, Debug, Serialize, Deserialize)] -pub struct Kernel { - pub(crate) code: Vec, - - /// Computed using `hash_kernel`. - pub(crate) code_hash: H256, - - pub(crate) global_labels: HashMap, - pub(crate) ordered_labels: Vec, - - /// Map from `PROVER_INPUT` offsets to their corresponding `ProverInputFn`. - pub(crate) prover_inputs: HashMap, -} - -impl Kernel { - fn new( - code: Vec, - global_labels: HashMap, - prover_inputs: HashMap, - ) -> Self { - let code_hash = keccak(&code); - let ordered_labels = global_labels - .keys() - .cloned() - .sorted_by_key(|label| global_labels[label]) - .inspect(|key| debug!("Global label: {} => {:?}", key, global_labels[key])) - .collect(); - Self { - code, - code_hash, - global_labels, - ordered_labels, - prover_inputs, - } - } - - pub fn to_file(&self, path: &str) { - let kernel_serialized = serde_json::to_string(self).unwrap(); - fs::write(path, kernel_serialized).expect("Unable to write kernel to file"); - } - - pub fn from_file(path: &str) -> Self { - let bytes = fs::read(path).expect("Unable to read kernel file"); - serde_json::from_slice(&bytes).unwrap() - } - - /// Get a string representation of the current offset for debugging purposes. - pub(crate) fn offset_name(&self, offset: usize) -> String { - match self - .ordered_labels - .binary_search_by_key(&offset, |label| self.global_labels[label]) - { - Ok(idx) => self.ordered_labels[idx].clone(), - Err(0) => offset.to_string(), - Err(idx) => format!("{}, below {}", offset, self.ordered_labels[idx - 1]), - } - } - - pub(crate) fn offset_label(&self, offset: usize) -> Option { - self.global_labels - .iter() - .find_map(|(k, v)| (*v == offset).then(|| k.clone())) - } -} - -#[derive(Eq, PartialEq, Hash, Clone, Debug)] -struct MacroSignature { - name: String, - num_params: usize, -} - -struct Macro { - params: Vec, - items: Vec, -} - -impl Macro { - fn get_param_index(&self, param: &str) -> usize { - self.params - .iter() - .position(|p| p == param) - .unwrap_or_else(|| panic!("No such param: {param} {:?}", &self.params)) - } -} - -pub(crate) fn assemble( - files: Vec, - constants: HashMap, - optimize: bool, -) -> Kernel { - let macros = find_macros(&files); - let mut global_labels = HashMap::new(); - let mut prover_inputs = HashMap::new(); - let mut offset = 0; - let mut expanded_files = Vec::with_capacity(files.len()); - let mut local_labels = Vec::with_capacity(files.len()); - let mut macro_counter = 0; - for file in files { - let start = Instant::now(); - let mut file = file.body; - file = expand_macros(file, ¯os, &mut macro_counter); - file = inline_constants(file, &constants); - file = expand_stack_manipulation(file); - if optimize { - optimize_asm(&mut file); - } - local_labels.push(find_labels( - &file, - &mut offset, - &mut global_labels, - &mut prover_inputs, - )); - expanded_files.push(file); - debug!("Expanding file took {:?}", start.elapsed()); - } - let mut code = vec![]; - for (file, locals) in izip!(expanded_files, local_labels) { - let prev_len = code.len(); - assemble_file(file, &mut code, locals, &global_labels); - let file_len = code.len() - prev_len; - debug!("Assembled file size: {} bytes", file_len); - } - assert_eq!(code.len(), offset, "Code length doesn't match offset."); - debug!("Total kernel size: {} bytes", code.len()); - Kernel::new(code, global_labels, prover_inputs) -} - -fn find_macros(files: &[File]) -> HashMap { - let mut macros = HashMap::new(); - for file in files { - for item in &file.body { - if let Item::MacroDef(name, params, items) = item { - let signature = MacroSignature { - name: name.clone(), - num_params: params.len(), - }; - let macro_ = Macro { - params: params.clone(), - items: items.clone(), - }; - let old = macros.insert(signature.clone(), macro_); - assert!(old.is_none(), "Duplicate macro signature: {signature:?}"); - } - } - } - macros -} - -fn expand_macros( - body: Vec, - macros: &HashMap, - macro_counter: &mut u32, -) -> Vec { - let mut expanded = vec![]; - for item in body { - match item { - Item::MacroDef(_, _, _) => { - // At this phase, we no longer need macro definitions. - } - Item::MacroCall(m, args) => { - expanded.extend(expand_macro_call(m, args, macros, macro_counter)); - } - Item::Repeat(count, body) => { - for _ in 0..count.as_usize() { - expanded.extend(expand_macros(body.clone(), macros, macro_counter)); - } - } - item => { - expanded.push(item); - } - } - } - expanded -} - -fn expand_macro_call( - name: String, - args: Vec, - macros: &HashMap, - macro_counter: &mut u32, -) -> Vec { - let signature = MacroSignature { - name, - num_params: args.len(), - }; - let macro_ = macros - .get(&signature) - .unwrap_or_else(|| panic!("No such macro: {signature:?}")); - - let get_actual_label = |macro_label| format!("@{macro_counter}.{macro_label}"); - - let get_arg = |var| { - let param_index = macro_.get_param_index(var); - args[param_index].clone() - }; - - let expanded_item = macro_ - .items - .iter() - .map(|item| match item { - Item::MacroLabelDeclaration(label) => LocalLabelDeclaration(get_actual_label(label)), - Item::Push(PushTarget::MacroLabel(label)) => { - Item::Push(PushTarget::Label(get_actual_label(label))) - } - Item::Push(PushTarget::MacroVar(var)) => Item::Push(get_arg(var)), - Item::MacroCall(name, args) => { - let expanded_args = args - .iter() - .map(|arg| match arg { - PushTarget::MacroVar(var) => get_arg(var), - PushTarget::MacroLabel(l) => PushTarget::Label(get_actual_label(l)), - _ => arg.clone(), - }) - .collect(); - Item::MacroCall(name.clone(), expanded_args) - } - Item::StackManipulation(before, after) => { - let after = after - .iter() - .map(|replacement| match replacement { - StackReplacement::MacroLabel(label) => { - StackReplacement::Identifier(get_actual_label(label)) - } - StackReplacement::MacroVar(var) => get_arg(var).into(), - _ => replacement.clone(), - }) - .collect(); - Item::StackManipulation(before.clone(), after) - } - _ => item.clone(), - }) - .collect(); - - *macro_counter += 1; - - // Recursively expand any macros in the expanded code. - expand_macros(expanded_item, macros, macro_counter) -} - -fn inline_constants(body: Vec, constants: &HashMap) -> Vec { - let resolve_const = |c| { - *constants - .get(&c) - .unwrap_or_else(|| panic!("No such constant: {c}")) - }; - - body.into_iter() - .map(|item| { - if let Item::Push(PushTarget::Constant(c)) = item { - Item::Push(PushTarget::Literal(resolve_const(c))) - } else if let Item::Bytes(targets) = item { - let targets = targets - .into_iter() - .map(|target| { - if let BytesTarget::Constant(c) = target { - let c = resolve_const(c); - assert!( - c < U256::from(256), - "Constant in a BYTES object should be a byte" - ); - BytesTarget::Literal(c.byte(0)) - } else { - target - } - }) - .collect(); - Item::Bytes(targets) - } else if let Item::StackManipulation(from, to) = item { - let to = to - .into_iter() - .map(|replacement| { - if let StackReplacement::Constant(c) = replacement { - StackReplacement::Literal(resolve_const(c)) - } else { - replacement - } - }) - .collect(); - Item::StackManipulation(from, to) - } else { - item - } - }) - .collect() -} - -fn find_labels( - body: &[Item], - offset: &mut usize, - global_labels: &mut HashMap, - prover_inputs: &mut HashMap, -) -> HashMap { - // Discover the offset of each label in this file. - let mut local_labels = HashMap::::new(); - for item in body { - match item { - Item::MacroDef(_, _, _) - | Item::MacroCall(_, _) - | Item::Repeat(_, _) - | Item::StackManipulation(_, _) - | Item::MacroLabelDeclaration(_) => { - panic!("Item should have been expanded already: {item:?}"); - } - Item::GlobalLabelDeclaration(label) => { - let old = global_labels.insert(label.clone(), *offset); - assert!(old.is_none(), "Duplicate global label: {label}"); - } - Item::LocalLabelDeclaration(label) => { - let old = local_labels.insert(label.clone(), *offset); - assert!(old.is_none(), "Duplicate local label: {label}"); - } - Item::Push(target) => *offset += 1 + push_target_size(target) as usize, - Item::ProverInput(prover_input_fn) => { - prover_inputs.insert(*offset, prover_input_fn.clone()); - *offset += 1; - } - Item::StandardOp(_) => *offset += 1, - Item::Bytes(bytes) => *offset += bytes.len(), - Item::Jumptable(labels) => *offset += labels.len() * (BYTES_PER_OFFSET as usize), - } - } - local_labels -} - -fn look_up_label( - label: &String, - local_labels: &HashMap, - global_labels: &HashMap, -) -> Vec { - let offset = local_labels - .get(label) - .or_else(|| global_labels.get(label)) - .unwrap_or_else(|| panic!("No such label: {label}")); - // We want the BYTES_PER_OFFSET least significant bytes in BE order. - // It's easiest to rev the first BYTES_PER_OFFSET bytes of the LE encoding. - (0..BYTES_PER_OFFSET) - .rev() - .map(|i| offset.to_le_bytes()[i as usize]) - .collect() -} - -fn assemble_file( - body: Vec, - code: &mut Vec, - local_labels: HashMap, - global_labels: &HashMap, -) { - // Assemble the file. - for item in body { - match item { - Item::MacroDef(_, _, _) - | Item::MacroCall(_, _) - | Item::Repeat(_, _) - | Item::StackManipulation(_, _) - | Item::MacroLabelDeclaration(_) => { - panic!("Item should have been expanded already: {item:?}"); - } - Item::GlobalLabelDeclaration(_) | Item::LocalLabelDeclaration(_) => { - // Nothing to do; we processed labels in the prior phase. - } - Item::Push(target) => { - let target_bytes: Vec = match target { - PushTarget::Literal(n) => u256_to_trimmed_be_bytes(&n), - PushTarget::Label(label) => look_up_label(&label, &local_labels, global_labels), - PushTarget::MacroLabel(v) => panic!("Macro label not in a macro: {v}"), - PushTarget::MacroVar(v) => panic!("Variable not in a macro: {v}"), - PushTarget::Constant(c) => panic!("Constant wasn't inlined: {c}"), - }; - code.push(get_push_opcode(target_bytes.len() as u8)); - code.extend(target_bytes); - } - Item::ProverInput(_) => { - code.push(get_opcode("PROVER_INPUT")); - } - Item::StandardOp(opcode) => { - code.push(get_opcode(&opcode)); - } - Item::Bytes(targets) => { - for target in targets { - match target { - BytesTarget::Literal(n) => code.push(n), - BytesTarget::Constant(c) => panic!("Constant wasn't inlined: {c}"), - } - } - } - Item::Jumptable(labels) => { - for label in labels { - let bytes = look_up_label(&label, &local_labels, global_labels); - code.extend(bytes); - } - } - } - } -} - -/// The size of a `PushTarget`, in bytes. -fn push_target_size(target: &PushTarget) -> u8 { - match target { - PushTarget::Literal(n) => u256_to_trimmed_be_bytes(n).len() as u8, - PushTarget::Label(_) => BYTES_PER_OFFSET, - PushTarget::MacroLabel(v) => panic!("Macro label not in a macro: {v}"), - PushTarget::MacroVar(v) => panic!("Variable not in a macro: {v}"), - PushTarget::Constant(c) => panic!("Constant wasn't inlined: {c}"), - } -} - -#[cfg(test)] -mod tests { - use super::*; - use crate::cpu::kernel::parser::parse; - - #[test] - fn two_files() { - // We will test two simple files, with a label and a jump, to ensure that jump offsets - // are correctly shifted based on the offset of the containing file. - - let file_1 = File { - body: vec![ - Item::GlobalLabelDeclaration("function_1".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - Item::StandardOp("ADD".to_string()), - Item::StandardOp("MUL".to_string()), - ], - }; - - let file_2 = File { - body: vec![ - Item::GlobalLabelDeclaration("function_2".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - Item::StandardOp("DIV".to_string()), - Item::LocalLabelDeclaration("mylabel".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - Item::StandardOp("MOD".to_string()), - Item::Push(PushTarget::Label("mylabel".to_string())), - Item::StandardOp("JUMP".to_string()), - ], - }; - - let expected_code = vec![ - get_opcode("JUMPDEST"), - get_opcode("ADD"), - get_opcode("MUL"), - get_opcode("JUMPDEST"), - get_opcode("DIV"), - get_opcode("JUMPDEST"), - get_opcode("MOD"), - get_push_opcode(BYTES_PER_OFFSET), - // The label offset, 5, in 3-byte BE form. - 0, - 0, - 5, - get_opcode("JUMP"), - ]; - - let mut expected_global_labels = HashMap::new(); - expected_global_labels.insert("function_1".to_string(), 0); - expected_global_labels.insert("function_2".to_string(), 3); - - let expected_kernel = Kernel::new(expected_code, expected_global_labels, HashMap::new()); - - let program = vec![file_1, file_2]; - assert_eq!(assemble(program, HashMap::new(), false), expected_kernel); - } - - #[test] - #[should_panic] - fn global_label_collision() { - let file_1 = File { - body: vec![ - Item::GlobalLabelDeclaration("foo".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - ], - }; - let file_2 = File { - body: vec![ - Item::GlobalLabelDeclaration("foo".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - ], - }; - assemble(vec![file_1, file_2], HashMap::new(), false); - } - - #[test] - #[should_panic] - fn local_label_collision() { - let file = File { - body: vec![ - Item::LocalLabelDeclaration("foo".to_string()), - Item::StandardOp("JUMPDEST".to_string()), - Item::LocalLabelDeclaration("foo".to_string()), - Item::StandardOp("ADD".to_string()), - ], - }; - assemble(vec![file], HashMap::new(), false); - } - - #[test] - fn literal_bytes() { - let file = File { - body: vec![ - Item::Bytes(vec![BytesTarget::Literal(0x12), BytesTarget::Literal(42)]), - Item::Bytes(vec![BytesTarget::Literal(0xFE), BytesTarget::Literal(255)]), - ], - }; - let code = assemble(vec![file], HashMap::new(), false).code; - assert_eq!(code, vec![0x12, 42, 0xfe, 255]); - } - - #[test] - fn macro_in_macro() { - let kernel = parse_and_assemble(&[ - "%macro foo %bar %bar %endmacro", - "%macro bar ADD %endmacro", - "%foo", - ]); - let add = get_opcode("ADD"); - assert_eq!(kernel.code, vec![add, add]); - } - - #[test] - fn macro_with_vars() { - let files = &[ - "%macro add(x, y) PUSH $x PUSH $y ADD %endmacro", - "%add(2, 3)", - ]; - let kernel = parse_and_assemble_ext(files, HashMap::new(), false); - let push1 = get_push_opcode(1); - let add = get_opcode("ADD"); - assert_eq!(kernel.code, vec![push1, 2, push1, 3, add]); - } - - #[test] - fn macro_with_label() { - let files = &[ - "%macro jump(x) PUSH $x JUMP %endmacro", - "%macro spin %%start: %jump(%%start) %endmacro", - "%spin %spin", - ]; - let kernel = parse_and_assemble_ext(files, HashMap::new(), false); - let push3 = get_push_opcode(BYTES_PER_OFFSET); - let jump = get_opcode("JUMP"); - assert_eq!( - kernel.code, - vec![push3, 0, 0, 0, jump, push3, 0, 0, 5, jump] - ); - } - - #[test] - fn macro_in_macro_with_vars() { - let kernel = parse_and_assemble(&[ - "%macro foo(x) %bar($x) %bar($x) %endmacro", - "%macro bar(y) PUSH $y %endmacro", - "%foo(42)", - ]); - let push1 = get_push_opcode(1); - assert_eq!(kernel.code, vec![push1, 42, push1, 42]); - } - - #[test] - fn macro_with_reserved_prefix() { - // The name `repeat` should be allowed, even though `rep` is reserved. - parse_and_assemble(&["%macro repeat %endmacro", "%repeat"]); - } - - #[test] - fn overloaded_macros() { - let kernel = parse_and_assemble(&[ - "%macro push(x) PUSH $x %endmacro", - "%macro push(x, y) PUSH $x PUSH $y %endmacro", - "%push(5)", - "%push(6, 7)", - ]); - let push1 = get_push_opcode(1); - assert_eq!(kernel.code, vec![push1, 5, push1, 6, push1, 7]); - } - - #[test] - fn pop2_macro() { - parse_and_assemble(&["%macro pop2 %rep 2 pop %endrep %endmacro", "%pop2"]); - } - - #[test] - #[should_panic] - fn macro_with_wrong_vars() { - parse_and_assemble(&[ - "%macro add(x, y) PUSH $x PUSH $y ADD %endmacro", - "%add(2, 3, 4)", - ]); - } - - #[test] - #[should_panic] - fn var_not_in_macro() { - parse_and_assemble(&["push $abc"]); - } - - #[test] - fn constants() { - let code = &["PUSH @DEAD_BEEF"]; - let mut constants = HashMap::new(); - constants.insert("DEAD_BEEF".into(), 0xDEADBEEFu64.into()); - - let kernel = parse_and_assemble_ext(code, constants, true); - let push4 = get_push_opcode(4); - assert_eq!(kernel.code, vec![push4, 0xDE, 0xAD, 0xBE, 0xEF]); - } - - #[test] - fn repeat() { - let kernel = parse_and_assemble(&["%rep 3 ADD %endrep"]); - let add = get_opcode("ADD"); - assert_eq!(kernel.code, vec![add, add, add]); - } - - #[test] - fn stack_manipulation() { - let pop = get_opcode("POP"); - let dup1 = get_opcode("DUP1"); - let swap1 = get_opcode("SWAP1"); - let swap2 = get_opcode("SWAP2"); - let swap3 = get_opcode("SWAP3"); - let push_one_byte = get_push_opcode(1); - let push_label = get_push_opcode(BYTES_PER_OFFSET); - - let kernel = parse_and_assemble(&["%stack () -> (1, 2, 3)"]); - assert_eq!( - kernel.code, - vec![push_one_byte, 3, push_one_byte, 2, push_one_byte, 1] - ); - - let kernel = parse_and_assemble(&["%stack (a) -> (a)"]); - assert_eq!(kernel.code, vec![] as Vec); - - let kernel = parse_and_assemble(&["%stack (a, b, c) -> (c, b, a)"]); - assert_eq!(kernel.code, vec![swap2]); - - let kernel = parse_and_assemble(&["%stack (a, b, c) -> (b)"]); - assert_eq!(kernel.code, vec![pop, swap1, pop]); - - let kernel = parse_and_assemble(&["%stack (a, b, c) -> (7, b)"]); - assert_eq!(kernel.code, vec![pop, swap1, pop, push_one_byte, 7]); - - let kernel = parse_and_assemble(&["%stack (a, b: 3, c) -> (c)"]); - assert_eq!(kernel.code, vec![pop, pop, pop, pop]); - - let kernel = parse_and_assemble(&["%stack (a: 2, b: 2) -> (b, a)"]); - assert_eq!(kernel.code, vec![swap1, swap3, swap1, swap2]); - - let kernel1 = parse_and_assemble(&["%stack (a: 3, b: 3, c) -> (c, b, a)"]); - let kernel2 = - parse_and_assemble(&["%stack (a, b, c, d, e, f, g) -> (g, d, e, f, a, b, c)"]); - assert_eq!(kernel1.code, kernel2.code); - - let mut consts = HashMap::new(); - consts.insert("LIFE".into(), 42.into()); - parse_and_assemble_ext(&["%stack (a, b) -> (b, @LIFE)"], consts, true); - // We won't check the code since there are two equally efficient implementations. - - let kernel = parse_and_assemble(&["start: %stack (a, b) -> (start)"]); - assert_eq!(kernel.code, vec![pop, pop, push_label, 0, 0, 0]); - - // The "start" label gets shadowed by the "start" named stack item. - let kernel = parse_and_assemble(&["start: %stack (start) -> (start, start)"]); - assert_eq!(kernel.code, vec![dup1]); - } - - #[test] - fn stack_manipulation_in_macro() { - let pop = get_opcode("POP"); - let push1 = get_push_opcode(1); - - let kernel = parse_and_assemble(&[ - "%macro set_top(x) %stack (a) -> ($x) %endmacro", - "%set_top(42)", - ]); - assert_eq!(kernel.code, vec![pop, push1, 42]); - } - - #[test] - fn stack_manipulation_in_macro_with_name_collision() { - let pop = get_opcode("POP"); - let push_label = get_push_opcode(BYTES_PER_OFFSET); - - // In the stack directive, there's a named item `foo`. - // But when we invoke `%foo(foo)`, the argument refers to the `foo` label. - // Thus the expanded macro is `%stack (foo) -> (label foo)` (not real syntax). - let kernel = parse_and_assemble(&[ - "global foo:", - "%macro foo(x) %stack (foo) -> ($x) %endmacro", - "%foo(foo)", - ]); - assert_eq!(kernel.code, vec![pop, push_label, 0, 0, 0]); - } - - fn parse_and_assemble(files: &[&str]) -> Kernel { - parse_and_assemble_ext(files, HashMap::new(), true) - } - - fn parse_and_assemble_ext( - files: &[&str], - constants: HashMap, - optimize: bool, - ) -> Kernel { - let parsed_files = files.iter().map(|f| parse(f)).collect_vec(); - assemble(parsed_files, constants, optimize) - } -} diff --git a/evm/src/cpu/kernel/ast.rs b/evm/src/cpu/kernel/ast.rs deleted file mode 100644 index 0af3bdabeb..0000000000 --- a/evm/src/cpu/kernel/ast.rs +++ /dev/null @@ -1,84 +0,0 @@ -use ethereum_types::U256; - -use crate::generation::prover_input::ProverInputFn; - -#[derive(Debug)] -pub(crate) struct File { - pub(crate) body: Vec, -} - -#[derive(Eq, PartialEq, Clone, Debug)] -pub(crate) enum Item { - /// Defines a new macro: name, params, body. - MacroDef(String, Vec, Vec), - /// Calls a macro: name, args. - MacroCall(String, Vec), - /// Repetition, like `%rep` in NASM. - Repeat(U256, Vec), - /// A directive to manipulate the stack according to a specified pattern. - /// The first list gives names to items on the top of the stack. - /// The second list specifies replacement items. - /// Example: `(a, b, c) -> (c, 5, 0x20, @SOME_CONST, a)`. - StackManipulation(Vec, Vec), - /// Declares a global label. - GlobalLabelDeclaration(String), - /// Declares a label that is local to the current file. - LocalLabelDeclaration(String), - /// Declares a label that is local to the macro it's declared in. - MacroLabelDeclaration(String), - /// A `PUSH` operation. - Push(PushTarget), - /// A `ProverInput` operation. - ProverInput(ProverInputFn), - /// Any opcode besides a PUSH opcode. - StandardOp(String), - /// Literal hex data; should contain an even number of hex chars. - Bytes(Vec), - /// Creates a table of addresses from a list of labels. - Jumptable(Vec), -} - -/// The left hand side of a %stack stack-manipulation macro. -#[derive(Eq, PartialEq, Clone, Debug)] -pub(crate) struct StackPlaceholder(pub String, pub usize); - -/// The right hand side of a %stack stack-manipulation macro. -#[derive(Eq, PartialEq, Clone, Debug)] -pub(crate) enum StackReplacement { - Literal(U256), - /// Can be either a named item or a label. - Identifier(String), - Label(String), - MacroLabel(String), - MacroVar(String), - Constant(String), -} - -impl From for StackReplacement { - fn from(target: PushTarget) -> Self { - match target { - PushTarget::Literal(x) => Self::Literal(x), - PushTarget::Label(l) => Self::Label(l), - PushTarget::MacroLabel(l) => Self::MacroLabel(l), - PushTarget::MacroVar(v) => Self::MacroVar(v), - PushTarget::Constant(c) => Self::Constant(c), - } - } -} - -/// The target of a `PUSH` operation. -#[derive(Clone, Debug, Eq, PartialEq, Hash)] -pub(crate) enum PushTarget { - Literal(U256), - Label(String), - MacroLabel(String), - MacroVar(String), - Constant(String), -} - -/// The target of a `BYTES` item. -#[derive(Clone, Debug, Eq, PartialEq, Hash)] -pub(crate) enum BytesTarget { - Literal(u8), - Constant(String), -} diff --git a/evm/src/cpu/kernel/constants/context_metadata.rs b/evm/src/cpu/kernel/constants/context_metadata.rs deleted file mode 100644 index ffcc65387a..0000000000 --- a/evm/src/cpu/kernel/constants/context_metadata.rs +++ /dev/null @@ -1,87 +0,0 @@ -use crate::memory::segments::Segment; - -/// These metadata fields contain VM state specific to a particular context. -/// -/// Each value is directly scaled by the corresponding `Segment::ContextMetadata` value for faster -/// memory access in the kernel. -#[allow(clippy::enum_clike_unportable_variant)] -#[repr(usize)] -#[derive(Copy, Clone, Eq, PartialEq, Hash, Ord, PartialOrd, Debug)] -pub(crate) enum ContextMetadata { - /// The ID of the context which created this one. - ParentContext = Segment::ContextMetadata as usize, - /// The program counter to return to when we return to the parent context. - ParentProgramCounter, - CalldataSize, - ReturndataSize, - /// The address of the account associated with this context. - Address, - /// The size of the code under the account associated with this context. - /// While this information could be obtained from the state trie, it is best to cache it since - /// the `CODESIZE` instruction is very cheap. - CodeSize, - /// The address of the caller who spawned this context. - Caller, - /// The value (in wei) deposited by the caller. - CallValue, - /// Whether this context was created by `STATICCALL`, in which case state changes are - /// prohibited. - Static, - /// Pointer to the initial version of the state trie, at the creation of this context. Used when - /// we need to revert a context. - StateTrieCheckpointPointer, - /// Size of the active main memory, in (32 byte) words. - MemWords, - StackSize, - /// The gas limit for this call (not the entire transaction). - GasLimit, - ContextCheckpointsLen, -} - -impl ContextMetadata { - pub(crate) const COUNT: usize = 14; - - /// Unscales this virtual offset by their respective `Segment` value. - pub(crate) const fn unscale(&self) -> usize { - *self as usize - Segment::ContextMetadata as usize - } - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::ParentContext, - Self::ParentProgramCounter, - Self::CalldataSize, - Self::ReturndataSize, - Self::Address, - Self::CodeSize, - Self::Caller, - Self::CallValue, - Self::Static, - Self::StateTrieCheckpointPointer, - Self::MemWords, - Self::StackSize, - Self::GasLimit, - Self::ContextCheckpointsLen, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - ContextMetadata::ParentContext => "CTX_METADATA_PARENT_CONTEXT", - ContextMetadata::ParentProgramCounter => "CTX_METADATA_PARENT_PC", - ContextMetadata::CalldataSize => "CTX_METADATA_CALLDATA_SIZE", - ContextMetadata::ReturndataSize => "CTX_METADATA_RETURNDATA_SIZE", - ContextMetadata::Address => "CTX_METADATA_ADDRESS", - ContextMetadata::CodeSize => "CTX_METADATA_CODE_SIZE", - ContextMetadata::Caller => "CTX_METADATA_CALLER", - ContextMetadata::CallValue => "CTX_METADATA_CALL_VALUE", - ContextMetadata::Static => "CTX_METADATA_STATIC", - ContextMetadata::StateTrieCheckpointPointer => "CTX_METADATA_STATE_TRIE_CHECKPOINT_PTR", - ContextMetadata::MemWords => "CTX_METADATA_MEM_WORDS", - ContextMetadata::StackSize => "CTX_METADATA_STACK_SIZE", - ContextMetadata::GasLimit => "CTX_METADATA_GAS_LIMIT", - ContextMetadata::ContextCheckpointsLen => "CTX_METADATA_CHECKPOINTS_LEN", - } - } -} diff --git a/evm/src/cpu/kernel/constants/exc_bitfields.rs b/evm/src/cpu/kernel/constants/exc_bitfields.rs deleted file mode 100644 index 59dec8b1e8..0000000000 --- a/evm/src/cpu/kernel/constants/exc_bitfields.rs +++ /dev/null @@ -1,53 +0,0 @@ -use core::ops::RangeInclusive; - -use ethereum_types::U256; - -/// Create a U256, where the bits at indices inside the specified ranges are set to 1, and all other -/// bits are set to 0. -const fn u256_from_set_index_ranges(ranges: &[RangeInclusive; N]) -> U256 { - let mut j = 0; - let mut res_limbs = [0u64; 4]; - while j < ranges.len() { - let range = &ranges[j]; - let mut i = *range.start(); - if i > *range.end() { - continue; - } - loop { - let i_lo = i & 0x3f; - let i_hi = i >> 6; - res_limbs[i_hi as usize] |= 1 << i_lo; - - if i >= *range.end() { - break; - } - i += 1; - } - j += 1; - } - U256(res_limbs) -} - -pub(crate) const STACK_LENGTH_INCREASING_OPCODES_USER: U256 = u256_from_set_index_ranges(&[ - 0x30..=0x30, // ADDRESS - 0x32..=0x34, // ORIGIN, CALLER, CALLVALUE - 0x36..=0x36, // CALLDATASIZE - 0x38..=0x38, // CODESIZE - 0x3a..=0x3a, // GASPRICE - 0x3d..=0x3d, // RETURNDATASIZE - 0x41..=0x48, // COINBASE, TIMESTAMP, NUMBER, DIFFICULTY, GASLIMIT, CHAINID, SELFBALANCE, BASEFEE - 0x58..=0x5a, // PC, MSIZE, GAS - 0x5f..=0x8f, // PUSH*, DUP* -]); - -pub(crate) const INVALID_OPCODES_USER: U256 = u256_from_set_index_ranges(&[ - 0x0c..=0x0f, - 0x1e..=0x1f, - 0x21..=0x2f, - 0x49..=0x4f, - 0x5c..=0x5e, - 0xa5..=0xef, - 0xf6..=0xf9, - 0xfb..=0xfc, - 0xfe..=0xfe, -]); diff --git a/evm/src/cpu/kernel/constants/global_metadata.rs b/evm/src/cpu/kernel/constants/global_metadata.rs deleted file mode 100644 index 0b3f66481e..0000000000 --- a/evm/src/cpu/kernel/constants/global_metadata.rs +++ /dev/null @@ -1,208 +0,0 @@ -use crate::memory::segments::Segment; - -/// These metadata fields contain global VM state, stored in the `Segment::Metadata` segment of the -/// kernel's context (which is zero). -/// -/// Each value is directly scaled by the corresponding `Segment::GlobalMetadata` value for faster -/// memory access in the kernel. -#[allow(clippy::enum_clike_unportable_variant)] -#[repr(usize)] -#[derive(Copy, Clone, Eq, PartialEq, Hash, Ord, PartialOrd, Debug)] -pub(crate) enum GlobalMetadata { - /// The largest context ID that has been used so far in this execution. Tracking this allows us - /// give each new context a unique ID, so that its memory will be zero-initialized. - LargestContext = Segment::GlobalMetadata as usize, - /// The size of active memory, in bytes. - MemorySize, - /// The size of the `TrieData` segment, in bytes. In other words, the next address available for - /// appending additional trie data. - TrieDataSize, - /// The size of the `TrieData` segment, in bytes, represented as a whole address. - /// In other words, the next address available for appending additional trie data. - RlpDataSize, - /// A pointer to the root of the state trie within the `TrieData` buffer. - StateTrieRoot, - /// A pointer to the root of the transaction trie within the `TrieData` buffer. - TransactionTrieRoot, - /// A pointer to the root of the receipt trie within the `TrieData` buffer. - ReceiptTrieRoot, - - // The root digests of each Merkle trie before these transactions. - StateTrieRootDigestBefore, - TransactionTrieRootDigestBefore, - ReceiptTrieRootDigestBefore, - - // The root digests of each Merkle trie after these transactions. - StateTrieRootDigestAfter, - TransactionTrieRootDigestAfter, - ReceiptTrieRootDigestAfter, - - // Block metadata. - BlockBeneficiary, - BlockTimestamp, - BlockNumber, - BlockDifficulty, - BlockRandom, - BlockGasLimit, - BlockChainId, - BlockBaseFee, - BlockGasUsed, - /// Before current transactions block values. - BlockGasUsedBefore, - /// After current transactions block values. - BlockGasUsedAfter, - /// Current block header hash - BlockCurrentHash, - - /// Gas to refund at the end of the transaction. - RefundCounter, - /// Length of the addresses access list. - AccessedAddressesLen, - /// Length of the storage keys access list. - AccessedStorageKeysLen, - /// Length of the self-destruct list. - SelfDestructListLen, - /// Length of the bloom entry buffer. - BloomEntryLen, - - /// Length of the journal. - JournalLen, - /// Length of the `JournalData` segment. - JournalDataLen, - /// Current checkpoint. - CurrentCheckpoint, - TouchedAddressesLen, - // Gas cost for the access list in type-1 txns. See EIP-2930. - AccessListDataCost, - // Start of the access list in the RLP for type-1 txns. - AccessListRlpStart, - // Length of the access list in the RLP for type-1 txns. - AccessListRlpLen, - // Boolean flag indicating if the txn is a contract creation txn. - ContractCreation, - IsPrecompileFromEoa, - CallStackDepth, - /// Transaction logs list length - LogsLen, - LogsDataLen, - LogsPayloadLen, - TxnNumberBefore, - TxnNumberAfter, - - KernelHash, - KernelLen, -} - -impl GlobalMetadata { - pub(crate) const COUNT: usize = 47; - - /// Unscales this virtual offset by their respective `Segment` value. - pub(crate) const fn unscale(&self) -> usize { - *self as usize - Segment::GlobalMetadata as usize - } - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::LargestContext, - Self::MemorySize, - Self::TrieDataSize, - Self::RlpDataSize, - Self::StateTrieRoot, - Self::TransactionTrieRoot, - Self::ReceiptTrieRoot, - Self::StateTrieRootDigestBefore, - Self::TransactionTrieRootDigestBefore, - Self::ReceiptTrieRootDigestBefore, - Self::StateTrieRootDigestAfter, - Self::TransactionTrieRootDigestAfter, - Self::ReceiptTrieRootDigestAfter, - Self::BlockBeneficiary, - Self::BlockTimestamp, - Self::BlockNumber, - Self::BlockDifficulty, - Self::BlockRandom, - Self::BlockGasLimit, - Self::BlockChainId, - Self::BlockBaseFee, - Self::BlockGasUsed, - Self::BlockGasUsedBefore, - Self::BlockGasUsedAfter, - Self::RefundCounter, - Self::AccessedAddressesLen, - Self::AccessedStorageKeysLen, - Self::SelfDestructListLen, - Self::BloomEntryLen, - Self::JournalLen, - Self::JournalDataLen, - Self::CurrentCheckpoint, - Self::TouchedAddressesLen, - Self::AccessListDataCost, - Self::AccessListRlpStart, - Self::AccessListRlpLen, - Self::ContractCreation, - Self::IsPrecompileFromEoa, - Self::CallStackDepth, - Self::LogsLen, - Self::LogsDataLen, - Self::LogsPayloadLen, - Self::BlockCurrentHash, - Self::TxnNumberBefore, - Self::TxnNumberAfter, - Self::KernelHash, - Self::KernelLen, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - Self::LargestContext => "GLOBAL_METADATA_LARGEST_CONTEXT", - Self::MemorySize => "GLOBAL_METADATA_MEMORY_SIZE", - Self::TrieDataSize => "GLOBAL_METADATA_TRIE_DATA_SIZE", - Self::RlpDataSize => "GLOBAL_METADATA_RLP_DATA_SIZE", - Self::StateTrieRoot => "GLOBAL_METADATA_STATE_TRIE_ROOT", - Self::TransactionTrieRoot => "GLOBAL_METADATA_TXN_TRIE_ROOT", - Self::ReceiptTrieRoot => "GLOBAL_METADATA_RECEIPT_TRIE_ROOT", - Self::StateTrieRootDigestBefore => "GLOBAL_METADATA_STATE_TRIE_DIGEST_BEFORE", - Self::TransactionTrieRootDigestBefore => "GLOBAL_METADATA_TXN_TRIE_DIGEST_BEFORE", - Self::ReceiptTrieRootDigestBefore => "GLOBAL_METADATA_RECEIPT_TRIE_DIGEST_BEFORE", - Self::StateTrieRootDigestAfter => "GLOBAL_METADATA_STATE_TRIE_DIGEST_AFTER", - Self::TransactionTrieRootDigestAfter => "GLOBAL_METADATA_TXN_TRIE_DIGEST_AFTER", - Self::ReceiptTrieRootDigestAfter => "GLOBAL_METADATA_RECEIPT_TRIE_DIGEST_AFTER", - Self::BlockBeneficiary => "GLOBAL_METADATA_BLOCK_BENEFICIARY", - Self::BlockTimestamp => "GLOBAL_METADATA_BLOCK_TIMESTAMP", - Self::BlockNumber => "GLOBAL_METADATA_BLOCK_NUMBER", - Self::BlockDifficulty => "GLOBAL_METADATA_BLOCK_DIFFICULTY", - Self::BlockRandom => "GLOBAL_METADATA_BLOCK_RANDOM", - Self::BlockGasLimit => "GLOBAL_METADATA_BLOCK_GAS_LIMIT", - Self::BlockChainId => "GLOBAL_METADATA_BLOCK_CHAIN_ID", - Self::BlockBaseFee => "GLOBAL_METADATA_BLOCK_BASE_FEE", - Self::BlockGasUsed => "GLOBAL_METADATA_BLOCK_GAS_USED", - Self::BlockGasUsedBefore => "GLOBAL_METADATA_BLOCK_GAS_USED_BEFORE", - Self::BlockGasUsedAfter => "GLOBAL_METADATA_BLOCK_GAS_USED_AFTER", - Self::BlockCurrentHash => "GLOBAL_METADATA_BLOCK_CURRENT_HASH", - Self::RefundCounter => "GLOBAL_METADATA_REFUND_COUNTER", - Self::AccessedAddressesLen => "GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN", - Self::AccessedStorageKeysLen => "GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN", - Self::SelfDestructListLen => "GLOBAL_METADATA_SELFDESTRUCT_LIST_LEN", - Self::BloomEntryLen => "GLOBAL_METADATA_BLOOM_ENTRY_LEN", - Self::JournalLen => "GLOBAL_METADATA_JOURNAL_LEN", - Self::JournalDataLen => "GLOBAL_METADATA_JOURNAL_DATA_LEN", - Self::CurrentCheckpoint => "GLOBAL_METADATA_CURRENT_CHECKPOINT", - Self::TouchedAddressesLen => "GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN", - Self::AccessListDataCost => "GLOBAL_METADATA_ACCESS_LIST_DATA_COST", - Self::AccessListRlpStart => "GLOBAL_METADATA_ACCESS_LIST_RLP_START", - Self::AccessListRlpLen => "GLOBAL_METADATA_ACCESS_LIST_RLP_LEN", - Self::ContractCreation => "GLOBAL_METADATA_CONTRACT_CREATION", - Self::IsPrecompileFromEoa => "GLOBAL_METADATA_IS_PRECOMPILE_FROM_EOA", - Self::CallStackDepth => "GLOBAL_METADATA_CALL_STACK_DEPTH", - Self::LogsLen => "GLOBAL_METADATA_LOGS_LEN", - Self::LogsDataLen => "GLOBAL_METADATA_LOGS_DATA_LEN", - Self::LogsPayloadLen => "GLOBAL_METADATA_LOGS_PAYLOAD_LEN", - Self::TxnNumberBefore => "GLOBAL_METADATA_TXN_NUMBER_BEFORE", - Self::TxnNumberAfter => "GLOBAL_METADATA_TXN_NUMBER_AFTER", - Self::KernelHash => "GLOBAL_METADATA_KERNEL_HASH", - Self::KernelLen => "GLOBAL_METADATA_KERNEL_LEN", - } - } -} diff --git a/evm/src/cpu/kernel/constants/journal_entry.rs b/evm/src/cpu/kernel/constants/journal_entry.rs deleted file mode 100644 index d84f2ade8f..0000000000 --- a/evm/src/cpu/kernel/constants/journal_entry.rs +++ /dev/null @@ -1,51 +0,0 @@ -#[derive(Copy, Clone, Eq, PartialEq, Hash, Ord, PartialOrd, Debug)] -pub(crate) enum JournalEntry { - AccountLoaded = 0, - AccountDestroyed = 1, - AccountTouched = 2, - BalanceTransfer = 3, - NonceChange = 4, - StorageChange = 5, - StorageLoaded = 6, - CodeChange = 7, - Refund = 8, - AccountCreated = 9, - Log = 10, -} - -impl JournalEntry { - pub(crate) const COUNT: usize = 11; - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::AccountLoaded, - Self::AccountDestroyed, - Self::AccountTouched, - Self::BalanceTransfer, - Self::NonceChange, - Self::StorageChange, - Self::StorageLoaded, - Self::CodeChange, - Self::Refund, - Self::AccountCreated, - Self::Log, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - Self::AccountLoaded => "JOURNAL_ENTRY_ACCOUNT_LOADED", - Self::AccountDestroyed => "JOURNAL_ENTRY_ACCOUNT_DESTROYED", - Self::AccountTouched => "JOURNAL_ENTRY_ACCOUNT_TOUCHED", - Self::BalanceTransfer => "JOURNAL_ENTRY_BALANCE_TRANSFER", - Self::NonceChange => "JOURNAL_ENTRY_NONCE_CHANGE", - Self::StorageChange => "JOURNAL_ENTRY_STORAGE_CHANGE", - Self::StorageLoaded => "JOURNAL_ENTRY_STORAGE_LOADED", - Self::CodeChange => "JOURNAL_ENTRY_CODE_CHANGE", - Self::Refund => "JOURNAL_ENTRY_REFUND", - Self::AccountCreated => "JOURNAL_ENTRY_ACCOUNT_CREATED", - Self::Log => "JOURNAL_ENTRY_LOG", - } - } -} diff --git a/evm/src/cpu/kernel/constants/mod.rs b/evm/src/cpu/kernel/constants/mod.rs deleted file mode 100644 index 82c820f054..0000000000 --- a/evm/src/cpu/kernel/constants/mod.rs +++ /dev/null @@ -1,286 +0,0 @@ -use std::collections::HashMap; - -use ethereum_types::U256; -use hex_literal::hex; - -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::constants::journal_entry::JournalEntry; -use crate::cpu::kernel::constants::trie_type::PartialTrieType; -use crate::cpu::kernel::constants::txn_fields::NormalizedTxnField; -use crate::memory::segments::Segment; - -pub(crate) mod context_metadata; -mod exc_bitfields; -pub(crate) mod global_metadata; -pub(crate) mod journal_entry; -pub(crate) mod trie_type; -pub(crate) mod txn_fields; - -/// Constants that are accessible to our kernel assembly code. -pub(crate) fn evm_constants() -> HashMap { - let mut c = HashMap::new(); - - let hex_constants = MISC_CONSTANTS - .iter() - .chain(EC_CONSTANTS.iter()) - .chain(HASH_CONSTANTS.iter()) - .cloned(); - for (name, value) in hex_constants { - c.insert(name.into(), U256::from_big_endian(&value)); - } - - for (name, value) in GAS_CONSTANTS { - c.insert(name.into(), U256::from(value)); - } - - for (name, value) in REFUND_CONSTANTS { - c.insert(name.into(), U256::from(value)); - } - - for (name, value) in PRECOMPILES { - c.insert(name.into(), U256::from(value)); - } - - for (name, value) in PRECOMPILES_GAS { - c.insert(name.into(), U256::from(value)); - } - - for (name, value) in CODE_SIZE_LIMIT { - c.insert(name.into(), U256::from(value)); - } - - for (name, value) in SNARKV_POINTERS { - c.insert(name.into(), U256::from(value)); - } - - c.insert(MAX_NONCE.0.into(), U256::from(MAX_NONCE.1)); - c.insert(CALL_STACK_LIMIT.0.into(), U256::from(CALL_STACK_LIMIT.1)); - - for segment in Segment::all() { - c.insert(segment.var_name().into(), (segment as usize).into()); - } - for txn_field in NormalizedTxnField::all() { - // These offsets are already scaled by their respective segment. - c.insert(txn_field.var_name().into(), (txn_field as usize).into()); - } - for txn_field in GlobalMetadata::all() { - // These offsets are already scaled by their respective segment. - c.insert(txn_field.var_name().into(), (txn_field as usize).into()); - } - for txn_field in ContextMetadata::all() { - // These offsets are already scaled by their respective segment. - c.insert(txn_field.var_name().into(), (txn_field as usize).into()); - } - for trie_type in PartialTrieType::all() { - c.insert(trie_type.var_name().into(), (trie_type as u32).into()); - } - for entry in JournalEntry::all() { - c.insert(entry.var_name().into(), (entry as u32).into()); - } - c.insert( - "INVALID_OPCODES_USER".into(), - exc_bitfields::INVALID_OPCODES_USER, - ); - c.insert( - "STACK_LENGTH_INCREASING_OPCODES_USER".into(), - exc_bitfields::STACK_LENGTH_INCREASING_OPCODES_USER, - ); - c -} - -const MISC_CONSTANTS: [(&str, [u8; 32]); 3] = [ - // Base for limbs used in bignum arithmetic. - ( - "BIGNUM_LIMB_BASE", - hex!("0000000000000000000000000000000100000000000000000000000000000000"), - ), - // Position in SEGMENT_RLP_RAW where the empty node encoding is stored. It is - // equal to u32::MAX + @SEGMENT_RLP_RAW so that all rlp pointers are much smaller than that. - ( - "ENCODED_EMPTY_NODE_POS", - hex!("0000000000000000000000000000000000000000000000000000000CFFFFFFFF"), - ), - // 0x10000 = 2^16 bytes, much larger than any RLP blob the EVM could possibly create. - ( - "MAX_RLP_BLOB_SIZE", - hex!("0000000000000000000000000000000000000000000000000000000000010000"), - ), -]; - -const HASH_CONSTANTS: [(&str, [u8; 32]); 2] = [ - // Hash of an empty string: keccak(b'').hex() - ( - "EMPTY_STRING_HASH", - hex!("c5d2460186f7233c927e7db2dcc703c0e500b653ca82273b7bfad8045d85a470"), - ), - // Hash of an empty node: keccak(rlp.encode(b'')).hex() - ( - "EMPTY_NODE_HASH", - hex!("56e81f171bcc55a6ff8345e692c0f86e5b48e01b996cadc001622fb5e363b421"), - ), -]; - -const EC_CONSTANTS: [(&str, [u8; 32]); 20] = [ - ( - "U256_MAX", - hex!("ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"), - ), - ( - "BN_BASE", - hex!("30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47"), - ), - ( - "BN_TWISTED_RE", - hex!("2b149d40ceb8aaae81be18991be06ac3b5b4c5e559dbefa33267e6dc24a138e5"), - ), - ( - "BN_TWISTED_IM", - hex!("009713b03af0fed4cd2cafadeed8fdf4a74fa084e52d1852e4a2bd0685c315d2"), - ), - ( - "BN_SCALAR", - hex!("30644e72e131a029b85045b68181585d2833e84879b9709143e1f593f0000001"), - ), - ( - "BN_GLV_BETA", - hex!("000000000000000059e26bcea0d48bacd4f263f1acdb5c4f5763473177fffffe"), - ), - ( - "BN_GLV_S", - hex!("0000000000000000b3c4d79d41a917585bfc41088d8daaa78b17ea66b99c90dd"), - ), - ( - "BN_GLV_MINUS_G1", - hex!("000000000000000000000000000000024ccef014a773d2cf7a7bd9d4391eb18d"), - ), - ( - "BN_GLV_G2", - hex!("000000000000000000000000000000000000000000000002d91d232ec7e0b3d7"), - ), - ( - "BN_GLV_B1", - hex!("30644e72e131a029b85045b68181585cb8e665ff8b011694c1d039a872b0eed9"), - ), - ( - "BN_GLV_B2", - hex!("00000000000000000000000000000000000000000000000089d3256894d213e3"), - ), - ( - "BN_BNEG_LOC", - // This just needs to be large enough to not interfere with anything else in SEGMENT_BN_TABLE_Q. - hex!("0000000000000000000000000000000000000000000000000000000000001337"), - ), - ( - "SECP_BASE", - hex!("fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f"), - ), - ( - "SECP_SCALAR", - hex!("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141"), - ), - ( - "SECP_GLV_BETA", - hex!("7ae96a2b657c07106e64479eac3434e99cf0497512f58995c1396c28719501ee"), - ), - ( - "SECP_GLV_S", - hex!("5363ad4cc05c30e0a5261c028812645a122e22ea20816678df02967c1b23bd72"), - ), - ( - "SECP_GLV_MINUS_G1", - hex!("00000000000000000000000000000000e4437ed6010e88286f547fa90abfe4c4"), - ), - ( - "SECP_GLV_G2", - hex!("000000000000000000000000000000003086d221a7d46bcde86c90e49284eb15"), - ), - ( - "SECP_GLV_B1", - hex!("fffffffffffffffffffffffffffffffdd66b5e10ae3a1813507ddee3c5765c7e"), - ), - ( - "SECP_GLV_B2", - hex!("000000000000000000000000000000003086d221a7d46bcde86c90e49284eb15"), - ), -]; - -const GAS_CONSTANTS: [(&str, u16); 36] = [ - ("GAS_ZERO", 0), - ("GAS_JUMPDEST", 1), - ("GAS_BASE", 2), - ("GAS_VERYLOW", 3), - ("GAS_LOW", 5), - ("GAS_MID", 8), - ("GAS_HIGH", 10), - ("GAS_WARMACCESS", 100), - ("GAS_ACCESSLISTADDRESS", 2_400), - ("GAS_ACCESSLISTSTORAGE", 1_900), - ("GAS_COLDACCOUNTACCESS", 2_600), - ("GAS_COLDACCOUNTACCESS_MINUS_WARMACCESS", 2_500), - ("GAS_COLDSLOAD", 2_100), - ("GAS_COLDSLOAD_MINUS_WARMACCESS", 2_000), - ("GAS_SSET", 20_000), - ("GAS_SRESET", 2_900), - ("GAS_SELFDESTRUCT", 5_000), - ("GAS_CREATE", 32_000), - ("GAS_CODEDEPOSIT", 200), - ("GAS_CALLVALUE", 9_000), - ("GAS_CALLSTIPEND", 2_300), - ("GAS_NEWACCOUNT", 25_000), - ("GAS_EXP", 10), - ("GAS_EXPBYTE", 50), - ("GAS_MEMORY", 3), - ("GAS_TXCREATE", 32_000), - ("GAS_TXDATAZERO", 4), - ("GAS_TXDATANONZERO", 16), - ("GAS_TRANSACTION", 21_000), - ("GAS_LOG", 375), - ("GAS_LOGDATA", 8), - ("GAS_LOGTOPIC", 375), - ("GAS_KECCAK256", 30), - ("GAS_KECCAK256WORD", 6), - ("GAS_COPY", 3), - ("GAS_BLOCKHASH", 20), -]; - -const REFUND_CONSTANTS: [(&str, u16); 2] = [("REFUND_SCLEAR", 4_800), ("MAX_REFUND_QUOTIENT", 5)]; - -const PRECOMPILES: [(&str, u16); 9] = [ - ("ECREC", 1), - ("SHA256", 2), - ("RIP160", 3), - ("ID", 4), - ("EXPMOD", 5), - ("BN_ADD", 6), - ("BN_MUL", 7), - ("SNARKV", 8), - ("BLAKE2_F", 9), -]; - -const PRECOMPILES_GAS: [(&str, u16); 13] = [ - ("ECREC_GAS", 3_000), - ("SHA256_STATIC_GAS", 60), - ("SHA256_DYNAMIC_GAS", 12), - ("RIP160_STATIC_GAS", 600), - ("RIP160_DYNAMIC_GAS", 120), - ("ID_STATIC_GAS", 15), - ("ID_DYNAMIC_GAS", 3), - ("EXPMOD_MIN_GAS", 200), - ("BN_ADD_GAS", 150), - ("BN_MUL_GAS", 6_000), - ("SNARKV_STATIC_GAS", 45_000), - ("SNARKV_DYNAMIC_GAS", 34_000), - ("BLAKE2_F__GAS", 1), -]; - -const SNARKV_POINTERS: [(&str, u64); 2] = [("SNARKV_INP", 112), ("SNARKV_OUT", 100)]; - -const CODE_SIZE_LIMIT: [(&str, u64); 3] = [ - ("MAX_CODE_SIZE", 0x6000), - ("MAX_INITCODE_SIZE", 0xc000), - ("INITCODE_WORD_COST", 2), -]; - -const MAX_NONCE: (&str, u64) = ("MAX_NONCE", 0xffffffffffffffff); -const CALL_STACK_LIMIT: (&str, u64) = ("CALL_STACK_LIMIT", 1024); diff --git a/evm/src/cpu/kernel/constants/trie_type.rs b/evm/src/cpu/kernel/constants/trie_type.rs deleted file mode 100644 index fd89f41000..0000000000 --- a/evm/src/cpu/kernel/constants/trie_type.rs +++ /dev/null @@ -1,49 +0,0 @@ -use core::ops::Deref; - -use eth_trie_utils::partial_trie::HashedPartialTrie; - -use crate::Node; - -#[derive(Copy, Clone, Debug)] -pub(crate) enum PartialTrieType { - Empty = 0, - Hash = 1, - Branch = 2, - Extension = 3, - Leaf = 4, -} - -impl PartialTrieType { - pub(crate) const COUNT: usize = 5; - - pub(crate) fn of(trie: &HashedPartialTrie) -> Self { - match trie.deref() { - Node::Empty => Self::Empty, - Node::Hash(_) => Self::Hash, - Node::Branch { .. } => Self::Branch, - Node::Extension { .. } => Self::Extension, - Node::Leaf { .. } => Self::Leaf, - } - } - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::Empty, - Self::Hash, - Self::Branch, - Self::Extension, - Self::Leaf, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - Self::Empty => "MPT_NODE_EMPTY", - Self::Hash => "MPT_NODE_HASH", - Self::Branch => "MPT_NODE_BRANCH", - Self::Extension => "MPT_NODE_EXTENSION", - Self::Leaf => "MPT_NODE_LEAF", - } - } -} diff --git a/evm/src/cpu/kernel/constants/txn_fields.rs b/evm/src/cpu/kernel/constants/txn_fields.rs deleted file mode 100644 index 0b74409b37..0000000000 --- a/evm/src/cpu/kernel/constants/txn_fields.rs +++ /dev/null @@ -1,88 +0,0 @@ -use crate::memory::segments::Segment; - -/// These are normalized transaction fields, i.e. not specific to any transaction type. -/// -/// Each value is directly scaled by the corresponding `Segment::TxnFields` value for faster -/// memory access in the kernel. -#[allow(dead_code)] -#[allow(clippy::enum_clike_unportable_variant)] -#[repr(usize)] -#[derive(Copy, Clone, Eq, PartialEq, Hash, Ord, PartialOrd, Debug)] -pub(crate) enum NormalizedTxnField { - /// Whether a chain ID was present in the txn data. Type 0 transaction with v=27 or v=28 have - /// no chain ID. This affects what fields get signed. - ChainIdPresent = Segment::TxnFields as usize, - ChainId, - Nonce, - MaxPriorityFeePerGas, - MaxFeePerGas, - GasLimit, - IntrinsicGas, - To, - Value, - /// The length of the data field. The data itself is stored in another segment. - DataLen, - YParity, - R, - S, - Origin, - - /// The actual computed gas price for this transaction in the block. - /// This is not technically a transaction field, as it depends on the block's base fee. - ComputedFeePerGas, - ComputedPriorityFeePerGas, -} - -impl NormalizedTxnField { - pub(crate) const COUNT: usize = 16; - - /// Unscales this virtual offset by their respective `Segment` value. - pub(crate) const fn unscale(&self) -> usize { - *self as usize - Segment::TxnFields as usize - } - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::ChainIdPresent, - Self::ChainId, - Self::Nonce, - Self::MaxPriorityFeePerGas, - Self::MaxFeePerGas, - Self::GasLimit, - Self::IntrinsicGas, - Self::To, - Self::Value, - Self::DataLen, - Self::YParity, - Self::R, - Self::S, - Self::Origin, - Self::ComputedFeePerGas, - Self::ComputedPriorityFeePerGas, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - NormalizedTxnField::ChainIdPresent => "TXN_FIELD_CHAIN_ID_PRESENT", - NormalizedTxnField::ChainId => "TXN_FIELD_CHAIN_ID", - NormalizedTxnField::Nonce => "TXN_FIELD_NONCE", - NormalizedTxnField::MaxPriorityFeePerGas => "TXN_FIELD_MAX_PRIORITY_FEE_PER_GAS", - NormalizedTxnField::MaxFeePerGas => "TXN_FIELD_MAX_FEE_PER_GAS", - NormalizedTxnField::GasLimit => "TXN_FIELD_GAS_LIMIT", - NormalizedTxnField::IntrinsicGas => "TXN_FIELD_INTRINSIC_GAS", - NormalizedTxnField::To => "TXN_FIELD_TO", - NormalizedTxnField::Value => "TXN_FIELD_VALUE", - NormalizedTxnField::DataLen => "TXN_FIELD_DATA_LEN", - NormalizedTxnField::YParity => "TXN_FIELD_Y_PARITY", - NormalizedTxnField::R => "TXN_FIELD_R", - NormalizedTxnField::S => "TXN_FIELD_S", - NormalizedTxnField::Origin => "TXN_FIELD_ORIGIN", - NormalizedTxnField::ComputedFeePerGas => "TXN_FIELD_COMPUTED_FEE_PER_GAS", - NormalizedTxnField::ComputedPriorityFeePerGas => { - "TXN_FIELD_COMPUTED_PRIORITY_FEE_PER_GAS" - } - } - } -} diff --git a/evm/src/cpu/kernel/cost_estimator.rs b/evm/src/cpu/kernel/cost_estimator.rs deleted file mode 100644 index 70cc726772..0000000000 --- a/evm/src/cpu/kernel/cost_estimator.rs +++ /dev/null @@ -1,36 +0,0 @@ -use crate::cpu::kernel::assembler::BYTES_PER_OFFSET; -use crate::cpu::kernel::ast::Item; -use crate::cpu::kernel::ast::Item::*; -use crate::cpu::kernel::ast::PushTarget::*; -use crate::cpu::kernel::utils::u256_to_trimmed_be_bytes; - -pub(crate) fn is_code_improved(before: &[Item], after: &[Item]) -> bool { - cost_estimate(after) < cost_estimate(before) -} - -fn cost_estimate(code: &[Item]) -> u32 { - code.iter().map(cost_estimate_item).sum() -} - -fn cost_estimate_item(item: &Item) -> u32 { - match item { - MacroDef(_, _, _) => 0, - GlobalLabelDeclaration(_) => 0, - LocalLabelDeclaration(_) => 0, - Push(Literal(n)) => cost_estimate_push(u256_to_trimmed_be_bytes(n).len()), - Push(Label(_)) => cost_estimate_push(BYTES_PER_OFFSET as usize), - ProverInput(_) => 1, - StandardOp(op) => cost_estimate_standard_op(op.as_str()), - _ => panic!("Unexpected item: {item:?}"), - } -} - -const fn cost_estimate_standard_op(_op: &str) -> u32 { - // For now we just treat any standard operation as having the same cost. This is pretty naive, - // but should work fine with our current set of simple optimization rules. - 1 -} - -const fn cost_estimate_push(num_bytes: usize) -> u32 { - num_bytes as u32 -} diff --git a/evm/src/cpu/kernel/evm_asm.pest b/evm/src/cpu/kernel/evm_asm.pest deleted file mode 100644 index 40dec03b3e..0000000000 --- a/evm/src/cpu/kernel/evm_asm.pest +++ /dev/null @@ -1,47 +0,0 @@ -// Grammar for our EVM assembly code. -// Loosely based on https://gist.github.com/axic/17ddbbce4738ccf4040d30cbb5de484e - -WHITESPACE = _{ " " | "\t" | NEWLINE } -COMMENT = _{ "/*" ~ (!"*/" ~ ANY)* ~ "*/" | "//" ~ (!NEWLINE ~ ANY)* ~ NEWLINE } - -identifier_first_char = _{ ASCII_ALPHA | "_" } -identifier_char = _{ ASCII_ALPHANUMERIC | "_" } -identifier = @{ identifier_first_char ~ identifier_char* } - -literal_decimal = @{ ASCII_DIGIT+ } -literal_hex = @{ ^"0x" ~ ASCII_HEX_DIGIT+ } -literal = { literal_hex | literal_decimal } - -variable = ${ "$" ~ identifier } -constant = ${ "@" ~ identifier } - -item = { macro_def | macro_call | repeat | stack | global_label_decl | local_label_decl | macro_label_decl | bytes_item | jumptable_item | push_instruction | prover_input_instruction | nullary_instruction } -macro_def = { ^"%macro" ~ identifier ~ paramlist? ~ item* ~ ^"%endmacro" } -macro_call = ${ "%" ~ !((^"macro" | ^"endmacro" | ^"rep" | ^"endrep" | ^"stack") ~ !identifier_char) ~ identifier ~ macro_arglist? } -repeat = { ^"%rep" ~ literal ~ item* ~ ^"%endrep" } -paramlist = { "(" ~ identifier ~ ("," ~ identifier)* ~ ")" } -macro_arglist = !{ "(" ~ push_target ~ ("," ~ push_target)* ~ ")" } - -stack = { ^"%stack" ~ stack_placeholders ~ "->" ~ stack_replacements } -stack_placeholders = { "(" ~ (stack_placeholder ~ ("," ~ stack_placeholder)*)? ~ ")" } -stack_placeholder = { stack_block | identifier } -stack_block = { identifier ~ ":" ~ literal_decimal } -stack_replacements = { "(" ~ (stack_replacement ~ ("," ~ stack_replacement)*)? ~ ")" } -stack_replacement = { literal | identifier | constant | macro_label | variable } - -global_label_decl = ${ ^"GLOBAL " ~ identifier ~ ":" } -local_label_decl = ${ identifier ~ ":" } -macro_label_decl = ${ "%%" ~ identifier ~ ":" } -macro_label = ${ "%%" ~ identifier } - -bytes_item = { ^"BYTES " ~ bytes_target ~ ("," ~ bytes_target)* } -bytes_target = { literal | constant } -jumptable_item = { ^"JUMPTABLE " ~ identifier ~ ("," ~ identifier)* } -push_instruction = { ^"PUSH " ~ push_target } -push_target = { literal | identifier | macro_label | variable | constant } -prover_input_instruction = { ^"PROVER_INPUT" ~ "(" ~ prover_input_fn ~ ")" } -prover_input_fn = { identifier ~ ("::" ~ identifier)*} -nullary_instruction = { identifier } - -file = { SOI ~ item* ~ silent_eoi } -silent_eoi = _{ !ANY } diff --git a/evm/src/cpu/kernel/interpreter.rs b/evm/src/cpu/kernel/interpreter.rs deleted file mode 100644 index 5a65ace3d5..0000000000 --- a/evm/src/cpu/kernel/interpreter.rs +++ /dev/null @@ -1,1682 +0,0 @@ -//! An EVM interpreter for testing and debugging purposes. - -use core::cmp::Ordering; -use core::ops::Range; -use std::collections::{BTreeSet, HashMap}; - -use anyhow::bail; -use eth_trie_utils::partial_trie::PartialTrie; -use ethereum_types::{BigEndianHash, H160, H256, U256, U512}; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; - -use super::assembler::BYTES_PER_OFFSET; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::constants::txn_fields::NormalizedTxnField; -use crate::cpu::stack::MAX_USER_STACK_SIZE; -use crate::extension_tower::BN_BASE; -use crate::generation::mpt::load_all_mpts; -use crate::generation::prover_input::ProverInputFn; -use crate::generation::rlp::all_rlp_prover_inputs_reversed; -use crate::generation::state::{all_withdrawals_prover_inputs_reversed, GenerationState}; -use crate::generation::GenerationInputs; -use crate::memory::segments::{Segment, SEGMENT_SCALING_FACTOR}; -use crate::util::{h2u, u256_to_usize}; -use crate::witness::errors::{ProgramError, ProverInputError}; -use crate::witness::gas::gas_to_charge; -use crate::witness::memory::{MemoryAddress, MemoryContextState, MemorySegmentState, MemoryState}; -use crate::witness::operation::{Operation, CONTEXT_SCALING_FACTOR}; -use crate::witness::state::RegistersState; -use crate::witness::transition::decode; -use crate::witness::util::stack_peek; - -type F = GoldilocksField; - -/// Halt interpreter execution whenever a jump to this offset is done. -const DEFAULT_HALT_OFFSET: usize = 0xdeadbeef; - -impl MemoryState { - pub(crate) fn mload_general(&self, context: usize, segment: Segment, offset: usize) -> U256 { - self.get(MemoryAddress::new(context, segment, offset)) - } - - fn mstore_general( - &mut self, - context: usize, - segment: Segment, - offset: usize, - value: U256, - ) -> InterpreterMemOpKind { - let old_value = self.mload_general(context, segment, offset); - self.set(MemoryAddress::new(context, segment, offset), value); - InterpreterMemOpKind::Write(old_value, context, segment as usize, offset) - } -} - -pub(crate) struct Interpreter<'a> { - pub(crate) generation_state: GenerationState, - prover_inputs_map: &'a HashMap, - pub(crate) halt_offsets: Vec, - pub(crate) debug_offsets: Vec, - running: bool, - opcode_count: [usize; 0x100], - memops: Vec, -} - -/// Structure storing the state of the interpreter's registers. -struct InterpreterRegistersState { - kernel_mode: bool, - context: usize, - registers: RegistersState, -} - -/// Interpreter state at the last checkpoint: we only need to store -/// the state of the registers and the length of the vector of memory operations. -/// This data is enough to revert in case of an exception. -struct InterpreterCheckpoint { - registers: InterpreterRegistersState, - mem_len: usize, -} - -pub(crate) fn run_interpreter( - initial_offset: usize, - initial_stack: Vec, -) -> anyhow::Result> { - run( - &KERNEL.code, - initial_offset, - initial_stack, - &KERNEL.prover_inputs, - ) -} - -#[derive(Clone)] -pub(crate) struct InterpreterMemoryInitialization { - pub label: String, - pub stack: Vec, - pub segment: Segment, - pub memory: Vec<(usize, Vec)>, -} - -pub(crate) fn run_interpreter_with_memory( - memory_init: InterpreterMemoryInitialization, -) -> anyhow::Result> { - let label = KERNEL.global_labels[&memory_init.label]; - let mut stack = memory_init.stack; - stack.reverse(); - let mut interpreter = Interpreter::new_with_kernel(label, stack); - for (pointer, data) in memory_init.memory { - for (i, term) in data.iter().enumerate() { - interpreter.generation_state.memory.set( - MemoryAddress::new(0, memory_init.segment, pointer + i), - *term, - ) - } - } - interpreter.run()?; - Ok(interpreter) -} - -pub(crate) fn run<'a>( - code: &'a [u8], - initial_offset: usize, - initial_stack: Vec, - prover_inputs: &'a HashMap, -) -> anyhow::Result> { - let mut interpreter = Interpreter::new(code, initial_offset, initial_stack, prover_inputs); - interpreter.run()?; - Ok(interpreter) -} - -/// Different types of Memory operations in the interpreter, and the data required to revert them. -enum InterpreterMemOpKind { - /// We need to provide the context. - Push(usize), - /// If we pop a certain value, we need to push it back to the correct context when reverting. - Pop(U256, usize), - /// If we write a value at a certain address, we need to write the old value back when reverting. - Write(U256, usize, usize, usize), -} - -impl<'a> Interpreter<'a> { - pub(crate) fn new_with_kernel(initial_offset: usize, initial_stack: Vec) -> Self { - let mut result = Self::new( - &KERNEL.code, - initial_offset, - initial_stack, - &KERNEL.prover_inputs, - ); - result.initialize_rlp_segment(); - result - } - - /// Returns an instance of `Interpreter` given `GenerationInputs`, and assuming we are - /// initializing with the `KERNEL` code. - pub(crate) fn new_with_generation_inputs_and_kernel( - initial_offset: usize, - initial_stack: Vec, - inputs: GenerationInputs, - ) -> Self { - let mut result = Self::new_with_kernel(initial_offset, initial_stack); - result.initialize_interpreter_state_with_kernel(inputs); - result - } - - pub(crate) fn new( - code: &'a [u8], - initial_offset: usize, - initial_stack: Vec, - prover_inputs: &'a HashMap, - ) -> Self { - let mut result = Self { - generation_state: GenerationState::new(GenerationInputs::default(), code) - .expect("Default inputs are known-good"), - prover_inputs_map: prover_inputs, - // `DEFAULT_HALT_OFFSET` is used as a halting point for the interpreter, - // while the label `halt` is the halting label in the kernel. - halt_offsets: vec![DEFAULT_HALT_OFFSET, KERNEL.global_labels["halt"]], - debug_offsets: vec![], - running: false, - opcode_count: [0; 256], - memops: vec![], - }; - result.generation_state.registers.program_counter = initial_offset; - let initial_stack_len = initial_stack.len(); - result.generation_state.registers.stack_len = initial_stack_len; - if !initial_stack.is_empty() { - result.generation_state.registers.stack_top = initial_stack[initial_stack_len - 1]; - *result.stack_segment_mut() = initial_stack; - result.stack_segment_mut().truncate(initial_stack_len - 1); - } - - result - } - - /// Initializes the interpreter state given `GenerationInputs`, using the KERNEL code. - pub(crate) fn initialize_interpreter_state_with_kernel(&mut self, inputs: GenerationInputs) { - self.initialize_interpreter_state(inputs, KERNEL.code_hash, KERNEL.code.len()); - } - - /// Initializes the interpreter state given `GenerationInputs`. - pub(crate) fn initialize_interpreter_state( - &mut self, - inputs: GenerationInputs, - kernel_hash: H256, - kernel_code_len: usize, - ) { - let tries = &inputs.tries; - - // Set state's inputs. - self.generation_state.inputs = inputs.clone(); - - // Initialize the MPT's pointers. - let (trie_root_ptrs, trie_data) = - load_all_mpts(tries).expect("Invalid MPT data for preinitialization"); - let trie_roots_after = &inputs.trie_roots_after; - self.generation_state.trie_root_ptrs = trie_root_ptrs; - - // Initialize the `TrieData` segment. - for (i, data) in trie_data.iter().enumerate() { - let trie_addr = MemoryAddress::new(0, Segment::TrieData, i); - self.generation_state.memory.set(trie_addr, data.into()); - } - - // Update the RLP and withdrawal prover inputs. - let rlp_prover_inputs = - all_rlp_prover_inputs_reversed(inputs.clone().signed_txn.as_ref().unwrap_or(&vec![])); - let withdrawal_prover_inputs = all_withdrawals_prover_inputs_reversed(&inputs.withdrawals); - self.generation_state.rlp_prover_inputs = rlp_prover_inputs; - self.generation_state.withdrawal_prover_inputs = withdrawal_prover_inputs; - - // Set `GlobalMetadata` values. - let metadata = &inputs.block_metadata; - let global_metadata_to_set = [ - ( - GlobalMetadata::BlockBeneficiary, - U256::from_big_endian(&metadata.block_beneficiary.0), - ), - (GlobalMetadata::BlockTimestamp, metadata.block_timestamp), - (GlobalMetadata::BlockNumber, metadata.block_number), - (GlobalMetadata::BlockDifficulty, metadata.block_difficulty), - ( - GlobalMetadata::BlockRandom, - metadata.block_random.into_uint(), - ), - (GlobalMetadata::BlockGasLimit, metadata.block_gaslimit), - (GlobalMetadata::BlockChainId, metadata.block_chain_id), - (GlobalMetadata::BlockBaseFee, metadata.block_base_fee), - ( - GlobalMetadata::BlockCurrentHash, - h2u(inputs.block_hashes.cur_hash), - ), - (GlobalMetadata::BlockGasUsed, metadata.block_gas_used), - (GlobalMetadata::BlockGasUsedBefore, inputs.gas_used_before), - (GlobalMetadata::BlockGasUsedAfter, inputs.gas_used_after), - (GlobalMetadata::TxnNumberBefore, inputs.txn_number_before), - ( - GlobalMetadata::TxnNumberAfter, - inputs.txn_number_before + if inputs.signed_txn.is_some() { 1 } else { 0 }, - ), - ( - GlobalMetadata::StateTrieRootDigestBefore, - h2u(tries.state_trie.hash()), - ), - ( - GlobalMetadata::TransactionTrieRootDigestBefore, - h2u(tries.transactions_trie.hash()), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestBefore, - h2u(tries.receipts_trie.hash()), - ), - ( - GlobalMetadata::StateTrieRootDigestAfter, - h2u(trie_roots_after.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestAfter, - h2u(trie_roots_after.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestAfter, - h2u(trie_roots_after.receipts_root), - ), - (GlobalMetadata::KernelHash, h2u(kernel_hash)), - (GlobalMetadata::KernelLen, kernel_code_len.into()), - ]; - - self.set_global_metadata_multi_fields(&global_metadata_to_set); - - // Set final block bloom values. - let final_block_bloom_fields = (0..8) - .map(|i| { - ( - MemoryAddress::new_u256s( - U256::zero(), - (Segment::GlobalBlockBloom.unscale()).into(), - i.into(), - ) - .unwrap(), - metadata.block_bloom[i], - ) - }) - .collect::>(); - - self.set_memory_multi_addresses(&final_block_bloom_fields); - - // Set previous block hash. - let block_hashes_fields = (0..256) - .map(|i| { - ( - MemoryAddress::new_u256s( - U256::zero(), - (Segment::BlockHashes.unscale()).into(), - i.into(), - ) - .unwrap(), - h2u(inputs.block_hashes.prev_hashes[i]), - ) - }) - .collect::>(); - - self.set_memory_multi_addresses(&block_hashes_fields); - } - - fn checkpoint(&self) -> InterpreterCheckpoint { - let registers = InterpreterRegistersState { - kernel_mode: self.is_kernel(), - context: self.context(), - registers: self.generation_state.registers, - }; - InterpreterCheckpoint { - registers, - mem_len: self.memops.len(), - } - } - - fn roll_memory_back(&mut self, len: usize) { - // We roll the memory back until `memops` reaches length `len`. - debug_assert!(self.memops.len() >= len); - while self.memops.len() > len { - if let Some(op) = self.memops.pop() { - match op { - InterpreterMemOpKind::Push(context) => { - self.generation_state.memory.contexts[context].segments - [Segment::Stack.unscale()] - .content - .pop(); - } - InterpreterMemOpKind::Pop(value, context) => { - self.generation_state.memory.contexts[context].segments - [Segment::Stack.unscale()] - .content - .push(value) - } - InterpreterMemOpKind::Write(value, context, segment, offset) => { - self.generation_state.memory.contexts[context].segments - [segment >> SEGMENT_SCALING_FACTOR] // we need to unscale the segment value - .content[offset] = value - } - } - } - } - } - - fn rollback(&mut self, checkpoint: InterpreterCheckpoint) { - let InterpreterRegistersState { - kernel_mode, - context, - registers, - } = checkpoint.registers; - self.set_is_kernel(kernel_mode); - self.set_context(context); - self.generation_state.registers = registers; - self.roll_memory_back(checkpoint.mem_len); - } - - fn handle_error(&mut self, err: ProgramError) -> anyhow::Result<()> { - let exc_code: u8 = match err { - ProgramError::OutOfGas => 0, - ProgramError::InvalidOpcode => 1, - ProgramError::StackUnderflow => 2, - ProgramError::InvalidJumpDestination => 3, - ProgramError::InvalidJumpiDestination => 4, - ProgramError::StackOverflow => 5, - _ => bail!("TODO: figure out what to do with this..."), - }; - - self.run_exception(exc_code) - .map_err(|_| anyhow::Error::msg("error handling errored...")) - } - - pub(crate) fn run(&mut self) -> anyhow::Result<()> { - self.running = true; - while self.running { - let pc = self.generation_state.registers.program_counter; - if self.is_kernel() && self.halt_offsets.contains(&pc) { - return Ok(()); - }; - - let checkpoint = self.checkpoint(); - let result = self.run_opcode(); - match result { - Ok(()) => Ok(()), - Err(e) => { - if self.is_kernel() { - let offset_name = - KERNEL.offset_name(self.generation_state.registers.program_counter); - bail!( - "{:?} in kernel at pc={}, stack={:?}, memory={:?}", - e, - offset_name, - self.stack(), - self.generation_state.memory.contexts[0].segments - [Segment::KernelGeneral.unscale()] - .content, - ); - } - self.rollback(checkpoint); - self.handle_error(e) - } - }?; - } - println!("Opcode count:"); - for i in 0..0x100 { - if self.opcode_count[i] > 0 { - println!("{}: {}", get_mnemonic(i as u8), self.opcode_count[i]) - } - } - println!("Total: {}", self.opcode_count.into_iter().sum::()); - Ok(()) - } - - fn code(&self) -> &MemorySegmentState { - // The context is 0 if we are in kernel mode. - &self.generation_state.memory.contexts[(1 - self.is_kernel() as usize) * self.context()] - .segments[Segment::Code.unscale()] - } - - fn code_slice(&self, n: usize) -> Vec { - let pc = self.generation_state.registers.program_counter; - self.code().content[pc..pc + n] - .iter() - .map(|u256| u256.byte(0)) - .collect::>() - } - - pub(crate) fn get_txn_field(&self, field: NormalizedTxnField) -> U256 { - // These fields are already scaled by their respective segment. - self.generation_state.memory.contexts[0].segments[Segment::TxnFields.unscale()] - .get(field.unscale()) - } - - pub(crate) fn set_txn_field(&mut self, field: NormalizedTxnField, value: U256) { - // These fields are already scaled by their respective segment. - self.generation_state.memory.contexts[0].segments[Segment::TxnFields.unscale()] - .set(field.unscale(), value); - } - - pub(crate) fn get_txn_data(&self) -> &[U256] { - &self.generation_state.memory.contexts[0].segments[Segment::TxnData.unscale()].content - } - - pub(crate) fn get_context_metadata_field(&self, ctx: usize, field: ContextMetadata) -> U256 { - // These fields are already scaled by their respective segment. - self.generation_state.memory.contexts[ctx].segments[Segment::ContextMetadata.unscale()] - .get(field.unscale()) - } - - pub(crate) fn set_context_metadata_field( - &mut self, - ctx: usize, - field: ContextMetadata, - value: U256, - ) { - // These fields are already scaled by their respective segment. - self.generation_state.memory.contexts[ctx].segments[Segment::ContextMetadata.unscale()] - .set(field.unscale(), value) - } - - pub(crate) fn get_global_metadata_field(&self, field: GlobalMetadata) -> U256 { - // These fields are already scaled by their respective segment. - let field = field.unscale(); - self.generation_state.memory.contexts[0].segments[Segment::GlobalMetadata.unscale()] - .get(field) - } - - pub(crate) fn set_global_metadata_field(&mut self, field: GlobalMetadata, value: U256) { - // These fields are already scaled by their respective segment. - let field = field.unscale(); - self.generation_state.memory.contexts[0].segments[Segment::GlobalMetadata.unscale()] - .set(field, value) - } - - pub(crate) fn set_global_metadata_multi_fields(&mut self, metadata: &[(GlobalMetadata, U256)]) { - for &(field, value) in metadata { - let field = field.unscale(); - self.generation_state.memory.contexts[0].segments[Segment::GlobalMetadata.unscale()] - .set(field, value); - } - } - - pub(crate) fn get_trie_data(&self) -> &[U256] { - &self.generation_state.memory.contexts[0].segments[Segment::TrieData.unscale()].content - } - - pub(crate) fn get_trie_data_mut(&mut self) -> &mut Vec { - &mut self.generation_state.memory.contexts[0].segments[Segment::TrieData.unscale()].content - } - - pub(crate) fn get_memory_segment(&self, segment: Segment) -> Vec { - self.generation_state.memory.contexts[0].segments[segment.unscale()] - .content - .clone() - } - - pub(crate) fn get_memory_segment_bytes(&self, segment: Segment) -> Vec { - self.generation_state.memory.contexts[0].segments[segment.unscale()] - .content - .iter() - .map(|x| x.low_u32() as u8) - .collect() - } - - pub(crate) fn get_current_general_memory(&self) -> Vec { - self.generation_state.memory.contexts[self.context()].segments - [Segment::KernelGeneral.unscale()] - .content - .clone() - } - - pub(crate) fn get_kernel_general_memory(&self) -> Vec { - self.get_memory_segment(Segment::KernelGeneral) - } - - pub(crate) fn get_rlp_memory(&self) -> Vec { - self.get_memory_segment_bytes(Segment::RlpRaw) - } - - pub(crate) fn set_current_general_memory(&mut self, memory: Vec) { - let context = self.context(); - self.generation_state.memory.contexts[context].segments[Segment::KernelGeneral.unscale()] - .content = memory; - } - - pub(crate) fn set_memory_segment(&mut self, segment: Segment, memory: Vec) { - self.generation_state.memory.contexts[0].segments[segment.unscale()].content = memory; - } - - pub(crate) fn set_memory_segment_bytes(&mut self, segment: Segment, memory: Vec) { - self.generation_state.memory.contexts[0].segments[segment.unscale()].content = - memory.into_iter().map(U256::from).collect(); - } - - pub(crate) fn set_rlp_memory(&mut self, rlp: Vec) { - self.set_memory_segment_bytes(Segment::RlpRaw, rlp) - } - - pub(crate) fn set_code(&mut self, context: usize, code: Vec) { - assert_ne!(context, 0, "Can't modify kernel code."); - while self.generation_state.memory.contexts.len() <= context { - self.generation_state - .memory - .contexts - .push(MemoryContextState::default()); - } - self.generation_state.memory.set( - MemoryAddress::new( - context, - Segment::ContextMetadata, - ContextMetadata::CodeSize.unscale(), - ), - code.len().into(), - ); - self.generation_state.memory.contexts[context].segments[Segment::Code.unscale()].content = - code.into_iter().map(U256::from).collect(); - } - - pub(crate) fn set_memory_multi_addresses(&mut self, addrs: &[(MemoryAddress, U256)]) { - for &(addr, val) in addrs { - self.generation_state.memory.set(addr, val); - } - } - - pub(crate) fn get_jumpdest_bits(&self, context: usize) -> Vec { - self.generation_state.memory.contexts[context].segments[Segment::JumpdestBits.unscale()] - .content - .iter() - .map(|x| x.bit(0)) - .collect() - } - - pub(crate) fn set_jumpdest_analysis_inputs(&mut self, jumps: HashMap>) { - self.generation_state.set_jumpdest_analysis_inputs(jumps); - } - - pub(crate) fn incr(&mut self, n: usize) { - self.generation_state.registers.program_counter += n; - } - - pub(crate) fn stack(&self) -> Vec { - match self.stack_len().cmp(&1) { - Ordering::Greater => { - let mut stack = self.generation_state.memory.contexts[self.context()].segments - [Segment::Stack.unscale()] - .content - .clone(); - stack.truncate(self.stack_len() - 1); - stack.push( - self.stack_top() - .expect("The stack is checked to be nonempty"), - ); - stack - } - Ordering::Equal => { - vec![self - .stack_top() - .expect("The stack is checked to be nonempty")] - } - Ordering::Less => { - vec![] - } - } - } - fn stack_segment_mut(&mut self) -> &mut Vec { - let context = self.context(); - &mut self.generation_state.memory.contexts[context].segments[Segment::Stack.unscale()] - .content - } - - pub(crate) fn extract_kernel_memory(self, segment: Segment, range: Range) -> Vec { - let mut output: Vec = vec![]; - for i in range { - let term = self - .generation_state - .memory - .get(MemoryAddress::new(0, segment, i)); - output.push(term); - } - output - } - - pub(crate) fn push(&mut self, x: U256) -> Result<(), ProgramError> { - if !self.is_kernel() && self.stack_len() >= MAX_USER_STACK_SIZE { - return Err(ProgramError::StackOverflow); - } - if self.stack_len() > 0 { - let top = self - .stack_top() - .expect("The stack is checked to be nonempty"); - let cur_len = self.stack_len(); - let stack_addr = MemoryAddress::new(self.context(), Segment::Stack, cur_len - 1); - self.generation_state.memory.set(stack_addr, top); - } - self.generation_state.registers.stack_top = x; - self.generation_state.registers.stack_len += 1; - self.memops.push(InterpreterMemOpKind::Push(self.context())); - - Ok(()) - } - - fn push_bool(&mut self, x: bool) -> Result<(), ProgramError> { - self.push(if x { U256::one() } else { U256::zero() }) - } - - pub(crate) fn pop(&mut self) -> Result { - let result = stack_peek(&self.generation_state, 0); - - if let Ok(val) = result { - self.memops - .push(InterpreterMemOpKind::Pop(val, self.context())); - } - if self.stack_len() > 1 { - let top = stack_peek(&self.generation_state, 1).unwrap(); - self.generation_state.registers.stack_top = top; - } - self.generation_state.registers.stack_len -= 1; - - result - } - - fn run_opcode(&mut self) -> Result<(), ProgramError> { - let opcode = self - .code() - .get(self.generation_state.registers.program_counter) - .byte(0); - self.opcode_count[opcode as usize] += 1; - self.incr(1); - match opcode { - 0x00 => self.run_syscall(opcode, 0, false), // "STOP", - 0x01 => self.run_add(), // "ADD", - 0x02 => self.run_mul(), // "MUL", - 0x03 => self.run_sub(), // "SUB", - 0x04 => self.run_div(), // "DIV", - 0x05 => self.run_syscall(opcode, 2, false), // "SDIV", - 0x06 => self.run_mod(), // "MOD", - 0x07 => self.run_syscall(opcode, 2, false), // "SMOD", - 0x08 => self.run_addmod(), // "ADDMOD", - 0x09 => self.run_mulmod(), // "MULMOD", - 0x0a => self.run_syscall(opcode, 2, false), // "EXP", - 0x0b => self.run_syscall(opcode, 2, false), // "SIGNEXTEND", - 0x0c => self.run_addfp254(), // "ADDFP254", - 0x0d => self.run_mulfp254(), // "MULFP254", - 0x0e => self.run_subfp254(), // "SUBFP254", - 0x0f => self.run_submod(), // "SUBMOD", - 0x10 => self.run_lt(), // "LT", - 0x11 => self.run_gt(), // "GT", - 0x12 => self.run_syscall(opcode, 2, false), // "SLT", - 0x13 => self.run_syscall(opcode, 2, false), // "SGT", - 0x14 => self.run_eq(), // "EQ", - 0x15 => self.run_iszero(), // "ISZERO", - 0x16 => self.run_and(), // "AND", - 0x17 => self.run_or(), // "OR", - 0x18 => self.run_xor(), // "XOR", - 0x19 => self.run_not(), // "NOT", - 0x1a => self.run_byte(), // "BYTE", - 0x1b => self.run_shl(), // "SHL", - 0x1c => self.run_shr(), // "SHR", - 0x1d => self.run_syscall(opcode, 2, false), // "SAR", - 0x20 => self.run_syscall(opcode, 2, false), // "KECCAK256", - 0x21 => self.run_keccak_general(), // "KECCAK_GENERAL", - 0x30 => self.run_syscall(opcode, 0, true), // "ADDRESS", - 0x31 => self.run_syscall(opcode, 1, false), // "BALANCE", - 0x32 => self.run_syscall(opcode, 0, true), // "ORIGIN", - 0x33 => self.run_syscall(opcode, 0, true), // "CALLER", - 0x34 => self.run_syscall(opcode, 0, true), // "CALLVALUE", - 0x35 => self.run_syscall(opcode, 1, false), // "CALLDATALOAD", - 0x36 => self.run_syscall(opcode, 0, true), // "CALLDATASIZE", - 0x37 => self.run_syscall(opcode, 3, false), // "CALLDATACOPY", - 0x38 => self.run_syscall(opcode, 0, true), // "CODESIZE", - 0x39 => self.run_syscall(opcode, 3, false), // "CODECOPY", - 0x3a => self.run_syscall(opcode, 0, true), // "GASPRICE", - 0x3b => self.run_syscall(opcode, 1, false), // "EXTCODESIZE", - 0x3c => self.run_syscall(opcode, 4, false), // "EXTCODECOPY", - 0x3d => self.run_syscall(opcode, 0, true), // "RETURNDATASIZE", - 0x3e => self.run_syscall(opcode, 3, false), // "RETURNDATACOPY", - 0x3f => self.run_syscall(opcode, 1, false), // "EXTCODEHASH", - 0x40 => self.run_syscall(opcode, 1, false), // "BLOCKHASH", - 0x41 => self.run_syscall(opcode, 0, true), // "COINBASE", - 0x42 => self.run_syscall(opcode, 0, true), // "TIMESTAMP", - 0x43 => self.run_syscall(opcode, 0, true), // "NUMBER", - 0x44 => self.run_syscall(opcode, 0, true), // "DIFFICULTY", - 0x45 => self.run_syscall(opcode, 0, true), // "GASLIMIT", - 0x46 => self.run_syscall(opcode, 0, true), // "CHAINID", - 0x47 => self.run_syscall(opcode, 0, true), // SELFABALANCE, - 0x48 => self.run_syscall(opcode, 0, true), // "BASEFEE", - 0x49 => self.run_prover_input(), // "PROVER_INPUT", - 0x50 => self.run_pop(), // "POP", - 0x51 => self.run_syscall(opcode, 1, false), // "MLOAD", - 0x52 => self.run_syscall(opcode, 2, false), // "MSTORE", - 0x53 => self.run_syscall(opcode, 2, false), // "MSTORE8", - 0x54 => self.run_syscall(opcode, 1, false), // "SLOAD", - 0x55 => self.run_syscall(opcode, 2, false), // "SSTORE", - 0x56 => self.run_jump(), // "JUMP", - 0x57 => self.run_jumpi(), // "JUMPI", - 0x58 => self.run_pc(), // "PC", - 0x59 => self.run_syscall(opcode, 0, true), // "MSIZE", - 0x5a => self.run_syscall(opcode, 0, true), // "GAS", - 0x5b => self.run_jumpdest(), // "JUMPDEST", - x if (0x5f..0x80).contains(&x) => self.run_push(x - 0x5f), // "PUSH" - x if (0x80..0x90).contains(&x) => self.run_dup(x - 0x7f), // "DUP" - x if (0x90..0xa0).contains(&x) => self.run_swap(x - 0x8f), // "SWAP" - 0xa0 => self.run_syscall(opcode, 2, false), // "LOG0", - 0xa1 => self.run_syscall(opcode, 3, false), // "LOG1", - 0xa2 => self.run_syscall(opcode, 4, false), // "LOG2", - 0xa3 => self.run_syscall(opcode, 5, false), // "LOG3", - 0xa4 => self.run_syscall(opcode, 6, false), // "LOG4", - 0xa5 => { - log::warn!( - "Kernel panic at {}, stack = {:?}, memory = {:?}", - KERNEL.offset_name(self.generation_state.registers.program_counter), - self.stack(), - self.get_kernel_general_memory() - ); - Err(ProgramError::KernelPanic) - } // "PANIC", - x if (0xc0..0xe0).contains(&x) => self.run_mstore_32bytes(x - 0xc0 + 1), // "MSTORE_32BYTES", - 0xf0 => self.run_syscall(opcode, 3, false), // "CREATE", - 0xf1 => self.run_syscall(opcode, 7, false), // "CALL", - 0xf2 => self.run_syscall(opcode, 7, false), // "CALLCODE", - 0xf3 => self.run_syscall(opcode, 2, false), // "RETURN", - 0xf4 => self.run_syscall(opcode, 6, false), // "DELEGATECALL", - 0xf5 => self.run_syscall(opcode, 4, false), // "CREATE2", - 0xf6 => self.run_get_context(), // "GET_CONTEXT", - 0xf7 => self.run_set_context(), // "SET_CONTEXT", - 0xf8 => self.run_mload_32bytes(), // "MLOAD_32BYTES", - 0xf9 => self.run_exit_kernel(), // "EXIT_KERNEL", - 0xfa => self.run_syscall(opcode, 6, false), // "STATICCALL", - 0xfb => self.run_mload_general(), // "MLOAD_GENERAL", - 0xfc => self.run_mstore_general(), // "MSTORE_GENERAL", - 0xfd => self.run_syscall(opcode, 2, false), // "REVERT", - 0xfe => { - log::warn!( - "Invalid opcode at {}", - KERNEL.offset_name(self.generation_state.registers.program_counter), - ); - Err(ProgramError::InvalidOpcode) - } // "INVALID", - 0xff => self.run_syscall(opcode, 1, false), // "SELFDESTRUCT", - _ => { - log::warn!( - "Unrecognized opcode at {}", - KERNEL.offset_name(self.generation_state.registers.program_counter), - ); - Err(ProgramError::InvalidOpcode) - } - }?; - - if self - .debug_offsets - .contains(&self.generation_state.registers.program_counter) - { - println!("At {}, stack={:?}", self.offset_name(), self.stack()); - } else if let Some(label) = self.offset_label() { - println!("At {label}"); - } - - let op = decode(self.generation_state.registers, opcode) - // We default to prover inputs, as those are kernel-only instructions that charge nothing. - .unwrap_or(Operation::ProverInput); - self.generation_state.registers.gas_used += gas_to_charge(op); - - if !self.is_kernel() { - let gas_limit_address = MemoryAddress { - context: self.context(), - segment: Segment::ContextMetadata.unscale(), - virt: ContextMetadata::GasLimit.unscale(), - }; - let gas_limit = - u256_to_usize(self.generation_state.memory.get(gas_limit_address))? as u64; - if self.generation_state.registers.gas_used > gas_limit { - return Err(ProgramError::OutOfGas); - } - } - - Ok(()) - } - - fn offset_name(&self) -> String { - KERNEL.offset_name(self.generation_state.registers.program_counter) - } - - fn offset_label(&self) -> Option { - KERNEL.offset_label(self.generation_state.registers.program_counter) - } - - fn run_add(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x.overflowing_add(y).0) - } - - fn run_mul(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x.overflowing_mul(y).0) - } - - fn run_sub(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x.overflowing_sub(y).0) - } - - fn run_addfp254(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()? % BN_BASE; - let y = self.pop()? % BN_BASE; - // BN_BASE is 254-bit so addition can't overflow - self.push((x + y) % BN_BASE) - } - - fn run_mulfp254(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push( - U256::try_from(x.full_mul(y) % BN_BASE) - .expect("BN_BASE is 254 bit so the U512 fits in a U256"), - ) - } - - fn run_subfp254(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()? % BN_BASE; - let y = self.pop()? % BN_BASE; - // BN_BASE is 254-bit so addition can't overflow - self.push((x + (BN_BASE - y)) % BN_BASE) - } - - fn run_div(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(if y.is_zero() { U256::zero() } else { x / y }) - } - - fn run_mod(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(if y.is_zero() { U256::zero() } else { x % y }) - } - - fn run_addmod(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - let z = self.pop()?; - self.push(if z.is_zero() { - z - } else { - let (x, y, z) = (U512::from(x), U512::from(y), U512::from(z)); - U256::try_from((x + y) % z) - .expect("Inputs are U256 and their sum mod a U256 fits in a U256.") - }) - } - - fn run_submod(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - let z = self.pop()?; - self.push(if z.is_zero() { - z - } else { - let (x, y, z) = (U512::from(x), U512::from(y), U512::from(z)); - U256::try_from((z + x - y) % z) - .expect("Inputs are U256 and their difference mod a U256 fits in a U256.") - }) - } - - fn run_mulmod(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - let z = self.pop()?; - self.push(if z.is_zero() { - z - } else { - U256::try_from(x.full_mul(y) % z) - .expect("Inputs are U256 and their product mod a U256 fits in a U256.") - }) - } - - fn run_lt(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push_bool(x < y) - } - - fn run_gt(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push_bool(x > y) - } - - fn run_eq(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push_bool(x == y) - } - - fn run_iszero(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - self.push_bool(x.is_zero()) - } - - fn run_and(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x & y) - } - - fn run_or(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x | y) - } - - fn run_xor(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let y = self.pop()?; - self.push(x ^ y) - } - - fn run_not(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - self.push(!x) - } - - fn run_byte(&mut self) -> anyhow::Result<(), ProgramError> { - let i = self.pop()?; - let x = self.pop()?; - let result = if i < 32.into() { - x.byte(31 - i.as_usize()) - } else { - 0 - }; - self.push(result.into()) - } - - fn run_shl(&mut self) -> anyhow::Result<(), ProgramError> { - let shift = self.pop()?; - let value = self.pop()?; - self.push(if shift < U256::from(256usize) { - value << shift - } else { - U256::zero() - }) - } - - fn run_shr(&mut self) -> anyhow::Result<(), ProgramError> { - let shift = self.pop()?; - let value = self.pop()?; - self.push(value >> shift) - } - - fn run_keccak_general(&mut self) -> anyhow::Result<(), ProgramError> { - let addr = self.pop()?; - let (context, segment, offset) = unpack_address!(addr); - - let size = self.pop()?.as_usize(); - let bytes = (offset..offset + size) - .map(|i| { - self.generation_state - .memory - .mload_general(context, segment, i) - .byte(0) - }) - .collect::>(); - println!("Hashing {:?}", &bytes); - let hash = keccak(bytes); - self.push(U256::from_big_endian(hash.as_bytes())) - } - - fn run_prover_input(&mut self) -> Result<(), ProgramError> { - let prover_input_fn = self - .prover_inputs_map - .get(&(self.generation_state.registers.program_counter - 1)) - .ok_or(ProgramError::ProverInputError( - ProverInputError::InvalidMptInput, - ))?; - let output = self.generation_state.prover_input(prover_input_fn)?; - self.push(output) - } - - fn run_pop(&mut self) -> anyhow::Result<(), ProgramError> { - self.pop().map(|_| ()) - } - - fn run_syscall( - &mut self, - opcode: u8, - stack_values_read: usize, - stack_len_increased: bool, - ) -> Result<(), ProgramError> { - TryInto::::try_into(self.generation_state.registers.gas_used) - .map_err(|_| ProgramError::GasLimitError)?; - if self.generation_state.registers.stack_len < stack_values_read { - return Err(ProgramError::StackUnderflow); - } - - if stack_len_increased - && !self.is_kernel() - && self.generation_state.registers.stack_len >= MAX_USER_STACK_SIZE - { - return Err(ProgramError::StackOverflow); - }; - - let handler_jumptable_addr = KERNEL.global_labels["syscall_jumptable"]; - let handler_addr = { - let offset = handler_jumptable_addr + (opcode as usize) * (BYTES_PER_OFFSET as usize); - self.get_memory_segment(Segment::Code)[offset..offset + 3] - .iter() - .fold(U256::from(0), |acc, &elt| acc * (1 << 8) + elt) - }; - - let new_program_counter = - u256_to_usize(handler_addr).map_err(|_| ProgramError::IntegerTooLarge)?; - - let syscall_info = U256::from(self.generation_state.registers.program_counter) - + U256::from((self.is_kernel() as usize) << 32) - + (U256::from(self.generation_state.registers.gas_used) << 192); - self.generation_state.registers.program_counter = new_program_counter; - - self.set_is_kernel(true); - self.generation_state.registers.gas_used = 0; - self.push(syscall_info) - } - - fn set_jumpdest_bit(&mut self, x: U256) -> U256 { - if self.generation_state.memory.contexts[self.context()].segments - [Segment::JumpdestBits.unscale()] - .content - .len() - > x.low_u32() as usize - { - self.generation_state.memory.get(MemoryAddress { - context: self.context(), - segment: Segment::JumpdestBits.unscale(), - virt: x.low_u32() as usize, - }) - } else { - 0.into() - } - } - fn run_jump(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - - let jumpdest_bit = self.set_jumpdest_bit(x); - - // Check that the destination is valid. - let x: u32 = x - .try_into() - .map_err(|_| ProgramError::InvalidJumpDestination)?; - - if !self.is_kernel() && jumpdest_bit != U256::one() { - return Err(ProgramError::InvalidJumpDestination); - } - - self.jump_to(x as usize, false) - } - - fn run_jumpi(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let b = self.pop()?; - if !b.is_zero() { - let x: u32 = x - .try_into() - .map_err(|_| ProgramError::InvalidJumpiDestination)?; - self.jump_to(x as usize, true)?; - } - let jumpdest_bit = self.set_jumpdest_bit(x); - - if !b.is_zero() && !self.is_kernel() && jumpdest_bit != U256::one() { - return Err(ProgramError::InvalidJumpiDestination); - } - Ok(()) - } - - fn run_pc(&mut self) -> anyhow::Result<(), ProgramError> { - self.push( - (self - .generation_state - .registers - .program_counter - .saturating_sub(1)) - .into(), - ) - } - - fn run_jumpdest(&mut self) -> anyhow::Result<(), ProgramError> { - assert!(!self.is_kernel(), "JUMPDEST is not needed in kernel code"); - Ok(()) - } - - fn jump_to(&mut self, offset: usize, is_jumpi: bool) -> anyhow::Result<(), ProgramError> { - self.generation_state.registers.program_counter = offset; - - if offset == KERNEL.global_labels["observe_new_address"] { - let tip_u256 = stack_peek(&self.generation_state, 0)?; - let tip_h256 = H256::from_uint(&tip_u256); - let tip_h160 = H160::from(tip_h256); - self.generation_state.observe_address(tip_h160); - } else if offset == KERNEL.global_labels["observe_new_contract"] { - let tip_u256 = stack_peek(&self.generation_state, 0)?; - let tip_h256 = H256::from_uint(&tip_u256); - self.generation_state.observe_contract(tip_h256)?; - } - - if self.halt_offsets.contains(&offset) { - self.running = false; - } - Ok(()) - } - - fn run_push(&mut self, num_bytes: u8) -> anyhow::Result<(), ProgramError> { - let x = U256::from_big_endian(&self.code_slice(num_bytes as usize)); - self.incr(num_bytes as usize); - self.push(x) - } - - fn run_dup(&mut self, n: u8) -> anyhow::Result<(), ProgramError> { - let len = self.stack_len(); - if !self.is_kernel() && len >= MAX_USER_STACK_SIZE { - return Err(ProgramError::StackOverflow); - } - if n as usize > self.stack_len() { - return Err(ProgramError::StackUnderflow); - } - self.push(stack_peek(&self.generation_state, n as usize - 1)?) - } - - fn run_swap(&mut self, n: u8) -> anyhow::Result<(), ProgramError> { - let len = self.stack_len(); - if n as usize >= len { - return Err(ProgramError::StackUnderflow); - } - let to_swap = stack_peek(&self.generation_state, n as usize)?; - let old_value = self.stack_segment_mut()[len - n as usize - 1]; - - self.stack_segment_mut()[len - n as usize - 1] = self.stack_top()?; - let mem_write_op = InterpreterMemOpKind::Write( - old_value, - self.context(), - Segment::Stack.unscale(), - len - n as usize - 1, - ); - self.memops.push(mem_write_op); - self.generation_state.registers.stack_top = to_swap; - Ok(()) - } - - fn run_get_context(&mut self) -> anyhow::Result<(), ProgramError> { - self.push(U256::from(self.context()) << CONTEXT_SCALING_FACTOR) - } - - fn run_set_context(&mut self) -> anyhow::Result<(), ProgramError> { - let x = self.pop()?; - let new_ctx = (x >> CONTEXT_SCALING_FACTOR).as_usize(); - let sp_to_save = self.stack_len().into(); - - let old_ctx = self.context(); - - let sp_field = ContextMetadata::StackSize.unscale(); - - let old_sp_addr = MemoryAddress::new(old_ctx, Segment::ContextMetadata, sp_field); - let new_sp_addr = MemoryAddress::new(new_ctx, Segment::ContextMetadata, sp_field); - self.generation_state.memory.set(old_sp_addr, sp_to_save); - - let new_sp = self.generation_state.memory.get(new_sp_addr).as_usize(); - - if new_sp > 0 { - let new_stack_top = self.generation_state.memory.contexts[new_ctx].segments - [Segment::Stack.unscale()] - .content[new_sp - 1]; - self.generation_state.registers.stack_top = new_stack_top; - } - self.set_context(new_ctx); - self.generation_state.registers.stack_len = new_sp; - Ok(()) - } - - fn run_mload_general(&mut self) -> anyhow::Result<(), ProgramError> { - let addr = self.pop()?; - let (context, segment, offset) = unpack_address!(addr); - let value = self - .generation_state - .memory - .mload_general(context, segment, offset); - assert!(value.bits() <= segment.bit_range()); - self.push(value) - } - - fn run_mload_32bytes(&mut self) -> anyhow::Result<(), ProgramError> { - let addr = self.pop()?; - let (context, segment, offset) = unpack_address!(addr); - let len = self.pop()?.as_usize(); - if len > 32 { - return Err(ProgramError::IntegerTooLarge); - } - let bytes: Vec = (0..len) - .map(|i| { - self.generation_state - .memory - .mload_general(context, segment, offset + i) - .low_u32() as u8 - }) - .collect(); - let value = U256::from_big_endian(&bytes); - self.push(value) - } - - fn run_mstore_general(&mut self) -> anyhow::Result<(), ProgramError> { - let value = self.pop()?; - let addr = self.pop()?; - let (context, segment, offset) = unpack_address!(addr); - let memop = self - .generation_state - .memory - .mstore_general(context, segment, offset, value); - self.memops.push(memop); - Ok(()) - } - - fn run_mstore_32bytes(&mut self, n: u8) -> anyhow::Result<(), ProgramError> { - let addr = self.pop()?; - let (context, segment, offset) = unpack_address!(addr); - let value = self.pop()?; - - let mut bytes = vec![0; 32]; - value.to_little_endian(&mut bytes); - bytes.resize(n as usize, 0); - bytes.reverse(); - - for (i, &byte) in bytes.iter().enumerate() { - let memop = self.generation_state.memory.mstore_general( - context, - segment, - offset + i, - byte.into(), - ); - self.memops.push(memop); - } - - self.push(addr + U256::from(n)) - } - - fn run_exit_kernel(&mut self) -> anyhow::Result<(), ProgramError> { - let kexit_info = self.pop()?; - - let kexit_info_u64 = kexit_info.0[0]; - let program_counter = kexit_info_u64 as u32 as usize; - let is_kernel_mode_val = (kexit_info_u64 >> 32) as u32; - assert!(is_kernel_mode_val == 0 || is_kernel_mode_val == 1); - let is_kernel_mode = is_kernel_mode_val != 0; - let gas_used_val = kexit_info.0[3]; - TryInto::::try_into(gas_used_val).map_err(|_| ProgramError::GasLimitError)?; - - self.generation_state.registers.program_counter = program_counter; - self.set_is_kernel(is_kernel_mode); - self.generation_state.registers.gas_used = gas_used_val; - - Ok(()) - } - - fn run_exception(&mut self, exc_code: u8) -> Result<(), ProgramError> { - let disallowed_len = MAX_USER_STACK_SIZE + 1; - - if self.stack_len() == disallowed_len { - // This is a stack overflow that should have been caught earlier. - return Err(ProgramError::StackOverflow); - }; - - let handler_jumptable_addr = KERNEL.global_labels["exception_jumptable"]; - let handler_addr = { - let offset = handler_jumptable_addr + (exc_code as usize) * (BYTES_PER_OFFSET as usize); - assert_eq!(BYTES_PER_OFFSET, 3, "Code below assumes 3 bytes per offset"); - self.get_memory_segment(Segment::Code)[offset..offset + 3] - .iter() - .fold(U256::from(0), |acc, &elt| acc * 256 + elt) - }; - - let new_program_counter = u256_to_usize(handler_addr)?; - - let exc_info = U256::from(self.generation_state.registers.program_counter) - + (U256::from(self.generation_state.registers.gas_used) << 192); - - self.push(exc_info)?; - - // Set registers before pushing to the stack; in particular, we need to set kernel mode so we - // can't incorrectly trigger a stack overflow. However, note that we have to do it _after_ we - // make `exc_info`, which should contain the old values. - self.generation_state.registers.program_counter = new_program_counter; - self.set_is_kernel(true); - self.generation_state.registers.gas_used = 0; - - Ok(()) - } - - pub(crate) const fn stack_len(&self) -> usize { - self.generation_state.registers.stack_len - } - - pub(crate) fn stack_top(&self) -> anyhow::Result { - if self.stack_len() > 0 { - Ok(self.generation_state.registers.stack_top) - } else { - Err(ProgramError::StackUnderflow) - } - } - - pub(crate) const fn is_kernel(&self) -> bool { - self.generation_state.registers.is_kernel - } - - pub(crate) fn set_is_kernel(&mut self, is_kernel: bool) { - self.generation_state.registers.is_kernel = is_kernel - } - - pub(crate) const fn context(&self) -> usize { - self.generation_state.registers.context - } - - pub(crate) fn set_context(&mut self, context: usize) { - if context == 0 { - assert!(self.is_kernel()); - } - self.generation_state.registers.context = context; - } - - /// Writes the encoding of 0 to position @ENCODED_EMPTY_NODE_POS. - pub(crate) fn initialize_rlp_segment(&mut self) { - self.generation_state.memory.set( - MemoryAddress::new(0, Segment::RlpRaw, 0xFFFFFFFF), - 128.into(), - ) - } -} - -fn get_mnemonic(opcode: u8) -> &'static str { - match opcode { - 0x00 => "STOP", - 0x01 => "ADD", - 0x02 => "MUL", - 0x03 => "SUB", - 0x04 => "DIV", - 0x05 => "SDIV", - 0x06 => "MOD", - 0x07 => "SMOD", - 0x08 => "ADDMOD", - 0x09 => "MULMOD", - 0x0a => "EXP", - 0x0b => "SIGNEXTEND", - 0x0c => "ADDFP254", - 0x0d => "MULFP254", - 0x0e => "SUBFP254", - 0x0f => "SUBMOD", - 0x10 => "LT", - 0x11 => "GT", - 0x12 => "SLT", - 0x13 => "SGT", - 0x14 => "EQ", - 0x15 => "ISZERO", - 0x16 => "AND", - 0x17 => "OR", - 0x18 => "XOR", - 0x19 => "NOT", - 0x1a => "BYTE", - 0x1b => "SHL", - 0x1c => "SHR", - 0x1d => "SAR", - 0x20 => "KECCAK256", - 0x21 => "KECCAK_GENERAL", - 0x30 => "ADDRESS", - 0x31 => "BALANCE", - 0x32 => "ORIGIN", - 0x33 => "CALLER", - 0x34 => "CALLVALUE", - 0x35 => "CALLDATALOAD", - 0x36 => "CALLDATASIZE", - 0x37 => "CALLDATACOPY", - 0x38 => "CODESIZE", - 0x39 => "CODECOPY", - 0x3a => "GASPRICE", - 0x3b => "EXTCODESIZE", - 0x3c => "EXTCODECOPY", - 0x3d => "RETURNDATASIZE", - 0x3e => "RETURNDATACOPY", - 0x3f => "EXTCODEHASH", - 0x40 => "BLOCKHASH", - 0x41 => "COINBASE", - 0x42 => "TIMESTAMP", - 0x43 => "NUMBER", - 0x44 => "DIFFICULTY", - 0x45 => "GASLIMIT", - 0x46 => "CHAINID", - 0x48 => "BASEFEE", - 0x49 => "PROVER_INPUT", - 0x50 => "POP", - 0x51 => "MLOAD", - 0x52 => "MSTORE", - 0x53 => "MSTORE8", - 0x54 => "SLOAD", - 0x55 => "SSTORE", - 0x56 => "JUMP", - 0x57 => "JUMPI", - 0x58 => "GETPC", - 0x59 => "MSIZE", - 0x5a => "GAS", - 0x5b => "JUMPDEST", - 0x5f => "PUSH0", - 0x60 => "PUSH1", - 0x61 => "PUSH2", - 0x62 => "PUSH3", - 0x63 => "PUSH4", - 0x64 => "PUSH5", - 0x65 => "PUSH6", - 0x66 => "PUSH7", - 0x67 => "PUSH8", - 0x68 => "PUSH9", - 0x69 => "PUSH10", - 0x6a => "PUSH11", - 0x6b => "PUSH12", - 0x6c => "PUSH13", - 0x6d => "PUSH14", - 0x6e => "PUSH15", - 0x6f => "PUSH16", - 0x70 => "PUSH17", - 0x71 => "PUSH18", - 0x72 => "PUSH19", - 0x73 => "PUSH20", - 0x74 => "PUSH21", - 0x75 => "PUSH22", - 0x76 => "PUSH23", - 0x77 => "PUSH24", - 0x78 => "PUSH25", - 0x79 => "PUSH26", - 0x7a => "PUSH27", - 0x7b => "PUSH28", - 0x7c => "PUSH29", - 0x7d => "PUSH30", - 0x7e => "PUSH31", - 0x7f => "PUSH32", - 0x80 => "DUP1", - 0x81 => "DUP2", - 0x82 => "DUP3", - 0x83 => "DUP4", - 0x84 => "DUP5", - 0x85 => "DUP6", - 0x86 => "DUP7", - 0x87 => "DUP8", - 0x88 => "DUP9", - 0x89 => "DUP10", - 0x8a => "DUP11", - 0x8b => "DUP12", - 0x8c => "DUP13", - 0x8d => "DUP14", - 0x8e => "DUP15", - 0x8f => "DUP16", - 0x90 => "SWAP1", - 0x91 => "SWAP2", - 0x92 => "SWAP3", - 0x93 => "SWAP4", - 0x94 => "SWAP5", - 0x95 => "SWAP6", - 0x96 => "SWAP7", - 0x97 => "SWAP8", - 0x98 => "SWAP9", - 0x99 => "SWAP10", - 0x9a => "SWAP11", - 0x9b => "SWAP12", - 0x9c => "SWAP13", - 0x9d => "SWAP14", - 0x9e => "SWAP15", - 0x9f => "SWAP16", - 0xa0 => "LOG0", - 0xa1 => "LOG1", - 0xa2 => "LOG2", - 0xa3 => "LOG3", - 0xa4 => "LOG4", - 0xa5 => "PANIC", - 0xc0 => "MSTORE_32BYTES_1", - 0xc1 => "MSTORE_32BYTES_2", - 0xc2 => "MSTORE_32BYTES_3", - 0xc3 => "MSTORE_32BYTES_4", - 0xc4 => "MSTORE_32BYTES_5", - 0xc5 => "MSTORE_32BYTES_6", - 0xc6 => "MSTORE_32BYTES_7", - 0xc7 => "MSTORE_32BYTES_8", - 0xc8 => "MSTORE_32BYTES_9", - 0xc9 => "MSTORE_32BYTES_10", - 0xca => "MSTORE_32BYTES_11", - 0xcb => "MSTORE_32BYTES_12", - 0xcc => "MSTORE_32BYTES_13", - 0xcd => "MSTORE_32BYTES_14", - 0xce => "MSTORE_32BYTES_15", - 0xcf => "MSTORE_32BYTES_16", - 0xd0 => "MSTORE_32BYTES_17", - 0xd1 => "MSTORE_32BYTES_18", - 0xd2 => "MSTORE_32BYTES_19", - 0xd3 => "MSTORE_32BYTES_20", - 0xd4 => "MSTORE_32BYTES_21", - 0xd5 => "MSTORE_32BYTES_22", - 0xd6 => "MSTORE_32BYTES_23", - 0xd7 => "MSTORE_32BYTES_24", - 0xd8 => "MSTORE_32BYTES_25", - 0xd9 => "MSTORE_32BYTES_26", - 0xda => "MSTORE_32BYTES_27", - 0xdb => "MSTORE_32BYTES_28", - 0xdc => "MSTORE_32BYTES_29", - 0xdd => "MSTORE_32BYTES_30", - 0xde => "MSTORE_32BYTES_31", - 0xdf => "MSTORE_32BYTES_32", - 0xf0 => "CREATE", - 0xf1 => "CALL", - 0xf2 => "CALLCODE", - 0xf3 => "RETURN", - 0xf4 => "DELEGATECALL", - 0xf5 => "CREATE2", - 0xf6 => "GET_CONTEXT", - 0xf7 => "SET_CONTEXT", - 0xf8 => "MLOAD_32BYTES", - 0xf9 => "EXIT_KERNEL", - 0xfa => "STATICCALL", - 0xfb => "MLOAD_GENERAL", - 0xfc => "MSTORE_GENERAL", - 0xfd => "REVERT", - 0xfe => "INVALID", - 0xff => "SELFDESTRUCT", - _ => panic!("Unrecognized opcode {opcode}"), - } -} - -macro_rules! unpack_address { - ($addr:ident) => {{ - let offset = $addr.low_u32() as usize; - let segment = Segment::all()[($addr >> SEGMENT_SCALING_FACTOR).low_u32() as usize]; - let context = ($addr >> CONTEXT_SCALING_FACTOR).low_u32() as usize; - (context, segment, offset) - }}; -} -pub(crate) use unpack_address; - -#[cfg(test)] -mod tests { - use super::*; - use crate::memory::segments::Segment; - - #[test] - fn test_run() -> anyhow::Result<()> { - let code = vec![ - 0x60, 0x1, 0x60, 0x2, 0x1, 0x63, 0xde, 0xad, 0xbe, 0xef, 0x56, - ]; // PUSH1, 1, PUSH1, 2, ADD, PUSH4 deadbeef, JUMP - assert_eq!( - run(&code, 0, vec![], &HashMap::new())?.stack(), - &[0x3.into()], - ); - Ok(()) - } - - #[test] - fn test_run_with_memory() -> anyhow::Result<()> { - // PUSH1 0xff - // PUSH1 0 - // MSTORE - - // PUSH1 0 - // MLOAD - - // PUSH1 1 - // MLOAD - - // PUSH1 0x42 - // PUSH1 0x27 - // MSTORE8 - let code = [ - 0x60, 0xff, 0x60, 0x0, 0x52, 0x60, 0, 0x51, 0x60, 0x1, 0x51, 0x60, 0x42, 0x60, 0x27, - 0x53, - ]; - let mut interpreter = Interpreter::new_with_kernel(0, vec![]); - - interpreter.set_code(1, code.to_vec()); - - interpreter.generation_state.memory.contexts[1].segments - [Segment::ContextMetadata.unscale()] - .set(ContextMetadata::GasLimit.unscale(), 100_000.into()); - // Set context and kernel mode. - interpreter.set_context(1); - interpreter.set_is_kernel(false); - // Set memory necessary to sys_stop. - interpreter.generation_state.memory.set( - MemoryAddress::new( - 1, - Segment::ContextMetadata, - ContextMetadata::ParentProgramCounter.unscale(), - ), - 0xdeadbeefu32.into(), - ); - interpreter.generation_state.memory.set( - MemoryAddress::new( - 1, - Segment::ContextMetadata, - ContextMetadata::ParentContext.unscale(), - ), - U256::one() << CONTEXT_SCALING_FACTOR, - ); - - interpreter.run()?; - - // sys_stop returns `success` and `cum_gas_used`, that we need to pop. - interpreter.pop().expect("Stack should not be empty"); - interpreter.pop().expect("Stack should not be empty"); - - assert_eq!(interpreter.stack(), &[0xff.into(), 0xff00.into()]); - assert_eq!( - interpreter.generation_state.memory.contexts[1].segments[Segment::MainMemory.unscale()] - .get(0x27), - 0x42.into() - ); - assert_eq!( - interpreter.generation_state.memory.contexts[1].segments[Segment::MainMemory.unscale()] - .get(0x1f), - 0xff.into() - ); - Ok(()) - } -} diff --git a/evm/src/cpu/kernel/keccak_util.rs b/evm/src/cpu/kernel/keccak_util.rs deleted file mode 100644 index e1cae7c27b..0000000000 --- a/evm/src/cpu/kernel/keccak_util.rs +++ /dev/null @@ -1,59 +0,0 @@ -use tiny_keccak::keccakf; - -use crate::keccak_sponge::columns::{KECCAK_WIDTH_BYTES, KECCAK_WIDTH_U32S}; - -/// Like tiny-keccak's `keccakf`, but deals with `u32` limbs instead of `u64` limbs. -pub(crate) fn keccakf_u32s(state_u32s: &mut [u32; KECCAK_WIDTH_U32S]) { - let mut state_u64s: [u64; 25] = core::array::from_fn(|i| { - let lo = state_u32s[i * 2] as u64; - let hi = state_u32s[i * 2 + 1] as u64; - lo | (hi << 32) - }); - keccakf(&mut state_u64s); - *state_u32s = core::array::from_fn(|i| { - let u64_limb = state_u64s[i / 2]; - let is_hi = i % 2; - (u64_limb >> (is_hi * 32)) as u32 - }); -} - -/// Like tiny-keccak's `keccakf`, but deals with bytes instead of `u64` limbs. -pub(crate) fn keccakf_u8s(state_u8s: &mut [u8; KECCAK_WIDTH_BYTES]) { - let mut state_u64s: [u64; 25] = - core::array::from_fn(|i| u64::from_le_bytes(state_u8s[i * 8..][..8].try_into().unwrap())); - keccakf(&mut state_u64s); - *state_u8s = core::array::from_fn(|i| { - let u64_limb = state_u64s[i / 8]; - u64_limb.to_le_bytes()[i % 8] - }); -} - -#[cfg(test)] -mod tests { - use tiny_keccak::keccakf; - - use crate::cpu::kernel::keccak_util::{keccakf_u32s, keccakf_u8s}; - - #[test] - #[rustfmt::skip] - fn test_consistency() { - // We will hash the same data using keccakf, keccakf_u32s and keccakf_u8s. - // The inputs were randomly generated in Python. - let mut state_u64s: [u64; 25] = [0x5dc43ed05dc64048, 0x7bb9e18cdc853880, 0xc1fde300665b008f, 0xeeab85e089d5e431, 0xf7d61298e9ef27ea, 0xc2c5149d1a492455, 0x37a2f4eca0c2d2f2, 0xa35e50c015b3e85c, 0xd2daeced29446ebe, 0x245845f1bac1b98e, 0x3b3aa8783f30a9bf, 0x209ca9a81956d241, 0x8b8ea714da382165, 0x6063e67e202c6d29, 0xf4bac2ded136b907, 0xb17301b461eae65, 0xa91ff0e134ed747c, 0xcc080b28d0c20f1d, 0xf0f79cbec4fb551c, 0x25e04cb0aa930cad, 0x803113d1b541a202, 0xfaf1e4e7cd23b7ec, 0x36a03bbf2469d3b0, 0x25217341908cdfc0, 0xe9cd83f88fdcd500]; - let mut state_u32s: [u32; 50] = [0x5dc64048, 0x5dc43ed0, 0xdc853880, 0x7bb9e18c, 0x665b008f, 0xc1fde300, 0x89d5e431, 0xeeab85e0, 0xe9ef27ea, 0xf7d61298, 0x1a492455, 0xc2c5149d, 0xa0c2d2f2, 0x37a2f4ec, 0x15b3e85c, 0xa35e50c0, 0x29446ebe, 0xd2daeced, 0xbac1b98e, 0x245845f1, 0x3f30a9bf, 0x3b3aa878, 0x1956d241, 0x209ca9a8, 0xda382165, 0x8b8ea714, 0x202c6d29, 0x6063e67e, 0xd136b907, 0xf4bac2de, 0x461eae65, 0xb17301b, 0x34ed747c, 0xa91ff0e1, 0xd0c20f1d, 0xcc080b28, 0xc4fb551c, 0xf0f79cbe, 0xaa930cad, 0x25e04cb0, 0xb541a202, 0x803113d1, 0xcd23b7ec, 0xfaf1e4e7, 0x2469d3b0, 0x36a03bbf, 0x908cdfc0, 0x25217341, 0x8fdcd500, 0xe9cd83f8]; - let mut state_u8s: [u8; 200] = [0x48, 0x40, 0xc6, 0x5d, 0xd0, 0x3e, 0xc4, 0x5d, 0x80, 0x38, 0x85, 0xdc, 0x8c, 0xe1, 0xb9, 0x7b, 0x8f, 0x0, 0x5b, 0x66, 0x0, 0xe3, 0xfd, 0xc1, 0x31, 0xe4, 0xd5, 0x89, 0xe0, 0x85, 0xab, 0xee, 0xea, 0x27, 0xef, 0xe9, 0x98, 0x12, 0xd6, 0xf7, 0x55, 0x24, 0x49, 0x1a, 0x9d, 0x14, 0xc5, 0xc2, 0xf2, 0xd2, 0xc2, 0xa0, 0xec, 0xf4, 0xa2, 0x37, 0x5c, 0xe8, 0xb3, 0x15, 0xc0, 0x50, 0x5e, 0xa3, 0xbe, 0x6e, 0x44, 0x29, 0xed, 0xec, 0xda, 0xd2, 0x8e, 0xb9, 0xc1, 0xba, 0xf1, 0x45, 0x58, 0x24, 0xbf, 0xa9, 0x30, 0x3f, 0x78, 0xa8, 0x3a, 0x3b, 0x41, 0xd2, 0x56, 0x19, 0xa8, 0xa9, 0x9c, 0x20, 0x65, 0x21, 0x38, 0xda, 0x14, 0xa7, 0x8e, 0x8b, 0x29, 0x6d, 0x2c, 0x20, 0x7e, 0xe6, 0x63, 0x60, 0x7, 0xb9, 0x36, 0xd1, 0xde, 0xc2, 0xba, 0xf4, 0x65, 0xae, 0x1e, 0x46, 0x1b, 0x30, 0x17, 0xb, 0x7c, 0x74, 0xed, 0x34, 0xe1, 0xf0, 0x1f, 0xa9, 0x1d, 0xf, 0xc2, 0xd0, 0x28, 0xb, 0x8, 0xcc, 0x1c, 0x55, 0xfb, 0xc4, 0xbe, 0x9c, 0xf7, 0xf0, 0xad, 0xc, 0x93, 0xaa, 0xb0, 0x4c, 0xe0, 0x25, 0x2, 0xa2, 0x41, 0xb5, 0xd1, 0x13, 0x31, 0x80, 0xec, 0xb7, 0x23, 0xcd, 0xe7, 0xe4, 0xf1, 0xfa, 0xb0, 0xd3, 0x69, 0x24, 0xbf, 0x3b, 0xa0, 0x36, 0xc0, 0xdf, 0x8c, 0x90, 0x41, 0x73, 0x21, 0x25, 0x0, 0xd5, 0xdc, 0x8f, 0xf8, 0x83, 0xcd, 0xe9]; - - // The first output was generated using tiny-keccak; the others were derived from it. - let out_u64s: [u64; 25] = [0x8a541df597e79a72, 0x5c26b8c84faaebb3, 0xc0e8f4e67ca50497, 0x95d98a688de12dec, 0x1c837163975ffaed, 0x9481ec7ef948900e, 0x6a072c65d050a9a1, 0x3b2817da6d615bee, 0x7ffb3c4f8b94bf21, 0x85d6c418cced4a11, 0x18edbe0442884135, 0x2bf265ef3204b7fd, 0xc1e12ce30630d105, 0x8c554dbc61844574, 0x5504db652ce9e42c, 0x2217f3294d0dabe5, 0x7df8eebbcf5b74df, 0x3a56ebb61956f501, 0x7840219dc6f37cc, 0x23194159c967947, 0x9da289bf616ba14d, 0x5a90aaeeca9e9e5b, 0x885dcdc4a549b4e3, 0x46cb188c20947df7, 0x1ef285948ee3d8ab]; - let out_u32s: [u32; 50] = [0x97e79a72, 0x8a541df5, 0x4faaebb3, 0x5c26b8c8, 0x7ca50497, 0xc0e8f4e6, 0x8de12dec, 0x95d98a68, 0x975ffaed, 0x1c837163, 0xf948900e, 0x9481ec7e, 0xd050a9a1, 0x6a072c65, 0x6d615bee, 0x3b2817da, 0x8b94bf21, 0x7ffb3c4f, 0xcced4a11, 0x85d6c418, 0x42884135, 0x18edbe04, 0x3204b7fd, 0x2bf265ef, 0x630d105, 0xc1e12ce3, 0x61844574, 0x8c554dbc, 0x2ce9e42c, 0x5504db65, 0x4d0dabe5, 0x2217f329, 0xcf5b74df, 0x7df8eebb, 0x1956f501, 0x3a56ebb6, 0xdc6f37cc, 0x7840219, 0x9c967947, 0x2319415, 0x616ba14d, 0x9da289bf, 0xca9e9e5b, 0x5a90aaee, 0xa549b4e3, 0x885dcdc4, 0x20947df7, 0x46cb188c, 0x8ee3d8ab, 0x1ef28594]; - let out_u8s: [u8; 200] = [0x72, 0x9a, 0xe7, 0x97, 0xf5, 0x1d, 0x54, 0x8a, 0xb3, 0xeb, 0xaa, 0x4f, 0xc8, 0xb8, 0x26, 0x5c, 0x97, 0x4, 0xa5, 0x7c, 0xe6, 0xf4, 0xe8, 0xc0, 0xec, 0x2d, 0xe1, 0x8d, 0x68, 0x8a, 0xd9, 0x95, 0xed, 0xfa, 0x5f, 0x97, 0x63, 0x71, 0x83, 0x1c, 0xe, 0x90, 0x48, 0xf9, 0x7e, 0xec, 0x81, 0x94, 0xa1, 0xa9, 0x50, 0xd0, 0x65, 0x2c, 0x7, 0x6a, 0xee, 0x5b, 0x61, 0x6d, 0xda, 0x17, 0x28, 0x3b, 0x21, 0xbf, 0x94, 0x8b, 0x4f, 0x3c, 0xfb, 0x7f, 0x11, 0x4a, 0xed, 0xcc, 0x18, 0xc4, 0xd6, 0x85, 0x35, 0x41, 0x88, 0x42, 0x4, 0xbe, 0xed, 0x18, 0xfd, 0xb7, 0x4, 0x32, 0xef, 0x65, 0xf2, 0x2b, 0x5, 0xd1, 0x30, 0x6, 0xe3, 0x2c, 0xe1, 0xc1, 0x74, 0x45, 0x84, 0x61, 0xbc, 0x4d, 0x55, 0x8c, 0x2c, 0xe4, 0xe9, 0x2c, 0x65, 0xdb, 0x4, 0x55, 0xe5, 0xab, 0xd, 0x4d, 0x29, 0xf3, 0x17, 0x22, 0xdf, 0x74, 0x5b, 0xcf, 0xbb, 0xee, 0xf8, 0x7d, 0x1, 0xf5, 0x56, 0x19, 0xb6, 0xeb, 0x56, 0x3a, 0xcc, 0x37, 0x6f, 0xdc, 0x19, 0x2, 0x84, 0x7, 0x47, 0x79, 0x96, 0x9c, 0x15, 0x94, 0x31, 0x2, 0x4d, 0xa1, 0x6b, 0x61, 0xbf, 0x89, 0xa2, 0x9d, 0x5b, 0x9e, 0x9e, 0xca, 0xee, 0xaa, 0x90, 0x5a, 0xe3, 0xb4, 0x49, 0xa5, 0xc4, 0xcd, 0x5d, 0x88, 0xf7, 0x7d, 0x94, 0x20, 0x8c, 0x18, 0xcb, 0x46, 0xab, 0xd8, 0xe3, 0x8e, 0x94, 0x85, 0xf2, 0x1e]; - - keccakf(&mut state_u64s); - keccakf_u32s(&mut state_u32s); - keccakf_u8s(&mut state_u8s); - - assert_eq!(state_u64s, out_u64s); - assert_eq!(state_u32s, out_u32s); - assert_eq!(state_u8s, out_u8s); - } -} diff --git a/evm/src/cpu/kernel/mod.rs b/evm/src/cpu/kernel/mod.rs deleted file mode 100644 index e82474914c..0000000000 --- a/evm/src/cpu/kernel/mod.rs +++ /dev/null @@ -1,29 +0,0 @@ -pub mod aggregator; -pub mod assembler; -mod ast; -pub(crate) mod constants; -mod cost_estimator; -pub(crate) mod keccak_util; -pub mod opcodes; -mod optimizer; -mod parser; -pub mod stack; -mod utils; - -#[cfg(test)] -mod interpreter; -#[cfg(test)] -mod tests; - -use assembler::assemble; -use parser::parse; - -use crate::cpu::kernel::constants::evm_constants; - -/// Assemble files, outputting bytes. -/// This is for debugging the kernel only. -pub fn assemble_to_bytes(files: &[String]) -> Vec { - let parsed_files: Vec<_> = files.iter().map(|f| parse(f)).collect(); - let kernel = assemble(parsed_files, evm_constants(), true); - kernel.code -} diff --git a/evm/src/cpu/kernel/opcodes.rs b/evm/src/cpu/kernel/opcodes.rs deleted file mode 100644 index 538fe0a104..0000000000 --- a/evm/src/cpu/kernel/opcodes.rs +++ /dev/null @@ -1,167 +0,0 @@ -/// The opcode of the `PUSH[n]` instruction, given a byte count `n`. -pub fn get_push_opcode(n: u8) -> u8 { - assert!(n <= 32); - 0x5f + n -} - -/// The opcode of a standard instruction (not a `PUSH`). -pub fn get_opcode(mnemonic: &str) -> u8 { - match mnemonic.to_uppercase().as_str() { - "STOP" => 0x00, - "ADD" => 0x01, - "MUL" => 0x02, - "SUB" => 0x03, - "DIV" => 0x04, - "SDIV" => 0x05, - "MOD" => 0x06, - "SMOD" => 0x07, - "ADDMOD" => 0x08, - "MULMOD" => 0x09, - "EXP" => 0x0a, - "SIGNEXTEND" => 0x0b, - "ADDFP254" => 0x0c, - "MULFP254" => 0x0d, - "SUBFP254" => 0x0e, - "SUBMOD" => 0x0f, - "LT" => 0x10, - "GT" => 0x11, - "SLT" => 0x12, - "SGT" => 0x13, - "EQ" => 0x14, - "ISZERO" => 0x15, - "AND" => 0x16, - "OR" => 0x17, - "XOR" => 0x18, - "NOT" => 0x19, - "BYTE" => 0x1a, - "SHL" => 0x1b, - "SHR" => 0x1c, - "SAR" => 0x1d, - "KECCAK256" => 0x20, - "KECCAK_GENERAL" => 0x21, - "ADDRESS" => 0x30, - "BALANCE" => 0x31, - "ORIGIN" => 0x32, - "CALLER" => 0x33, - "CALLVALUE" => 0x34, - "CALLDATALOAD" => 0x35, - "CALLDATASIZE" => 0x36, - "CALLDATACOPY" => 0x37, - "CODESIZE" => 0x38, - "CODECOPY" => 0x39, - "GASPRICE" => 0x3a, - "EXTCODESIZE" => 0x3b, - "EXTCODECOPY" => 0x3c, - "RETURNDATASIZE" => 0x3d, - "RETURNDATACOPY" => 0x3e, - "EXTCODEHASH" => 0x3f, - "BLOCKHASH" => 0x40, - "COINBASE" => 0x41, - "TIMESTAMP" => 0x42, - "NUMBER" => 0x43, - "DIFFICULTY" => 0x44, - "GASLIMIT" => 0x45, - "CHAINID" => 0x46, - "BASEFEE" => 0x48, - "PROVER_INPUT" => 0x49, - "POP" => 0x50, - "MLOAD" => 0x51, - "MSTORE" => 0x52, - "MSTORE8" => 0x53, - "SLOAD" => 0x54, - "SSTORE" => 0x55, - "JUMP" => 0x56, - "JUMPI" => 0x57, - "GETPC" => 0x58, - "MSIZE" => 0x59, - "GAS" => 0x5a, - "JUMPDEST" => 0x5b, - "DUP1" => 0x80, - "DUP2" => 0x81, - "DUP3" => 0x82, - "DUP4" => 0x83, - "DUP5" => 0x84, - "DUP6" => 0x85, - "DUP7" => 0x86, - "DUP8" => 0x87, - "DUP9" => 0x88, - "DUP10" => 0x89, - "DUP11" => 0x8a, - "DUP12" => 0x8b, - "DUP13" => 0x8c, - "DUP14" => 0x8d, - "DUP15" => 0x8e, - "DUP16" => 0x8f, - "SWAP1" => 0x90, - "SWAP2" => 0x91, - "SWAP3" => 0x92, - "SWAP4" => 0x93, - "SWAP5" => 0x94, - "SWAP6" => 0x95, - "SWAP7" => 0x96, - "SWAP8" => 0x97, - "SWAP9" => 0x98, - "SWAP10" => 0x99, - "SWAP11" => 0x9a, - "SWAP12" => 0x9b, - "SWAP13" => 0x9c, - "SWAP14" => 0x9d, - "SWAP15" => 0x9e, - "SWAP16" => 0x9f, - "LOG0" => 0xa0, - "LOG1" => 0xa1, - "LOG2" => 0xa2, - "LOG3" => 0xa3, - "LOG4" => 0xa4, - "PANIC" => 0xa5, - "MSTORE_32BYTES_1" => 0xc0, - "MSTORE_32BYTES_2" => 0xc1, - "MSTORE_32BYTES_3" => 0xc2, - "MSTORE_32BYTES_4" => 0xc3, - "MSTORE_32BYTES_5" => 0xc4, - "MSTORE_32BYTES_6" => 0xc5, - "MSTORE_32BYTES_7" => 0xc6, - "MSTORE_32BYTES_8" => 0xc7, - "MSTORE_32BYTES_9" => 0xc8, - "MSTORE_32BYTES_10" => 0xc9, - "MSTORE_32BYTES_11" => 0xca, - "MSTORE_32BYTES_12" => 0xcb, - "MSTORE_32BYTES_13" => 0xcc, - "MSTORE_32BYTES_14" => 0xcd, - "MSTORE_32BYTES_15" => 0xce, - "MSTORE_32BYTES_16" => 0xcf, - "MSTORE_32BYTES_17" => 0xd0, - "MSTORE_32BYTES_18" => 0xd1, - "MSTORE_32BYTES_19" => 0xd2, - "MSTORE_32BYTES_20" => 0xd3, - "MSTORE_32BYTES_21" => 0xd4, - "MSTORE_32BYTES_22" => 0xd5, - "MSTORE_32BYTES_23" => 0xd6, - "MSTORE_32BYTES_24" => 0xd7, - "MSTORE_32BYTES_25" => 0xd8, - "MSTORE_32BYTES_26" => 0xd9, - "MSTORE_32BYTES_27" => 0xda, - "MSTORE_32BYTES_28" => 0xdb, - "MSTORE_32BYTES_29" => 0xdc, - "MSTORE_32BYTES_30" => 0xdd, - "MSTORE_32BYTES_31" => 0xde, - "MSTORE_32BYTES_32" => 0xdf, - "CREATE" => 0xf0, - "CALL" => 0xf1, - "CALLCODE" => 0xf2, - "RETURN" => 0xf3, - "DELEGATECALL" => 0xf4, - "CREATE2" => 0xf5, - "GET_CONTEXT" => 0xf6, - "SET_CONTEXT" => 0xf7, - "MLOAD_32BYTES" => 0xf8, - "EXIT_KERNEL" => 0xf9, - "STATICCALL" => 0xfa, - "MLOAD_GENERAL" => 0xfb, - "MSTORE_GENERAL" => 0xfc, - "REVERT" => 0xfd, - "INVALID" => 0xfe, - "SELFDESTRUCT" => 0xff, - _ => panic!("Unrecognized mnemonic {mnemonic}"), - } -} diff --git a/evm/src/cpu/kernel/optimizer.rs b/evm/src/cpu/kernel/optimizer.rs deleted file mode 100644 index f29c96137b..0000000000 --- a/evm/src/cpu/kernel/optimizer.rs +++ /dev/null @@ -1,285 +0,0 @@ -use ethereum_types::U256; -use Item::{Push, StandardOp}; -use PushTarget::Literal; - -use crate::cpu::kernel::ast::Item::{GlobalLabelDeclaration, LocalLabelDeclaration}; -use crate::cpu::kernel::ast::PushTarget::Label; -use crate::cpu::kernel::ast::{Item, PushTarget}; -use crate::cpu::kernel::cost_estimator::is_code_improved; -use crate::cpu::kernel::utils::{replace_windows, u256_from_bool}; - -pub(crate) fn optimize_asm(code: &mut Vec) { - // Run the optimizer until nothing changes. - loop { - let old_code = code.clone(); - optimize_asm_once(code); - if code == &old_code { - break; - } - } -} - -/// A single optimization pass. -fn optimize_asm_once(code: &mut Vec) { - constant_propagation(code); - identity_operations(code); - no_op_jumps(code); - remove_swapped_pushes(code); - remove_swaps_commutative(code); - remove_ignored_values(code); -} - -/// Constant propagation. -fn constant_propagation(code: &mut Vec) { - // Constant propagation for unary ops: `[PUSH x, UNARYOP] -> [PUSH UNARYOP(x)]` - replace_windows_if_better(code, |window| { - if let [Push(Literal(x)), StandardOp(op)] = window { - match op.as_str() { - "ISZERO" => Some(vec![Push(Literal(u256_from_bool(x.is_zero())))]), - "NOT" => Some(vec![Push(Literal(!x))]), - _ => None, - } - } else { - None - } - }); - - // Constant propagation for binary ops: `[PUSH y, PUSH x, BINOP] -> [PUSH BINOP(x, y)]` - replace_windows_if_better(code, |window| { - if let [Push(Literal(y)), Push(Literal(x)), StandardOp(op)] = window { - match op.as_str() { - "ADD" => Some(x.overflowing_add(y).0), - "SUB" => Some(x.overflowing_sub(y).0), - "MUL" => Some(x.overflowing_mul(y).0), - "DIV" => Some(x.checked_div(y).unwrap_or(U256::zero())), - "MOD" => Some(x.checked_rem(y).unwrap_or(U256::zero())), - "EXP" => Some(x.overflowing_pow(y).0), - "SHL" => Some(y << x), - "SHR" => Some(y >> x), - "AND" => Some(x & y), - "OR" => Some(x | y), - "XOR" => Some(x ^ y), - "LT" => Some(u256_from_bool(x < y)), - "GT" => Some(u256_from_bool(x > y)), - "EQ" => Some(u256_from_bool(x == y)), - "BYTE" => Some(if x < 32.into() { - y.byte(x.as_usize()).into() - } else { - U256::zero() - }), - _ => None, - } - .map(|res| vec![Push(Literal(res))]) - } else { - None - } - }); -} - -/// Remove identity operations, e.g. `[PUSH 1, MUL] -> []`. -fn identity_operations(code: &mut Vec) { - let zero = U256::zero(); - let one = U256::one(); - replace_windows(code, |window| { - if let [Push(Literal(x)), StandardOp(op)] = window { - match op.as_str() { - "ADD" => (x == zero).then_some(vec![]), - "MUL" => (x == one).then_some(vec![]), - "OR" => (x == zero).then_some(vec![]), - "XOR" => (x == zero).then_some(vec![]), - _ => None, - } - } else { - None - } - }) -} - -/// Remove no-op jumps: `[PUSH label, JUMP, label:] -> [label:]`. -fn no_op_jumps(code: &mut Vec) { - replace_windows(code, |window| { - if let [Push(Label(l)), StandardOp(jump), decl] = window - && &jump == "JUMP" - && (decl == LocalLabelDeclaration(l.clone()) || decl == GlobalLabelDeclaration(l)) - { - Some(vec![decl]) - } else { - None - } - }); -} - -/// Remove swaps: `[PUSH x, PUSH y, SWAP1] -> [PUSH y, PUSH x]`. -// Could be generalized to recognize more than two pushes. -fn remove_swapped_pushes(code: &mut Vec) { - replace_windows(code, |window| { - if let [Push(x), Push(y), StandardOp(swap1)] = window - && &swap1 == "SWAP1" - { - Some(vec![Push(y), Push(x)]) - } else { - None - } - }); -} - -/// Remove SWAP1 before a commutative function. -fn remove_swaps_commutative(code: &mut Vec) { - replace_windows(code, |window| { - if let [StandardOp(swap1), StandardOp(f)] = window - && &swap1 == "SWAP1" - { - let commutative = matches!(f.as_str(), "ADD" | "MUL" | "AND" | "OR" | "XOR" | "EQ"); - commutative.then_some(vec![StandardOp(f)]) - } else { - None - } - }); -} - -/// Remove push-pop type patterns, such as: `[DUP1, POP]`. -// Could be extended to other non-side-effecting operations, e.g. [DUP1, ADD, POP] -> [POP]. -fn remove_ignored_values(code: &mut Vec) { - replace_windows(code, |[a, b]| { - if let StandardOp(pop) = b - && &pop == "POP" - { - match a { - Push(_) => Some(vec![]), - StandardOp(dup) if dup.starts_with("DUP") => Some(vec![]), - _ => None, - } - } else { - None - } - }); -} - -/// Like `replace_windows`, but specifically for code, and only makes replacements if our cost -/// estimator thinks that the new code is more efficient. -fn replace_windows_if_better(code: &mut Vec, maybe_replace: F) -where - F: Fn([Item; W]) -> Option>, -{ - replace_windows(code, |window| { - maybe_replace(window.clone()).filter(|suggestion| is_code_improved(&window, suggestion)) - }) -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn test_constant_propagation_iszero() { - let mut code = vec![Push(Literal(3.into())), StandardOp("ISZERO".into())]; - constant_propagation(&mut code); - assert_eq!(code, vec![Push(Literal(0.into()))]); - } - - #[test] - fn test_constant_propagation_add_overflowing() { - let mut code = vec![ - Push(Literal(U256::max_value())), - Push(Literal(U256::max_value())), - StandardOp("ADD".into()), - ]; - constant_propagation(&mut code); - assert_eq!(code, vec![Push(Literal(U256::max_value() - 1))]); - } - - #[test] - fn test_constant_propagation_sub_underflowing() { - let original = vec![ - Push(Literal(U256::one())), - Push(Literal(U256::zero())), - StandardOp("SUB".into()), - ]; - let mut code = original.clone(); - constant_propagation(&mut code); - // Constant propagation could replace the code with [PUSH U256::MAX], but that's actually - // more expensive, so the code shouldn't be changed. - // (The code could also be replaced with [PUSH 0; NOT], which would be an improvement, but - // our optimizer isn't smart enough yet.) - assert_eq!(code, original); - } - - #[test] - fn test_constant_propagation_mul() { - let mut code = vec![ - Push(Literal(3.into())), - Push(Literal(4.into())), - StandardOp("MUL".into()), - ]; - constant_propagation(&mut code); - assert_eq!(code, vec![Push(Literal(12.into()))]); - } - - #[test] - fn test_constant_propagation_div() { - let mut code = vec![ - Push(Literal(3.into())), - Push(Literal(8.into())), - StandardOp("DIV".into()), - ]; - constant_propagation(&mut code); - assert_eq!(code, vec![Push(Literal(2.into()))]); - } - - #[test] - fn test_constant_propagation_div_zero() { - let mut code = vec![ - Push(Literal(0.into())), - Push(Literal(1.into())), - StandardOp("DIV".into()), - ]; - constant_propagation(&mut code); - assert_eq!(code, vec![Push(Literal(0.into()))]); - } - - #[test] - fn test_no_op_jump() { - let mut code = vec![ - Push(Label("mylabel".into())), - StandardOp("JUMP".into()), - LocalLabelDeclaration("mylabel".into()), - ]; - no_op_jumps(&mut code); - assert_eq!(code, vec![LocalLabelDeclaration("mylabel".into())]); - } - - #[test] - fn test_remove_swapped_pushes() { - let mut code = vec![ - Push(Literal("42".into())), - Push(Label("mylabel".into())), - StandardOp("SWAP1".into()), - ]; - remove_swapped_pushes(&mut code); - assert_eq!( - code, - vec![Push(Label("mylabel".into())), Push(Literal("42".into()))] - ); - } - - #[test] - fn test_remove_swap_mul() { - let mut code = vec![StandardOp("SWAP1".into()), StandardOp("MUL".into())]; - remove_swaps_commutative(&mut code); - assert_eq!(code, vec![StandardOp("MUL".into())]); - } - - #[test] - fn test_remove_push_pop() { - let mut code = vec![Push(Literal("42".into())), StandardOp("POP".into())]; - remove_ignored_values(&mut code); - assert_eq!(code, vec![]); - } - - #[test] - fn test_remove_dup_pop() { - let mut code = vec![StandardOp("DUP5".into()), StandardOp("POP".into())]; - remove_ignored_values(&mut code); - assert_eq!(code, vec![]); - } -} diff --git a/evm/src/cpu/kernel/parser.rs b/evm/src/cpu/kernel/parser.rs deleted file mode 100644 index 7864acfe0e..0000000000 --- a/evm/src/cpu/kernel/parser.rs +++ /dev/null @@ -1,210 +0,0 @@ -use std::str::FromStr; - -use ethereum_types::U256; -use pest::iterators::Pair; -use pest::Parser; - -use super::ast::{BytesTarget, StackPlaceholder}; -use crate::cpu::kernel::ast::{File, Item, PushTarget, StackReplacement}; - -/// Parses EVM assembly code. -#[derive(pest_derive::Parser)] -#[grammar = "cpu/kernel/evm_asm.pest"] -struct AsmParser; - -pub(crate) fn parse(s: &str) -> File { - let file = AsmParser::parse(Rule::file, s) - .expect("Parsing failed") - .next() - .unwrap(); - let body = file.into_inner().map(parse_item).collect(); - File { body } -} - -fn parse_item(item: Pair) -> Item { - assert_eq!(item.as_rule(), Rule::item); - let item = item.into_inner().next().unwrap(); - match item.as_rule() { - Rule::macro_def => parse_macro_def(item), - Rule::macro_call => parse_macro_call(item), - Rule::repeat => parse_repeat(item), - Rule::stack => parse_stack(item), - Rule::global_label_decl => { - Item::GlobalLabelDeclaration(item.into_inner().next().unwrap().as_str().into()) - } - Rule::local_label_decl => { - Item::LocalLabelDeclaration(item.into_inner().next().unwrap().as_str().into()) - } - Rule::macro_label_decl => { - Item::MacroLabelDeclaration(item.into_inner().next().unwrap().as_str().into()) - } - Rule::bytes_item => Item::Bytes(item.into_inner().map(parse_bytes_target).collect()), - Rule::jumptable_item => { - Item::Jumptable(item.into_inner().map(|i| i.as_str().into()).collect()) - } - Rule::push_instruction => Item::Push(parse_push_target(item.into_inner().next().unwrap())), - Rule::prover_input_instruction => Item::ProverInput( - item.into_inner() - .next() - .unwrap() - .into_inner() - .map(|x| x.as_str().into()) - .collect::>() - .into(), - ), - Rule::nullary_instruction => Item::StandardOp(item.as_str().to_uppercase()), - _ => panic!("Unexpected {:?}", item.as_rule()), - } -} - -fn parse_macro_def(item: Pair) -> Item { - assert_eq!(item.as_rule(), Rule::macro_def); - let mut inner = item.into_inner().peekable(); - - let name = inner.next().unwrap().as_str().into(); - - // The parameter list is optional. - let params = if let Some(Rule::paramlist) = inner.peek().map(|pair| pair.as_rule()) { - let params = inner.next().unwrap().into_inner(); - params.map(|param| param.as_str().to_string()).collect() - } else { - vec![] - }; - - Item::MacroDef(name, params, inner.map(parse_item).collect()) -} - -fn parse_macro_call(item: Pair) -> Item { - assert_eq!(item.as_rule(), Rule::macro_call); - let mut inner = item.into_inner(); - - let name = inner.next().unwrap().as_str().into(); - - // The arg list is optional. - let args = if let Some(arglist) = inner.next() { - assert_eq!(arglist.as_rule(), Rule::macro_arglist); - arglist.into_inner().map(parse_push_target).collect() - } else { - vec![] - }; - - Item::MacroCall(name, args) -} - -fn parse_repeat(item: Pair) -> Item { - assert_eq!(item.as_rule(), Rule::repeat); - let mut inner = item.into_inner(); - let count = parse_literal_u256(inner.next().unwrap()); - Item::Repeat(count, inner.map(parse_item).collect()) -} - -fn parse_stack(item: Pair) -> Item { - assert_eq!(item.as_rule(), Rule::stack); - let mut inner = item.into_inner(); - - let placeholders = inner.next().unwrap(); - assert_eq!(placeholders.as_rule(), Rule::stack_placeholders); - let replacements = inner.next().unwrap(); - assert_eq!(replacements.as_rule(), Rule::stack_replacements); - - let placeholders = placeholders - .into_inner() - .map(parse_stack_placeholder) - .collect(); - let replacements = replacements - .into_inner() - .map(parse_stack_replacement) - .collect(); - Item::StackManipulation(placeholders, replacements) -} - -fn parse_stack_placeholder(target: Pair) -> StackPlaceholder { - assert_eq!(target.as_rule(), Rule::stack_placeholder); - let inner = target.into_inner().next().unwrap(); - match inner.as_rule() { - Rule::identifier => StackPlaceholder(inner.as_str().into(), 1), - Rule::stack_block => { - let mut block = inner.into_inner(); - let identifier = block.next().unwrap().as_str(); - let length = block.next().unwrap().as_str().parse().unwrap(); - StackPlaceholder(identifier.to_string(), length) - } - _ => panic!("Unexpected {:?}", inner.as_rule()), - } -} - -fn parse_stack_replacement(target: Pair) -> StackReplacement { - assert_eq!(target.as_rule(), Rule::stack_replacement); - let inner = target.into_inner().next().unwrap(); - match inner.as_rule() { - Rule::identifier => StackReplacement::Identifier(inner.as_str().into()), - Rule::literal => StackReplacement::Literal(parse_literal_u256(inner)), - Rule::macro_label => { - StackReplacement::MacroLabel(inner.into_inner().next().unwrap().as_str().into()) - } - Rule::variable => { - StackReplacement::MacroVar(inner.into_inner().next().unwrap().as_str().into()) - } - Rule::constant => { - StackReplacement::Constant(inner.into_inner().next().unwrap().as_str().into()) - } - _ => panic!("Unexpected {:?}", inner.as_rule()), - } -} - -fn parse_push_target(target: Pair) -> PushTarget { - assert_eq!(target.as_rule(), Rule::push_target); - let inner = target.into_inner().next().unwrap(); - match inner.as_rule() { - Rule::literal => PushTarget::Literal(parse_literal_u256(inner)), - Rule::identifier => PushTarget::Label(inner.as_str().into()), - Rule::macro_label => { - PushTarget::MacroLabel(inner.into_inner().next().unwrap().as_str().into()) - } - Rule::variable => PushTarget::MacroVar(inner.into_inner().next().unwrap().as_str().into()), - Rule::constant => PushTarget::Constant(inner.into_inner().next().unwrap().as_str().into()), - _ => panic!("Unexpected {:?}", inner.as_rule()), - } -} - -fn parse_bytes_target(target: Pair) -> BytesTarget { - assert_eq!(target.as_rule(), Rule::bytes_target); - let inner = target.into_inner().next().unwrap(); - match inner.as_rule() { - Rule::literal => BytesTarget::Literal(parse_literal_u8(inner)), - Rule::constant => BytesTarget::Constant(inner.into_inner().next().unwrap().as_str().into()), - _ => panic!("Unexpected {:?}", inner.as_rule()), - } -} - -fn parse_literal_u8(literal: Pair) -> u8 { - let literal = literal.into_inner().next().unwrap(); - match literal.as_rule() { - Rule::literal_decimal => { - u8::from_str(literal.as_str()).expect("Failed to parse literal decimal byte") - } - Rule::literal_hex => { - u8::from_str_radix(&parse_hex(literal), 16).expect("Failed to parse literal hex byte") - } - _ => panic!("Unexpected {:?}", literal.as_rule()), - } -} - -fn parse_literal_u256(literal: Pair) -> U256 { - let literal = literal.into_inner().next().unwrap(); - match literal.as_rule() { - Rule::literal_decimal => { - U256::from_dec_str(literal.as_str()).expect("Failed to parse literal decimal") - } - Rule::literal_hex => { - U256::from_str_radix(&parse_hex(literal), 16).expect("Failed to parse literal hex") - } - _ => panic!("Unexpected {:?}", literal.as_rule()), - } -} - -fn parse_hex(hex: Pair) -> String { - let prefix = &hex.as_str()[..2]; - debug_assert!(prefix == "0x" || prefix == "0X"); - hex.as_str()[2..].to_string() -} diff --git a/evm/src/cpu/kernel/stack/mod.rs b/evm/src/cpu/kernel/stack/mod.rs deleted file mode 100644 index 4c7640e474..0000000000 --- a/evm/src/cpu/kernel/stack/mod.rs +++ /dev/null @@ -1,2 +0,0 @@ -mod permutations; -pub mod stack_manipulation; diff --git a/evm/src/cpu/kernel/stack/permutations.rs b/evm/src/cpu/kernel/stack/permutations.rs deleted file mode 100644 index 71304edd0c..0000000000 --- a/evm/src/cpu/kernel/stack/permutations.rs +++ /dev/null @@ -1,278 +0,0 @@ -//! This module contains logic for finding the optimal sequence of swaps to get from one stack state -//! to another, specifically for the case where the source and destination states are permutations -//! of one another. -//! -//! We solve the problem in three steps: -//! 1. Find a permutation `P` such that `P A = B`. -//! 2. If `A` contains duplicates, optimize `P` by reducing the number of cycles. -//! 3. Convert each cycle into a set of `(0 i)` transpositions, which correspond to swap -//! instructions in the EVM. -//! -//! We typically represent a permutation as a sequence of cycles. For example, the permutation -//! `(1 2 3)(1 2)(4 5)` acts as: -//! -//! ```ignore -//! (1 2 3)(1 2)(4 5)[A_0, A_1, A_2, A_3, A_4, A_5] = (1 2 3)(1 2)[A_0, A_1, A_2, A_3, A_5, A_4] -//! = (1 2 3)[A_0, A_2, A_1, A_3, A_5, A_4] -//! = [A_0, A_3, A_2, A_1, A_5, A_4] -//! ``` -//! -//! We typically represent a `(0 i)` transposition as a single scalar `i`. - -use core::hash::Hash; -use std::collections::{HashMap, HashSet}; - -use crate::cpu::kernel::stack::stack_manipulation::{StackItem, StackOp}; - -/// Find the optimal sequence of stack operations to get from `src` to `dst`. Assumes that `src` and -/// `dst` are permutations of one another. -pub(crate) fn get_stack_ops_for_perm(src: &[StackItem], dst: &[StackItem]) -> Vec { - // We store stacks with the tip at the end, but the permutation calls below use the opposite - // convention. They're a bit simpler when SWAP are (0 i) transposes. - let mut src = src.to_vec(); - let mut dst = dst.to_vec(); - src.reverse(); - dst.reverse(); - - let perm = find_permutation(&src, &dst); - let optimized_perm = combine_cycles(perm, &src); - let trans = permutation_to_transpositions(optimized_perm); - transpositions_to_stack_ops(trans) -} - -/// Apply the given permutation to the given list. -#[cfg(test)] -fn apply_perm(permutation: Vec>, mut lst: Vec) -> Vec { - // Run through perm in REVERSE order. - for cycl in permutation.iter().rev() { - let n = cycl.len(); - let last = lst[cycl[n - 1]].clone(); - for i in (0..n - 1).rev() { - let j = (i + 1) % n; - lst[cycl[j]] = lst[cycl[i]].clone(); - } - lst[cycl[0]] = last; - } - lst -} - -/// This function does STEP 1. -/// Given 2 lists A, B find a permutation P such that P . A = B. -pub(crate) fn find_permutation(lst_a: &[T], lst_b: &[T]) -> Vec> { - // We should check to ensure that A and B are indeed rearrangements of each other. - assert!(is_permutation(lst_a, lst_b)); - - let n = lst_a.len(); - - // Keep track of the A_i's which have been already placed into the correct position. - let mut correct_a = HashSet::new(); - - // loc_b is a dictionary where loc_b[b] is the indices i where b = B_i != A_i. - // We need to swap appropriate A_j's into these positions. - let mut loc_b: HashMap> = HashMap::new(); - - for i in 0..n { - if lst_a[i] == lst_b[i] { - // If A_i = B_i, we never do SWAP_i as we are already in the correct position. - correct_a.insert(i); - } else { - loc_b.entry(lst_b[i].clone()).or_default().push(i); - } - } - - // This will be a list of disjoint cycles. - let mut permutation = vec![]; - - // For technical reasons, it's handy to include [0] as a trivial cycle. - // This is because if A_0 = A_i for some other i in a cycle, - // we can save transpositions by expanding the cycle to include 0. - if correct_a.contains(&0) { - permutation.push(vec![0]); - } - - for i in 0..n { - // If i is both not in the correct position and not already in a cycle, it will start a new cycle. - if correct_a.contains(&i) { - continue; - } - - correct_a.insert(i); - let mut cycl = vec![i]; - - // lst_a[i] need to be swapped into an index j such that lst_b[j] = lst_a[i]. - // This exactly means j should be an element of loc_b[lst_a[i]]. - // We pop as each j should only be used once. - // In this step we simply find any permutation. We will improve it to an optimal one in STEP 2. - let mut j = loc_b.get_mut(&lst_a[i]).unwrap().pop().unwrap(); - - // Keep adding elements to the cycle until we return to our initial index - while j != i { - correct_a.insert(j); - cycl.push(j); - j = loc_b.get_mut(&lst_a[j]).unwrap().pop().unwrap(); - } - - permutation.push(cycl); - } - permutation -} - -/// This function does STEP 2. It tests to see if cycles can be combined which might occur if A has duplicates. -fn combine_cycles(mut perm: Vec>, lst_a: &[T]) -> Vec> { - // If perm is a single cycle, there is nothing to combine. - if perm.len() == 1 { - return perm; - } - - let n = lst_a.len(); - - // Need a dictionary to keep track of duplicates in lst_a. - let mut all_a_positions: HashMap> = HashMap::new(); - for i in 0..n { - all_a_positions.entry(lst_a[i].clone()).or_default().push(i); - } - - // For each element a which occurs at positions i1, ..., ij, combine cycles such that all - // ik which occur in a cycle occur in the same cycle. - for positions in all_a_positions.values() { - if positions.len() == 1 { - continue; - } - - let mut joinedperm = vec![]; - let mut newperm = vec![]; - let mut pos = 0; - for cycl in perm { - // Does cycl include an element of positions? - let mut disjoint = true; - - for term in positions { - if cycl.contains(term) { - if joinedperm.is_empty() { - // This is the first cycle we have found including an element of positions. - joinedperm = cycl.clone(); - pos = cycl.iter().position(|x| x == term).unwrap(); - } else { - // Need to merge 2 cycles. If A_i = A_j then the permutations - // (C_1, ..., C_k1, i, C_{k1 + 1}, ... C_k2)(D_1, ..., D_k3, j, D_{k3 + 1}, ... D_k4) - // (C_1, ..., C_k1, i, D_{k3 + 1}, ... D_k4, D_1, ..., D_k3, j, C_{k1 + 1}, ... C_k2) - // lead to the same oupput but the second will require less transpositions. - let newpos = cycl.iter().position(|x| x == term).unwrap(); - joinedperm = [ - &joinedperm[..pos + 1], - &cycl[newpos + 1..], - &cycl[..newpos + 1], - &joinedperm[pos + 1..], - ] - .concat(); - } - disjoint = false; - break; - } - } - if disjoint { - newperm.push(cycl); - } - } - if !joinedperm.is_empty() { - newperm.push(joinedperm); - } - perm = newperm; - } - perm -} - -// This function does STEP 3. Converting all cycles to [0, i] transpositions. -fn permutation_to_transpositions(perm: Vec>) -> Vec { - let mut trans = vec![]; - // The method is pretty simple, we have: - // (0 C_1 ... C_i) = (0 C_i) ... (0 C_1) - // (C_1 ... C_i) = (0 C_1) (0 C_i) ... (0\ C_1). - // We simply need to check to see if 0 is in our cycle to see which one to use. - for cycl in perm { - let n = cycl.len(); - let zero_pos = cycl.iter().position(|x| *x == 0); - if let Some(pos) = zero_pos { - trans.extend((1..n).map(|i| cycl[(n + pos - i) % n])); - } else { - trans.extend((0..=n).map(|i| cycl[(n - i) % n])); - } - } - trans -} - -#[cfg(test)] -fn trans_to_perm(trans: Vec) -> Vec> { - trans.into_iter().map(|i| vec![0, i]).collect() -} - -fn transpositions_to_stack_ops(trans: Vec) -> Vec { - trans.into_iter().map(|i| StackOp::Swap(i as u8)).collect() -} - -pub(crate) fn is_permutation(a: &[T], b: &[T]) -> bool { - make_multiset(a) == make_multiset(b) -} - -fn make_multiset(vals: &[T]) -> HashMap { - let mut counts = HashMap::new(); - for val in vals { - *counts.entry(val.clone()).or_default() += 1; - } - counts -} - -#[cfg(test)] -mod tests { - use rand::prelude::SliceRandom; - use rand::thread_rng; - - use crate::cpu::kernel::stack::permutations::{ - apply_perm, combine_cycles, find_permutation, is_permutation, - permutation_to_transpositions, trans_to_perm, - }; - - #[test] - fn test_combine_cycles() { - assert_eq!( - combine_cycles(vec![vec![0, 2], vec![3, 4]], &['a', 'b', 'c', 'd', 'a']), - vec![vec![0, 3, 4, 2]] - ); - } - - #[test] - fn test_is_permutation() { - assert!(is_permutation(&['a', 'b', 'c'], &['b', 'c', 'a'])); - assert!(!is_permutation(&['a', 'b', 'c'], &['a', 'b', 'b', 'c'])); - assert!(!is_permutation(&['a', 'b', 'c'], &['a', 'd', 'c'])); - } - - #[test] - fn test_all() { - let mut test_lst = vec![ - 'a', 'a', 'a', 'a', 'b', 'b', 'b', 'c', 'c', 'c', 'd', 'd', 'e', 'f', 'g', 'h', 'k', - ]; - - let mut rng = thread_rng(); - test_lst.shuffle(&mut rng); - for _ in 0..1000 { - let lst_a = test_lst.clone(); - test_lst.shuffle(&mut rng); - let lst_b = test_lst.clone(); - - let perm = find_permutation(&lst_a, &lst_b); - assert_eq!(apply_perm(perm.clone(), lst_a.clone()), lst_b); - - let shortperm = combine_cycles(perm.clone(), &lst_a); - assert_eq!(apply_perm(shortperm.clone(), lst_a.clone()), lst_b); - - let trans = trans_to_perm(permutation_to_transpositions(perm)); - assert_eq!(apply_perm(trans.clone(), lst_a.clone()), lst_b); - - let shorttrans = trans_to_perm(permutation_to_transpositions(shortperm)); - assert_eq!(apply_perm(shorttrans.clone(), lst_a.clone()), lst_b); - - assert!(shorttrans.len() <= trans.len()); - } - } -} diff --git a/evm/src/cpu/kernel/stack/stack_manipulation.rs b/evm/src/cpu/kernel/stack/stack_manipulation.rs deleted file mode 100644 index a7b376c5ea..0000000000 --- a/evm/src/cpu/kernel/stack/stack_manipulation.rs +++ /dev/null @@ -1,373 +0,0 @@ -use core::cmp::Ordering; -use core::hash::Hash; -use std::collections::hash_map::Entry::{Occupied, Vacant}; -use std::collections::{BinaryHeap, HashMap}; - -use itertools::Itertools; - -use crate::cpu::columns::NUM_CPU_COLUMNS; -use crate::cpu::kernel::assembler::BYTES_PER_OFFSET; -use crate::cpu::kernel::ast::{Item, PushTarget, StackPlaceholder, StackReplacement}; -use crate::cpu::kernel::stack::permutations::{get_stack_ops_for_perm, is_permutation}; -use crate::cpu::kernel::stack::stack_manipulation::StackOp::Pop; -use crate::cpu::kernel::utils::u256_to_trimmed_be_bytes; -use crate::memory; - -pub(crate) fn expand_stack_manipulation(body: Vec) -> Vec { - let mut expanded = vec![]; - for item in body { - if let Item::StackManipulation(names, replacements) = item { - expanded.extend(expand(names, replacements)); - } else { - expanded.push(item); - } - } - expanded -} - -fn expand(names: Vec, replacements: Vec) -> Vec { - let mut stack_blocks = HashMap::new(); - - let mut src = names - .iter() - .cloned() - .flat_map(|StackPlaceholder(name, n)| { - stack_blocks.insert(name.clone(), n); - (0..n) - .map(|i| { - let literal_name = format!("@{name}.{i}"); - StackItem::NamedItem(literal_name) - }) - .collect_vec() - }) - .collect_vec(); - - let mut dst = replacements - .into_iter() - .flat_map(|item| match item { - StackReplacement::Literal(n) => vec![StackItem::PushTarget(PushTarget::Literal(n))], - StackReplacement::Identifier(name) => { - // May be either a named item or a label. Named items have precedence. - if stack_blocks.contains_key(&name) { - let n = *stack_blocks.get(&name).unwrap(); - (0..n) - .map(|i| { - let literal_name = format!("@{name}.{i}"); - StackItem::NamedItem(literal_name) - }) - .collect_vec() - } else { - vec![StackItem::PushTarget(PushTarget::Label(name))] - } - } - StackReplacement::Label(name) => vec![StackItem::PushTarget(PushTarget::Label(name))], - StackReplacement::MacroLabel(_) - | StackReplacement::MacroVar(_) - | StackReplacement::Constant(_) => { - panic!("Should have been expanded already: {item:?}") - } - }) - .collect_vec(); - - // %stack uses our convention where the top item is written on the left side. - // `shortest_path` expects the opposite, so we reverse src and dst. - src.reverse(); - dst.reverse(); - - let unique_push_targets = dst - .iter() - .filter_map(|item| match item { - StackItem::PushTarget(target) => Some(target.clone()), - _ => None, - }) - .unique() - .collect_vec(); - - let path = shortest_path(src, dst, unique_push_targets); - path.into_iter().map(StackOp::into_item).collect() -} - -/// Finds the lowest-cost sequence of `StackOp`s that transforms `src` to `dst`. -/// Uses a variant of Dijkstra's algorithm. -fn shortest_path( - src: Vec, - dst: Vec, - unique_push_targets: Vec, -) -> Vec { - // Nodes to visit, starting with the lowest-cost node. - let mut queue = BinaryHeap::new(); - queue.push(Node { - stack: src.clone(), - cost: 0, - }); - - // For each node, stores `(best_cost, Option<(parent, op)>)`. - let mut node_info = HashMap::, (u32, Option<(Vec, StackOp)>)>::new(); - node_info.insert(src.clone(), (0, None)); - - while let Some(node) = queue.pop() { - if node.stack == dst { - // The destination is now the lowest-cost node, so we must have found the best path. - let mut path = vec![]; - let mut stack = &node.stack; - // Rewind back to src, recording a list of operations which will be backwards. - while let Some((parent, op)) = &node_info[stack].1 { - stack = parent; - path.push(op.clone()); - } - assert_eq!(stack, &src); - path.reverse(); - return path; - } - - let (best_cost, _) = node_info[&node.stack]; - if best_cost < node.cost { - // Since we can't efficiently remove nodes from the heap, it can contain duplicates. - // In this case, we've already visited this stack state with a lower cost. - continue; - } - - for op in next_ops(&node.stack, &dst, &unique_push_targets) { - let neighbor = match op.apply_to(node.stack.clone()) { - Some(n) => n, - None => continue, - }; - - let cost = node.cost + op.cost(); - let entry = node_info.entry(neighbor.clone()); - if let Occupied(e) = &entry - && e.get().0 <= cost - { - // We already found a better or equal path. - continue; - } - - let neighbor_info = (cost, Some((node.stack.clone(), op.clone()))); - match entry { - Occupied(mut e) => { - e.insert(neighbor_info); - } - Vacant(e) => { - e.insert(neighbor_info); - } - } - - queue.push(Node { - stack: neighbor, - cost, - }); - } - } - - panic!("No path found from {src:?} to {dst:?}") -} - -/// A node in the priority queue used by Dijkstra's algorithm. -#[derive(Eq, PartialEq)] -struct Node { - stack: Vec, - cost: u32, -} - -impl PartialOrd for Node { - fn partial_cmp(&self, other: &Self) -> Option { - Some(self.cmp(other)) - } -} - -impl Ord for Node { - fn cmp(&self, other: &Self) -> Ordering { - // We want a min-heap rather than the default max-heap, so this is the opposite of the - // natural ordering of costs. - other.cost.cmp(&self.cost) - } -} - -/// Like `StackReplacement`, but without constants or macro vars, since those were expanded already. -#[derive(Eq, PartialEq, Hash, Clone, Debug)] -pub(crate) enum StackItem { - NamedItem(String), - PushTarget(PushTarget), -} - -#[derive(Clone, Debug)] -pub(crate) enum StackOp { - Push(PushTarget), - Pop, - Dup(u8), - Swap(u8), -} - -/// A set of candidate operations to consider for the next step in the path from `src` to `dst`. -fn next_ops( - src: &[StackItem], - dst: &[StackItem], - unique_push_targets: &[PushTarget], -) -> Vec { - if let Some(top) = src.last() - && !dst.contains(top) - { - // If the top of src doesn't appear in dst, don't bother with anything other than a POP. - return vec![StackOp::Pop]; - } - - if is_permutation(src, dst) { - // The transpositions are right-associative, so the last one gets applied first, hence pop. - return vec![get_stack_ops_for_perm(src, dst).pop().unwrap()]; - } - - let mut ops = vec![StackOp::Pop]; - - ops.extend( - unique_push_targets - .iter() - // Only consider pushing this target if we need more occurrences of it, otherwise swaps - // will be a better way to rearrange the existing occurrences as needed. - .filter(|push_target| { - let item = StackItem::PushTarget((*push_target).clone()); - let src_count = src.iter().filter(|x| **x == item).count(); - let dst_count = dst.iter().filter(|x| **x == item).count(); - src_count < dst_count - }) - .cloned() - .map(StackOp::Push), - ); - - let src_len = src.len() as u8; - - ops.extend( - (1..=src_len) - // Only consider duplicating this item if we need more occurrences of it, otherwise swaps - // will be a better way to rearrange the existing occurrences as needed. - .filter(|i| { - let item = &src[src.len() - *i as usize]; - let src_count = src.iter().filter(|x| *x == item).count(); - let dst_count = dst.iter().filter(|x| *x == item).count(); - src_count < dst_count - }) - .map(StackOp::Dup), - ); - - ops.extend( - (1..src_len) - .filter(|i| should_try_swap(src, dst, *i)) - .map(StackOp::Swap), - ); - - ops -} - -/// Whether we should consider `SWAP_i` in the search. -fn should_try_swap(src: &[StackItem], dst: &[StackItem], i: u8) -> bool { - if src.is_empty() { - return false; - } - - let i = i as usize; - let i_from = src.len() - 1; - let i_to = i_from - i; - - // Only consider a swap if it places one of the two affected elements in the desired position. - let top_correct_pos = i_to < dst.len() && src[i_from] == dst[i_to]; - let other_correct_pos = i_from < dst.len() && src[i_to] == dst[i_from]; - top_correct_pos | other_correct_pos -} - -impl StackOp { - fn cost(&self) -> u32 { - let (cpu_rows, memory_rows) = match self { - StackOp::Push(target) => { - let bytes = match target { - PushTarget::Literal(n) => u256_to_trimmed_be_bytes(n).len() as u32, - PushTarget::Label(_) => BYTES_PER_OFFSET as u32, - PushTarget::MacroLabel(_) - | PushTarget::MacroVar(_) - | PushTarget::Constant(_) => { - panic!("Target should have been expanded already: {target:?}") - } - }; - // A PUSH takes one cycle, and 1 memory read per byte. - (1, bytes + 1) - } - // A POP takes one cycle, and most of the time a read to update the top of the stack. - Pop => (1, 1), - // A DUP takes one cycle, and a read and a write. - StackOp::Dup(_) => (1, 2), - // A SWAP takes one cycle with three memory ops, to read both values then write to them. - StackOp::Swap(_) => (1, 3), - }; - - let cpu_cost = cpu_rows * NUM_CPU_COLUMNS as u32; - let memory_cost = memory_rows * memory::columns::NUM_COLUMNS as u32; - cpu_cost + memory_cost - } - - /// Returns an updated stack after this operation is performed, or `None` if this operation - /// would not be valid on the given stack. - fn apply_to(&self, mut stack: Vec) -> Option> { - let len = stack.len(); - match self { - StackOp::Push(target) => { - stack.push(StackItem::PushTarget(target.clone())); - } - Pop => { - stack.pop()?; - } - StackOp::Dup(n) => { - let idx = len.checked_sub(*n as usize)?; - stack.push(stack[idx].clone()); - } - StackOp::Swap(n) => { - let from = len.checked_sub(1)?; - let to = len.checked_sub(*n as usize + 1)?; - stack.swap(from, to); - } - } - Some(stack) - } - - fn into_item(self) -> Item { - match self { - StackOp::Push(target) => Item::Push(target), - Pop => Item::StandardOp("POP".into()), - StackOp::Dup(n) => Item::StandardOp(format!("DUP{n}")), - StackOp::Swap(n) => Item::StandardOp(format!("SWAP{n}")), - } - } -} - -#[cfg(test)] -mod tests { - use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; - - use crate::cpu::kernel::stack::stack_manipulation::StackItem::NamedItem; - use crate::cpu::kernel::stack::stack_manipulation::{shortest_path, StackItem}; - - #[test] - fn test_shortest_path() { - init_logger(); - shortest_path( - vec![named("ret"), named("a"), named("b"), named("d")], - vec![named("ret"), named("b"), named("a")], - vec![], - ); - } - - #[test] - fn test_shortest_path_permutation() { - init_logger(); - shortest_path( - vec![named("a"), named("b"), named("c")], - vec![named("c"), named("a"), named("b")], - vec![], - ); - } - - fn named(name: &str) -> StackItem { - NamedItem(name.into()) - } - - fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "debug")); - } -} diff --git a/evm/src/cpu/kernel/tests/account_code.rs b/evm/src/cpu/kernel/tests/account_code.rs deleted file mode 100644 index 5e2dddca9e..0000000000 --- a/evm/src/cpu/kernel/tests/account_code.rs +++ /dev/null @@ -1,469 +0,0 @@ -use std::collections::HashMap; - -use anyhow::Result; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata::{self, GasLimit}; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::mpt::nibbles_64; -use crate::generation::mpt::{load_all_mpts, AccountRlp}; -use crate::generation::TrieInputs; -use crate::memory::segments::Segment; -use crate::witness::memory::MemoryAddress; -use crate::witness::operation::CONTEXT_SCALING_FACTOR; -use crate::Node; - -pub(crate) fn initialize_mpts(interpreter: &mut Interpreter, trie_inputs: &TrieInputs) { - // Load all MPTs. - let (trie_root_ptrs, trie_data) = - load_all_mpts(trie_inputs).expect("Invalid MPT data for preinitialization"); - - let state_addr = - MemoryAddress::new_bundle((GlobalMetadata::StateTrieRoot as usize).into()).unwrap(); - let txn_addr = - MemoryAddress::new_bundle((GlobalMetadata::TransactionTrieRoot as usize).into()).unwrap(); - let receipts_addr = - MemoryAddress::new_bundle((GlobalMetadata::ReceiptTrieRoot as usize).into()).unwrap(); - let len_addr = - MemoryAddress::new_bundle((GlobalMetadata::TrieDataSize as usize).into()).unwrap(); - - let to_set = [ - (state_addr, trie_root_ptrs.state_root_ptr.into()), - (txn_addr, trie_root_ptrs.txn_root_ptr.into()), - (receipts_addr, trie_root_ptrs.receipt_root_ptr.into()), - (len_addr, trie_data.len().into()), - ]; - - interpreter.set_memory_multi_addresses(&to_set); - - for (i, data) in trie_data.iter().enumerate() { - let trie_addr = MemoryAddress::new(0, Segment::TrieData, i); - interpreter - .generation_state - .memory - .set(trie_addr, data.into()); - } -} - -// Test account with a given code hash. -fn test_account(code: &[u8]) -> AccountRlp { - AccountRlp { - nonce: U256::from(1111), - balance: U256::from(2222), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak(code), - } -} - -fn random_code() -> Vec { - let mut rng = thread_rng(); - let num_bytes = rng.gen_range(0..1000); - (0..num_bytes).map(|_| rng.gen()).collect() -} - -// Stolen from `tests/mpt/insert.rs` -// Prepare the interpreter by inserting the account in the state trie. -fn prepare_interpreter( - interpreter: &mut Interpreter, - address: Address, - account: &AccountRlp, -) -> Result<()> { - let mpt_insert_state_trie = KERNEL.global_labels["mpt_insert_state_trie"]; - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - let mut state_trie: HashedPartialTrie = Default::default(); - let trie_inputs = Default::default(); - - initialize_mpts(interpreter, &trie_inputs); - - let k = nibbles_64(U256::from_big_endian( - keccak(address.to_fixed_bytes()).as_bytes(), - )); - // Next, execute mpt_insert_state_trie. - interpreter.generation_state.registers.program_counter = mpt_insert_state_trie; - let trie_data = interpreter.get_trie_data_mut(); - if trie_data.is_empty() { - // In the assembly we skip over 0, knowing trie_data[0] = 0 by default. - // Since we don't explicitly set it to 0, we need to do so here. - trie_data.push(0.into()); - } - let value_ptr = trie_data.len(); - trie_data.push(account.nonce); - trie_data.push(account.balance); - // In memory, storage_root gets interpreted as a pointer to a storage trie, - // so we have to ensure the pointer is valid. It's easiest to set it to 0, - // which works as an empty node, since trie_data[0] = 0 = MPT_TYPE_EMPTY. - trie_data.push(H256::zero().into_uint()); - trie_data.push(account.code_hash.into_uint()); - let trie_data_len = trie_data.len().into(); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, trie_data_len); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(value_ptr.into()) - .expect("The stack should not overflow"); // value_ptr - interpreter - .push(k.try_into_u256().unwrap()) - .expect("The stack should not overflow"); // key - - interpreter.run()?; - assert_eq!( - interpreter.stack().len(), - 0, - "Expected empty stack after insert, found {:?}", - interpreter.stack() - ); - - // Now, execute mpt_hash_state_trie. - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack after hashing, found {:?}", - interpreter.stack() - ); - let hash = H256::from_uint(&interpreter.stack()[1]); - - state_trie.insert(k, rlp::encode(account).to_vec()); - let expected_state_trie_hash = state_trie.hash(); - assert_eq!(hash, expected_state_trie_hash); - - Ok(()) -} - -#[test] -fn test_extcodesize() -> Result<()> { - let code = random_code(); - let account = test_account(&code); - - let mut interpreter = Interpreter::new_with_kernel(0, vec![]); - let address: Address = thread_rng().gen(); - // Prepare the interpreter by inserting the account in the state trie. - prepare_interpreter(&mut interpreter, address, &account)?; - - let extcodesize = KERNEL.global_labels["extcodesize"]; - - // Test `extcodesize` - interpreter.generation_state.registers.program_counter = extcodesize; - interpreter.pop().expect("The stack should not be empty"); - interpreter.pop().expect("The stack should not be empty"); - assert!(interpreter.stack().is_empty()); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(U256::from_big_endian(address.as_bytes())) - .expect("The stack should not overflow"); - interpreter.generation_state.inputs.contract_code = - HashMap::from([(keccak(&code), code.clone())]); - interpreter.run()?; - - assert_eq!(interpreter.stack(), vec![code.len().into()]); - - Ok(()) -} - -#[test] -fn test_extcodecopy() -> Result<()> { - let code = random_code(); - let account = test_account(&code); - - let mut interpreter = Interpreter::new_with_kernel(0, vec![]); - let address: Address = thread_rng().gen(); - // Prepare the interpreter by inserting the account in the state trie. - prepare_interpreter(&mut interpreter, address, &account)?; - - let context = interpreter.context(); - interpreter.generation_state.memory.contexts[context].segments - [Segment::ContextMetadata.unscale()] - .set(GasLimit.unscale(), U256::from(1000000000000u64)); - - let extcodecopy = KERNEL.global_labels["sys_extcodecopy"]; - - // Put random data in main memory and the `KernelAccountCode` segment for realism. - let mut rng = thread_rng(); - for i in 0..2000 { - interpreter.generation_state.memory.contexts[context].segments - [Segment::MainMemory.unscale()] - .set(i, U256::from(rng.gen::())); - interpreter.generation_state.memory.contexts[context].segments - [Segment::KernelAccountCode.unscale()] - .set(i, U256::from(rng.gen::())); - } - - // Random inputs - let dest_offset = rng.gen_range(0..3000); - let offset = rng.gen_range(0..1500); - let size = rng.gen_range(0..1500); - - // Test `extcodecopy` - interpreter.generation_state.registers.program_counter = extcodecopy; - interpreter.pop().expect("The stack should not be empty"); - interpreter.pop().expect("The stack should not be empty"); - assert!(interpreter.stack().is_empty()); - interpreter - .push(size.into()) - .expect("The stack should not overflow"); - interpreter - .push(offset.into()) - .expect("The stack should not overflow"); - interpreter - .push(dest_offset.into()) - .expect("The stack should not overflow"); - interpreter - .push(U256::from_big_endian(address.as_bytes())) - .expect("The stack should not overflow"); - interpreter - .push((0xDEADBEEFu64 + (1 << 32)).into()) - .expect("The stack should not overflow"); // kexit_info - interpreter.generation_state.inputs.contract_code = - HashMap::from([(keccak(&code), code.clone())]); - interpreter.run()?; - - assert!(interpreter.stack().is_empty()); - // Check that the code was correctly copied to memory. - for i in 0..size { - let memory = interpreter.generation_state.memory.contexts[context].segments - [Segment::MainMemory.unscale()] - .get(dest_offset + i); - assert_eq!( - memory, - code.get(offset + i).copied().unwrap_or_default().into() - ); - } - - Ok(()) -} - -/// Prepare the interpreter for storage tests by inserting all necessary accounts -/// in the state trie, adding the code we want to context 1 and switching the context. -fn prepare_interpreter_all_accounts( - interpreter: &mut Interpreter, - trie_inputs: TrieInputs, - addr: [u8; 20], - code: &[u8], -) -> Result<()> { - // Load all MPTs. - initialize_mpts(interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // Switch context and initialize memory with the data we need for the tests. - interpreter.generation_state.registers.program_counter = 0; - interpreter.set_code(1, code.to_vec()); - interpreter.set_context_metadata_field( - 1, - ContextMetadata::Address, - U256::from_big_endian(&addr), - ); - interpreter.set_context_metadata_field(1, ContextMetadata::GasLimit, 100_000.into()); - interpreter.set_context(1); - interpreter.set_is_kernel(false); - interpreter.set_context_metadata_field( - 1, - ContextMetadata::ParentProgramCounter, - 0xdeadbeefu32.into(), - ); - interpreter.set_context_metadata_field( - 1, - ContextMetadata::ParentContext, - U256::one() << CONTEXT_SCALING_FACTOR, // ctx = 1 - ); - - Ok(()) -} - -/// Tests an SSTORE within a code similar to the contract code in add11_yml. -#[test] -fn sstore() -> Result<()> { - // We take the same `to` account as in add11_yml. - let addr = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let addr_hashed = keccak(addr); - - let addr_nibbles = Nibbles::from_bytes_be(addr_hashed.as_bytes()).unwrap(); - - let code = [0x60, 0x01, 0x60, 0x01, 0x01, 0x60, 0x00, 0x55, 0x00]; - let code_hash = keccak(code); - - let account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - - state_trie_before.insert(addr_nibbles, rlp::encode(&account_before).to_vec()); - - let trie_inputs = TrieInputs { - state_trie: state_trie_before.clone(), - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(addr_hashed, Node::Empty.into())], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - - // Prepare the interpreter by inserting the account in the state trie. - prepare_interpreter_all_accounts(&mut interpreter, trie_inputs, addr, &code)?; - - interpreter.run()?; - - // The first two elements in the stack are `success` and `leftover_gas`, - // returned by the `sys_stop` opcode. - interpreter.pop().expect("Stack should not be empty"); - interpreter.pop().expect("Stack should not be empty"); - - // The code should have added an element to the storage of `to_account`. We run - // `mpt_hash_state_trie` to check that. - let account_after = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - storage_root: HashedPartialTrie::from(Node::Leaf { - nibbles: Nibbles::from_h256_be(keccak([0u8; 32])), - value: vec![2], - }) - .hash(), - ..AccountRlp::default() - }; - // Now, execute mpt_hash_state_trie. - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter.set_is_kernel(true); - interpreter.set_context(0); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack after hashing, found {:?}", - interpreter.stack() - ); - - let hash = H256::from_uint(&interpreter.stack()[1]); - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert(addr_nibbles, rlp::encode(&account_after).to_vec()); - - let expected_state_trie_hash = expected_state_trie_after.hash(); - assert_eq!(hash, expected_state_trie_hash); - Ok(()) -} - -/// Tests an SLOAD within a code similar to the contract code in add11_yml. -#[test] -fn sload() -> Result<()> { - // We take the same `to` account as in add11_yml. - let addr = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let addr_hashed = keccak(addr); - - let addr_nibbles = Nibbles::from_bytes_be(addr_hashed.as_bytes()).unwrap(); - - // This code is similar to the one in add11_yml's contract, but we pop the added value - // and carry out an SLOAD instead of an SSTORE. We also add a PUSH at the end. - let code = [ - 0x60, 0x01, 0x60, 0x01, 0x01, 0x50, 0x60, 0x00, 0x54, 0x60, 0x03, 0x00, - ]; - let code_hash = keccak(code); - - let account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - - state_trie_before.insert(addr_nibbles, rlp::encode(&account_before).to_vec()); - - let trie_inputs = TrieInputs { - state_trie: state_trie_before.clone(), - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(addr_hashed, Node::Empty.into())], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - - // Prepare the interpreter by inserting the account in the state trie. - prepare_interpreter_all_accounts(&mut interpreter, trie_inputs, addr, &code)?; - interpreter.run()?; - - // The first two elements in the stack are `success` and `leftover_gas`, - // returned by the `sys_stop` opcode. - interpreter - .pop() - .expect("The stack length should not be empty."); - interpreter - .pop() - .expect("The stack length should not be empty."); - - // The SLOAD in the provided code should return 0, since - // the storage trie is empty. The last step in the code - // pushes the value 3. - assert_eq!(interpreter.stack(), vec![0x0.into(), 0x3.into()]); - interpreter - .pop() - .expect("The stack length should not be empty."); - interpreter - .pop() - .expect("The stack length should not be empty."); - // Now, execute mpt_hash_state_trie. We check that the state trie has not changed. - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter.set_is_kernel(true); - interpreter.set_context(0); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow."); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow."); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack after hashing, found {:?}", - interpreter.stack() - ); - - let trie_data_segment_len = interpreter.stack()[0]; - assert_eq!( - trie_data_segment_len, - interpreter - .get_memory_segment(Segment::TrieData) - .len() - .into() - ); - - let hash = H256::from_uint(&interpreter.stack()[1]); - - let expected_state_trie_hash = state_trie_before.hash(); - assert_eq!(hash, expected_state_trie_hash); - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/add11.rs b/evm/src/cpu/kernel/tests/add11.rs deleted file mode 100644 index c5eb29397e..0000000000 --- a/evm/src/cpu/kernel/tests/add11.rs +++ /dev/null @@ -1,311 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; - -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, Node, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256}; -use hex_literal::hex; -use keccak_hash::keccak; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use crate::generation::TrieInputs; -use crate::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use crate::GenerationInputs; - -#[test] -fn test_add11_yml() { - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender = hex!("a94f5374fce5edbc8e2a8697c15331677e6ebf0b"); - let to = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_hashed = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - - let code = [0x60, 0x01, 0x60, 0x01, 0x01, 0x60, 0x00, 0x55, 0x00]; - let code_hash = keccak(code); - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(to_hashed, Node::Empty.into())], - }; - - let txn = hex!("f863800a83061a8094095e7baea6a6c7c4c2dfeb977efac326af552d87830186a0801ba0ffb600e63115a7362e7811894a91d8ba4330e526f22121c994c4692035dfdfd5a06198379fcac8de3dbfac48b165df4bf88e2088f294b61efb9a65fe2281c76e16"); - - let gas_used = 0xa868u64.into(); - - let expected_state_trie_after = { - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_after = AccountRlp { - balance: 0xde0b6b3a75be550u64.into(), - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = AccountRlp { - balance: 0xde0b6b3a76586a0u64.into(), - code_hash, - // Storage map: { 0 => 2 } - storage_root: HashedPartialTrie::from(Node::Leaf { - nibbles: Nibbles::from_h256_be(keccak([0u8; 32])), - value: vec![2], - }) - .hash(), - ..AccountRlp::default() - }; - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after - .insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after - }; - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used, - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: gas_used, - block_bloom: [0.into(); 8], - }; - - let tries_inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code: contract_code.clone(), - block_metadata, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used, - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let initial_stack = vec![]; - let mut interpreter = - Interpreter::new_with_generation_inputs_and_kernel(0, initial_stack, tries_inputs); - - let route_txn_label = KERNEL.global_labels["main"]; - // Switch context and initialize memory with the data we need for the tests. - interpreter.generation_state.registers.program_counter = route_txn_label; - interpreter.set_context_metadata_field(0, ContextMetadata::GasLimit, 1_000_000.into()); - interpreter.set_is_kernel(true); - interpreter.run().expect("Proving add11 failed."); -} - -#[test] -fn test_add11_yml_with_exception() { - // In this test, we make sure that the user code throws a stack underflow exception. - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender = hex!("a94f5374fce5edbc8e2a8697c15331677e6ebf0b"); - let to = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_hashed = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - - let code = [0x60, 0x01, 0x60, 0x01, 0x01, 0x8e, 0x00]; - let code_hash = keccak(code); - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(to_hashed, Node::Empty.into())], - }; - - let txn = hex!("f863800a83061a8094095e7baea6a6c7c4c2dfeb977efac326af552d87830186a0801ba0ffb600e63115a7362e7811894a91d8ba4330e526f22121c994c4692035dfdfd5a06198379fcac8de3dbfac48b165df4bf88e2088f294b61efb9a65fe2281c76e16"); - let txn_gas_limit = 400_000; - let gas_price = 10; - - // Here, since the transaction fails, it consumes its gas limit, and does nothing else. - let expected_state_trie_after = { - let beneficiary_account_after = beneficiary_account_before; - // This is the only account that changes: the nonce and the balance are updated. - let sender_account_after = AccountRlp { - balance: sender_account_before.balance - txn_gas_limit * gas_price, - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = to_account_before; - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after - .insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after - }; - - let receipt_0 = LegacyReceiptRlp { - status: false, - cum_gas_used: txn_gas_limit.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: txn_gas_limit.into(), - block_bloom: [0.into(); 8], - }; - - let tries_inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code: contract_code.clone(), - block_metadata, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: txn_gas_limit.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let initial_stack = vec![]; - let mut interpreter = - Interpreter::new_with_generation_inputs_and_kernel(0, initial_stack, tries_inputs); - - let route_txn_label = KERNEL.global_labels["main"]; - // Switch context and initialize memory with the data we need for the tests. - interpreter.generation_state.registers.program_counter = route_txn_label; - interpreter.set_context_metadata_field(0, ContextMetadata::GasLimit, 1_000_000.into()); - interpreter.set_is_kernel(true); - interpreter - .run() - .expect("Proving add11 with exception failed."); -} diff --git a/evm/src/cpu/kernel/tests/balance.rs b/evm/src/cpu/kernel/tests/balance.rs deleted file mode 100644 index b393c05cf5..0000000000 --- a/evm/src/cpu/kernel/tests/balance.rs +++ /dev/null @@ -1,131 +0,0 @@ -use anyhow::Result; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use keccak_hash::keccak; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::nibbles_64; -use crate::generation::mpt::AccountRlp; -use crate::Node; - -// Test account with a given code hash. -fn test_account(balance: U256) -> AccountRlp { - AccountRlp { - nonce: U256::from(1111), - balance, - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: H256::from_uint(&U256::from(8888)), - } -} - -// Stolen from `tests/mpt/insert.rs` -// Prepare the interpreter by inserting the account in the state trie. -fn prepare_interpreter( - interpreter: &mut Interpreter, - address: Address, - account: &AccountRlp, -) -> Result<()> { - let mpt_insert_state_trie = KERNEL.global_labels["mpt_insert_state_trie"]; - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - let mut state_trie: HashedPartialTrie = Default::default(); - let trie_inputs = Default::default(); - - initialize_mpts(interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let k = nibbles_64(U256::from_big_endian( - keccak(address.to_fixed_bytes()).as_bytes(), - )); - // Next, execute mpt_insert_state_trie. - interpreter.generation_state.registers.program_counter = mpt_insert_state_trie; - let trie_data = interpreter.get_trie_data_mut(); - if trie_data.is_empty() { - // In the assembly we skip over 0, knowing trie_data[0] = 0 by default. - // Since we don't explicitly set it to 0, we need to do so here. - trie_data.push(0.into()); - } - let value_ptr = trie_data.len(); - trie_data.push(account.nonce); - trie_data.push(account.balance); - // In memory, storage_root gets interpreted as a pointer to a storage trie, - // so we have to ensure the pointer is valid. It's easiest to set it to 0, - // which works as an empty node, since trie_data[0] = 0 = MPT_TYPE_EMPTY. - trie_data.push(H256::zero().into_uint()); - trie_data.push(account.code_hash.into_uint()); - let trie_data_len = trie_data.len().into(); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, trie_data_len); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(value_ptr.into()) - .expect("The stack should not overflow"); // value_ptr - interpreter - .push(k.try_into_u256().unwrap()) - .expect("The stack should not overflow"); // key - - interpreter.run()?; - assert_eq!( - interpreter.stack().len(), - 0, - "Expected empty stack after insert, found {:?}", - interpreter.stack() - ); - - // Now, execute mpt_hash_state_trie. - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial trie data segment size, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack after hashing, found {:?}", - interpreter.stack() - ); - let hash = H256::from_uint(&interpreter.stack()[1]); - - state_trie.insert(k, rlp::encode(account).to_vec()); - let expected_state_trie_hash = state_trie.hash(); - assert_eq!(hash, expected_state_trie_hash); - - Ok(()) -} - -#[test] -fn test_balance() -> Result<()> { - let mut rng = thread_rng(); - let balance = U256(rng.gen()); - let account = test_account(balance); - - let mut interpreter = Interpreter::new_with_kernel(0, vec![]); - let address: Address = rng.gen(); - // Prepare the interpreter by inserting the account in the state trie. - prepare_interpreter(&mut interpreter, address, &account)?; - - // Test `balance` - interpreter.generation_state.registers.program_counter = KERNEL.global_labels["balance"]; - interpreter.pop().expect("The stack should not be empty"); - interpreter.pop().expect("The stack should not be empty"); - assert!(interpreter.stack().is_empty()); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(U256::from_big_endian(address.as_bytes())) - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!(interpreter.stack(), vec![balance]); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/bignum/mod.rs b/evm/src/cpu/kernel/tests/bignum/mod.rs deleted file mode 100644 index 0cc6f0dc1b..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/mod.rs +++ /dev/null @@ -1,592 +0,0 @@ -use core::cmp::Ordering; -use std::fs::File; -use std::io::{BufRead, BufReader}; -use std::path::PathBuf; - -use anyhow::Result; -use ethereum_types::U256; -use itertools::Itertools; -use num::{BigUint, One, Zero}; -use num_bigint::RandBigInt; -use plonky2_util::ceil_div_usize; -use rand::Rng; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::util::{biguint_to_mem_vec, mem_vec_to_biguint}; - -const BIGNUM_LIMB_BITS: usize = 128; -const MINUS_ONE: U256 = U256::MAX; - -const TEST_DATA_BIGNUM_INPUTS: &str = "bignum_inputs"; -const TEST_DATA_U128_INPUTS: &str = "u128_inputs"; - -const TEST_DATA_SHR_OUTPUTS: &str = "shr_outputs"; -const TEST_DATA_ISZERO_OUTPUTS: &str = "iszero_outputs"; -const TEST_DATA_CMP_OUTPUTS: &str = "cmp_outputs"; -const TEST_DATA_ADD_OUTPUTS: &str = "add_outputs"; -const TEST_DATA_ADDMUL_OUTPUTS: &str = "addmul_outputs"; -const TEST_DATA_MUL_OUTPUTS: &str = "mul_outputs"; -const TEST_DATA_MODMUL_OUTPUTS: &str = "modmul_outputs"; -const TEST_DATA_MODEXP_OUTPUTS: &str = "modexp_outputs"; -const TEST_DATA_MODEXP_OUTPUTS_FULL: &str = "modexp_outputs_full"; - -const BIT_SIZES_TO_TEST: [usize; 15] = [ - 0, 1, 2, 127, 128, 129, 255, 256, 257, 512, 1000, 1023, 1024, 1025, 31415, -]; - -fn full_path(filename: &str) -> PathBuf { - let mut path = PathBuf::from(env!("CARGO_MANIFEST_DIR")); - path.push("src/cpu/kernel/tests/bignum/test_data"); - path.push(filename); - path -} - -fn test_data_biguint(filename: &str) -> Vec { - let file = File::open(full_path(filename)).unwrap(); - let lines = BufReader::new(file).lines(); - lines - .map(|line| BigUint::parse_bytes(line.unwrap().as_bytes(), 10).unwrap()) - .collect() -} - -fn test_data_u128(filename: &str) -> Vec { - let file = File::open(full_path(filename)).unwrap(); - let lines = BufReader::new(file).lines(); - lines - .map(|line| line.unwrap().parse::().unwrap()) - .collect() -} - -fn test_data_u256(filename: &str) -> Vec { - let file = File::open(full_path(filename)).unwrap(); - let lines = BufReader::new(file).lines(); - lines - .map(|line| U256::from_dec_str(&line.unwrap()).unwrap()) - .collect() -} - -// Convert each biguint to a vector of bignum limbs, pad to the given length, and concatenate. -fn pad_bignums(biguints: &[BigUint], length: usize) -> Vec { - biguints - .iter() - .flat_map(|biguint| { - biguint_to_mem_vec(biguint.clone()) - .into_iter() - .pad_using(length, |_| U256::zero()) - }) - .collect() -} - -fn gen_bignum(bit_size: usize) -> BigUint { - let mut rng = rand::thread_rng(); - rng.gen_biguint(bit_size as u64) -} - -fn max_bignum(bit_size: usize) -> BigUint { - (BigUint::one() << bit_size) - BigUint::one() -} - -fn bignum_len(a: &BigUint) -> usize { - ceil_div_usize(a.bits() as usize, BIGNUM_LIMB_BITS) -} - -fn run_test(fn_label: &str, memory: Vec, stack: Vec) -> Result<(Vec, Vec)> { - let fn_label = KERNEL.global_labels[fn_label]; - let retdest = 0xDEADBEEFu32.into(); - - let mut initial_stack: Vec = stack; - initial_stack.push(retdest); - initial_stack.reverse(); - - let mut interpreter = Interpreter::new_with_kernel(fn_label, initial_stack); - interpreter.set_current_general_memory(memory); - interpreter.run()?; - - let new_memory = interpreter.get_current_general_memory(); - - Ok((new_memory, interpreter.stack().to_vec())) -} - -fn test_shr_bignum(input: BigUint, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&input); - let memory = biguint_to_mem_vec(input); - - let input_start_loc = 0; - let (new_memory, _new_stack) = run_test( - "shr_bignum", - memory, - vec![len.into(), input_start_loc.into()], - )?; - - let output = mem_vec_to_biguint(&new_memory[input_start_loc..input_start_loc + len]); - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_iszero_bignum(input: BigUint, expected_output: U256) -> Result<()> { - let len = bignum_len(&input); - let memory = biguint_to_mem_vec(input); - - let input_start_loc = 0; - let (_new_memory, new_stack) = run_test( - "iszero_bignum", - memory, - vec![len.into(), input_start_loc.into()], - )?; - - let output = new_stack[0]; - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_cmp_bignum(a: BigUint, b: BigUint, expected_output: U256) -> Result<()> { - let len = bignum_len(&a).max(bignum_len(&b)); - let memory = pad_bignums(&[a, b], len); - - let a_start_loc = 0; - let b_start_loc = len; - let (_new_memory, new_stack) = run_test( - "cmp_bignum", - memory, - vec![len.into(), a_start_loc.into(), b_start_loc.into()], - )?; - - let output = new_stack[0]; - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_add_bignum(a: BigUint, b: BigUint, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&a).max(bignum_len(&b)); - let memory = pad_bignums(&[a, b], len); - - let a_start_loc = 0; - let b_start_loc = len; - let (mut new_memory, new_stack) = run_test( - "add_bignum", - memory, - vec![len.into(), a_start_loc.into(), b_start_loc.into()], - )?; - - // Determine actual sum, appending the final carry if nonzero. - let carry_limb = new_stack[0]; - if carry_limb > 0.into() { - new_memory[len] = carry_limb; - } - - let expected_output = biguint_to_mem_vec(expected_output); - let output = &new_memory[a_start_loc..a_start_loc + expected_output.len()]; - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_addmul_bignum(a: BigUint, b: BigUint, c: u128, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&a).max(bignum_len(&b)); - let mut memory = pad_bignums(&[a, b], len); - memory.splice(len..len, [0.into(); 2].iter().cloned()); - - let a_start_loc = 0; - let b_start_loc = len + 2; - let (mut new_memory, new_stack) = run_test( - "addmul_bignum", - memory, - vec![len.into(), a_start_loc.into(), b_start_loc.into(), c.into()], - )?; - - // Determine actual sum, appending the final carry if nonzero. - let carry_limb = new_stack[0]; - if carry_limb > 0.into() { - new_memory[len] = carry_limb; - } - - let expected_output = biguint_to_mem_vec(expected_output); - let output = &new_memory[a_start_loc..a_start_loc + expected_output.len()]; - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_mul_bignum(a: BigUint, b: BigUint, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&a).max(bignum_len(&b)); - let output_len = len * 2; - let memory = pad_bignums(&[a, b], len); - - let a_start_loc = 0; - let b_start_loc = len; - let output_start_loc = 2 * len; - let (new_memory, _new_stack) = run_test( - "mul_bignum", - memory, - vec![ - len.into(), - a_start_loc.into(), - b_start_loc.into(), - output_start_loc.into(), - ], - )?; - - let output = mem_vec_to_biguint(&new_memory[output_start_loc..output_start_loc + output_len]); - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_modmul_bignum(a: BigUint, b: BigUint, m: BigUint, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&a).max(bignum_len(&b)).max(bignum_len(&m)); - let output_len = len; - let memory = pad_bignums(&[a, b, m], len); - - let a_start_loc = 0; - let b_start_loc = len; - let m_start_loc = 2 * len; - let output_start_loc = 3 * len; - let scratch_1 = 4 * len; // size 2*len - let scratch_2 = 6 * len; // size 2*len - let scratch_3 = 8 * len; // size 2*len - let (new_memory, _new_stack) = run_test( - "modmul_bignum", - memory, - vec![ - len.into(), - a_start_loc.into(), - b_start_loc.into(), - m_start_loc.into(), - output_start_loc.into(), - scratch_1.into(), - scratch_2.into(), - scratch_3.into(), - ], - )?; - - let output = mem_vec_to_biguint(&new_memory[output_start_loc..output_start_loc + output_len]); - assert_eq!(output, expected_output); - - Ok(()) -} - -fn test_modexp_bignum(b: BigUint, e: BigUint, m: BigUint, expected_output: BigUint) -> Result<()> { - let len = bignum_len(&b).max(bignum_len(&e)).max(bignum_len(&m)); - let output_len = len; - let memory = pad_bignums(&[b, e, m], len); - - let b_start_loc = 0; - let e_start_loc = len; - let m_start_loc = 2 * len; - let output_start_loc = 3 * len; - let scratch_1 = 4 * len; - let scratch_2 = 5 * len; // size 2*len - let scratch_3 = 7 * len; // size 2*len - let scratch_4 = 9 * len; // size 2*len - let scratch_5 = 11 * len; // size 2*len - let (mut new_memory, _new_stack) = run_test( - "modexp_bignum", - memory, - vec![ - len.into(), - b_start_loc.into(), - e_start_loc.into(), - m_start_loc.into(), - output_start_loc.into(), - scratch_1.into(), - scratch_2.into(), - scratch_3.into(), - scratch_4.into(), - scratch_5.into(), - ], - )?; - new_memory.resize( - new_memory.len().max(output_start_loc + output_len), - 0.into(), - ); - - let output = mem_vec_to_biguint(&new_memory[output_start_loc..output_start_loc + output_len]); - assert_eq!(output, expected_output); - - Ok(()) -} - -#[test] -fn test_shr_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let input = gen_bignum(bit_size); - let output = input.clone() >> 1; - test_shr_bignum(input, output)?; - - let input = max_bignum(bit_size); - let output = input.clone() >> 1; - test_shr_bignum(input, output)?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let shr_outputs = test_data_biguint(TEST_DATA_SHR_OUTPUTS); - for (input, output) in inputs.iter().zip(shr_outputs.iter()) { - test_shr_bignum(input.clone(), output.clone())?; - } - - Ok(()) -} - -#[test] -fn test_iszero_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let input = gen_bignum(bit_size); - let output = input.is_zero() as u8; - test_iszero_bignum(input, output.into())?; - - let input = max_bignum(bit_size); - let output = bit_size.is_zero() as u8; - test_iszero_bignum(input, output.into())?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let iszero_outputs = test_data_u256(TEST_DATA_ISZERO_OUTPUTS); - let mut iszero_outputs_iter = iszero_outputs.iter(); - for input in inputs { - let output = iszero_outputs_iter.next().unwrap(); - test_iszero_bignum(input.clone(), *output)?; - } - - Ok(()) -} - -#[test] -fn test_cmp_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let a = gen_bignum(bit_size); - let b = gen_bignum(bit_size); - let output = match a.cmp(&b) { - Ordering::Less => MINUS_ONE, - Ordering::Equal => 0.into(), - Ordering::Greater => 1.into(), - }; - test_cmp_bignum(a, b, output)?; - - let a = max_bignum(bit_size); - let b = max_bignum(bit_size); - let output = 0.into(); - test_cmp_bignum(a, b, output)?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let cmp_outputs = test_data_u256(TEST_DATA_CMP_OUTPUTS); - let mut cmp_outputs_iter = cmp_outputs.iter(); - for a in &inputs { - for b in &inputs { - let output = cmp_outputs_iter.next().unwrap(); - test_cmp_bignum(a.clone(), b.clone(), *output)?; - } - } - - Ok(()) -} - -#[test] -fn test_add_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let a = gen_bignum(bit_size); - let b = gen_bignum(bit_size); - let output = a.clone() + b.clone(); - test_add_bignum(a, b, output)?; - - let a = max_bignum(bit_size); - let b = max_bignum(bit_size); - let output = a.clone() + b.clone(); - test_add_bignum(a, b, output)?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let add_outputs = test_data_biguint(TEST_DATA_ADD_OUTPUTS); - let mut add_outputs_iter = add_outputs.iter(); - for a in &inputs { - for b in &inputs { - let output = add_outputs_iter.next().unwrap(); - test_add_bignum(a.clone(), b.clone(), output.clone())?; - } - } - - Ok(()) -} - -#[test] -fn test_addmul_bignum_all() -> Result<()> { - let mut rng = rand::thread_rng(); - - for bit_size in BIT_SIZES_TO_TEST { - let a = gen_bignum(bit_size); - let b = gen_bignum(bit_size); - let c: u128 = rng.gen(); - let output = a.clone() + b.clone() * c; - test_addmul_bignum(a, b, c, output)?; - - let a = max_bignum(bit_size); - let b = max_bignum(bit_size); - let c: u128 = rng.gen(); - let output = a.clone() + b.clone() * c; - test_addmul_bignum(a, b, c, output)?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let u128_inputs = test_data_u128(TEST_DATA_U128_INPUTS); - let addmul_outputs = test_data_biguint(TEST_DATA_ADDMUL_OUTPUTS); - let mut addmul_outputs_iter = addmul_outputs.iter(); - for a in &inputs { - for b in &inputs { - for c in &u128_inputs { - let output = addmul_outputs_iter.next().unwrap(); - test_addmul_bignum(a.clone(), b.clone(), *c, output.clone())?; - } - } - } - - Ok(()) -} - -#[test] -fn test_mul_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let a = gen_bignum(bit_size); - let b = gen_bignum(bit_size); - let output = a.clone() * b.clone(); - test_mul_bignum(a, b, output)?; - - let a = max_bignum(bit_size); - let b = max_bignum(bit_size); - let output = a.clone() * b.clone(); - test_mul_bignum(a, b, output)?; - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let mul_outputs = test_data_biguint(TEST_DATA_MUL_OUTPUTS); - let mut mul_outputs_iter = mul_outputs.iter(); - for a in &inputs { - for b in &inputs { - let output = mul_outputs_iter.next().unwrap(); - test_mul_bignum(a.clone(), b.clone(), output.clone())?; - } - } - - Ok(()) -} - -#[test] -fn test_modmul_bignum_all() -> Result<()> { - for bit_size in BIT_SIZES_TO_TEST { - let a = gen_bignum(bit_size); - let b = gen_bignum(bit_size); - let m = gen_bignum(bit_size); - if !m.is_zero() { - let output = &a * &b % &m; - test_modmul_bignum(a, b, m, output)?; - } - - let a = max_bignum(bit_size); - let b = max_bignum(bit_size); - let m = max_bignum(bit_size); - if !m.is_zero() { - let output = &a * &b % &m; - test_modmul_bignum(a, b, m, output)?; - } - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let modmul_outputs = test_data_biguint(TEST_DATA_MODMUL_OUTPUTS); - let mut modmul_outputs_iter = modmul_outputs.into_iter(); - for a in &inputs { - for b in &inputs { - // For m, skip the first input, which is zero. - for m in &inputs[1..] { - let output = modmul_outputs_iter.next().unwrap(); - test_modmul_bignum(a.clone(), b.clone(), m.clone(), output)?; - } - } - } - - Ok(()) -} - -#[test] -fn test_modexp_bignum_all() -> Result<()> { - let exp_bit_sizes = vec![2, 9, 11, 16]; - - for bit_size in &BIT_SIZES_TO_TEST[3..7] { - for exp_bit_size in &exp_bit_sizes { - let b = gen_bignum(*bit_size); - let e = gen_bignum(*exp_bit_size); - let m = gen_bignum(*bit_size); - if !m.is_zero() { - let output = b.clone().modpow(&e, &m); - test_modexp_bignum(b, e, m, output)?; - } - - let b = max_bignum(*bit_size); - let e = max_bignum(*exp_bit_size); - let m = max_bignum(*bit_size); - if !m.is_zero() { - let output = b.modpow(&e, &m); - test_modexp_bignum(b, e, m, output)?; - } - } - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let modexp_outputs = test_data_biguint(TEST_DATA_MODEXP_OUTPUTS); - let mut modexp_outputs_iter = modexp_outputs.into_iter(); - for b in &inputs[..9] { - // Include only smaller exponents, to keep tests from becoming too slow. - for e in &inputs[..6] { - for m in &inputs[..9] { - let output = modexp_outputs_iter.next().unwrap(); - test_modexp_bignum(b.clone(), e.clone(), m.clone(), output)?; - } - } - } - - Ok(()) -} - -#[test] -#[ignore] // Too slow to run on CI. -fn test_modexp_bignum_all_full() -> Result<()> { - // Only test smaller values for exponent. - let exp_bit_sizes = vec![2, 100, 127, 128, 129]; - - for bit_size in &BIT_SIZES_TO_TEST[3..14] { - for exp_bit_size in &exp_bit_sizes { - let b = gen_bignum(*bit_size); - let e = gen_bignum(*exp_bit_size); - let m = gen_bignum(*bit_size); - if !m.is_zero() { - let output = b.clone().modpow(&e, &m); - test_modexp_bignum(b, e, m, output)?; - } - - let b = max_bignum(*bit_size); - let e = max_bignum(*exp_bit_size); - let m = max_bignum(*bit_size); - if !m.is_zero() { - let output = b.modpow(&e, &m); - test_modexp_bignum(b, e, m, output)?; - } - } - } - - let inputs = test_data_biguint(TEST_DATA_BIGNUM_INPUTS); - let modexp_outputs = test_data_biguint(TEST_DATA_MODEXP_OUTPUTS_FULL); - let mut modexp_outputs_iter = modexp_outputs.into_iter(); - for b in &inputs { - // Include only smaller exponents, to keep tests from becoming too slow. - for e in &inputs[..7] { - for m in &inputs { - let output = modexp_outputs_iter.next().unwrap(); - test_modexp_bignum(b.clone(), e.clone(), m.clone(), output)?; - } - } - } - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/add_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/add_outputs deleted file mode 100644 index 36ebe0497c..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/add_outputs +++ /dev/null @@ -1,225 +0,0 @@ -0 -1 -21 -908 -1267650597867046177654064545792 -340282366920938463463374607431768211455 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -1 -2 -22 -909 -1267650597867046177654064545793 -340282366920938463463374607431768211456 -57896044618658097611351864738157061705262361561497619362091104892532012613633 -115792089237105570840234253759177109864155645142784332660520492325483608801281 -231583736816786089484927226016147767929578972263620494977377884571370600267776 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049793 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348288 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780160 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103233 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369217 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046272 -21 -22 -42 -929 -1267650597867046177654064545813 -340282366920938463463374607431768211476 -57896044618658097611351864738157061705262361561497619362091104892532012613653 -115792089237105570840234253759177109864155645142784332660520492325483608801301 -231583736816786089484927226016147767929578972263620494977377884571370600267796 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049813 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348308 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780180 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103253 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369237 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046292 -908 -909 -929 -1816 -1267650597867046177654064546700 -340282366920938463463374607431768212363 -57896044618658097611351864738157061705262361561497619362091104892532012614540 -115792089237105570840234253759177109864155645142784332660520492325483608802188 -231583736816786089484927226016147767929578972263620494977377884571370600268683 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050700 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486349195 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690781067 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387104140 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375370124 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957047179 -1267650597867046177654064545792 -1267650597867046177654064545793 -1267650597867046177654064545813 -1267650597867046177654064546700 -2535301195734092355308129091584 -340282368188589061330420785085832757247 -57896044618658097611351864738157061705262361562765269959958151070186077159424 -115792089237105570840234253759177109864155645144051983258387538503137673347072 -231583736816786089484927226016147767929578972264888145575244930749024664813567 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725447442614227457227324739062595584 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851379715837692741036504647550894079 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756017613817472060411970538755325951 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459868939503685406252196573451649024 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059367521063656309566056683439915008 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571754105966758923615108084021592063 -340282366920938463463374607431768211455 -340282366920938463463374607431768211456 -340282366920938463463374607431768211476 -340282366920938463463374607431768212363 -340282368188589061330420785085832757247 -680564733841876926926749214863536422910 -57896044618658097611351864738157061705602643928418557825554479499963780825087 -115792089237105570840234253759177109864495927509705271123983866932915377012735 -231583736816786089484927226016147767929919254630541433440841259178802368479230 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656433007813095902093053555754516766261247 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352969133745369125558337364934425254559742 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107569038383267105337656740400316458991614 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244438742234592791551002580626351155314687 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359572341733174351521905894486461143580671 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998595854119759254624519943537861725257726 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613633 -57896044618658097611351864738157061705262361561497619362091104892532012613653 -57896044618658097611351864738157061705262361561497619362091104892532012614540 -57896044618658097611351864738157061705262361562765269959958151070186077159424 -57896044618658097611351864738157061705602643928418557825554479499963780825087 -115792089237316195222703729476314123410524723122995238724182209785064025227264 -173688133855763668451586118497334171569418006704281952022611597218015621414912 -289479781435444187096279090754304829634841333825118114339468989463902612881407 -3273390607896141870013189696827599152216642046043064789482248405676250539586401155309462588318799202567027652361355087007672582991681286039617010663424 -5027927973729236057982426364448826617555638513633071601633370220421967636306804394074875752581912318823441521134057891212939945806456965095219525498961919 -13407807929942597099574024997867385471458758537929012740010782671329620832395892888572752773084019014537559577489812491117577843786236284470685416703393791 -26815615859885194199148049995734770942917517075858043397979502765092926124329972428655111861232797616170839264946949360821429169472449630310911451399716864 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356940333001073316904952470628102164776064494420927751032420533624771561387982848 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463796730242309831072892700701204289449703517933314335935523147673822961969659903 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801281 -115792089237105570840234253759177109864155645142784332660520492325483608801301 -115792089237105570840234253759177109864155645142784332660520492325483608802188 -115792089237105570840234253759177109864155645144051983258387538503137673347072 -115792089237105570840234253759177109864495927509705271123983866932915377012735 -173688133855763668451586118497334171569418006704281952022611597218015621414912 -231584178474211141680468507518354219728311290285568665321040984650967217602560 -347375826053891660325161479775324877793734617406404827637898376896854209069055 -3273390607896141870013189696827599152216642046043064789482248405676250539644297199927910061547681591588047700520248370588959296290110673472568606851072 -5027927973729236057982426364448826617555638513633071601633370220421967636306862290119494200055141201212462541182216784496521232519755394482652477095149567 -13407807929942597099574024997867385471458758537929012740010782671329620832395950784617371220557247896926580597537971384401159130499534713858118368299581439 -26815615859885194199148049995734770942917517075858043397979502765092926124330030324699730308706026498559860284995108254105010456185748059698344402995904512 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356998229045691764378181353017123184824223387704509037745718963012204512984170496 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463854626286928278546121583090225309497862411216895622648821577061255913565847551 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267776 -231583736816786089484927226016147767929578972263620494977377884571370600267796 -231583736816786089484927226016147767929578972263620494977377884571370600268683 -231583736816786089484927226016147767929578972264888145575244930749024664813567 -231583736816786089484927226016147767929919254630541433440841259178802368479230 -289479781435444187096279090754304829634841333825118114339468989463902612881407 -347375826053891660325161479775324877793734617406404827637898376896854209069055 -463167473633572178969854452032295535859157944527240989954755769142741200535550 -3273390607896141870013189696827599152216642046043064789482248405676250539760088847507590580192374563845018358585671697709795458606968065718455598317567 -5027927973729236057982426364448826617555638513633071601633370220421967636306978081767073880573785894184719511840282207823642068682072251874898364086616062 -13407807929942597099574024997867385471458758537929012740010782671329620832396066576264950901075892589898837568196036807728279966661851571250364255291047934 -26815615859885194199148049995734770942917517075858043397979502765092926124330146116347309989224671191532117255653173677432131292348064917090590289987371007 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322357114020693271444896826045989380155482288811031629873908035820404450399975636991 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463970417934507959064766276062482280155927834544016458811138434453501800557314046 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049793 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049813 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050700 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725447442614227457227324739062595584 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656433007813095902093053555754516766261247 -3273390607896141870013189696827599152216642046043064789482248405676250539586401155309462588318799202567027652361355087007672582991681286039617010663424 -3273390607896141870013189696827599152216642046043064789482248405676250539644297199927910061547681591588047700520248370588959296290110673472568606851072 -3273390607896141870013189696827599152216642046043064789482248405676250539760088847507590580192374563845018358585671697709795458606968065718455598317567 -6546781215792283740026379393655198304433284092086129578964496811352501079057010221381608981414894675657741181312185450892349927259180362294169996099584 -5031201364337132199852439554145654216707855155679114666422852468827643886846275003140947898975008414296532234663008721576824623150724464171474078484398079 -13411081320550493241444038187564213070610975179975055804800264919735297082935363497638824919477115110010650291018763321481462521130503783546939969688829951 -26818889250493090341018063185431598542069733717904086462768985013498602374869443037721184007625893711643929978475900191185313846816717129387166004385153024 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094859873731529946340457125253265606438475403785866280608383688705623749572896410942067145463298048566101192878305015324784812428376688032701026114373419008 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988312365191525626829590504228669795829923743060941349315981180118158171906003267339308381977465988796174295002978654348297199013279790646750077514955096063 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348288 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348308 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486349195 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851379715837692741036504647550894079 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352969133745369125558337364934425254559742 -5027927973729236057982426364448826617555638513633071601633370220421967636306804394074875752581912318823441521134057891212939945806456965095219525498961919 -5027927973729236057982426364448826617555638513633071601633370220421967636306862290119494200055141201212462541182216784496521232519755394482652477095149567 -5027927973729236057982426364448826617555638513633071601633370220421967636306978081767073880573785894184719511840282207823642068682072251874898364086616062 -5031201364337132199852439554145654216707855155679114666422852468827643886846275003140947898975008414296532234663008721576824623150724464171474078484398079 -10055855947458472115964852728897653235111277027266143203266740440843935272613492996060514188968601933917406728144705257702756896374189747980653986972696574 -18435735903671833157556451362316212089014397051562084341644152891751588468702581490558391209470708629631524784500459857607394794353969067356119878177128446 -31843543833614430257130476360183597560473155589491114999612872985514893760636661030640750297619487231264804471957596727311246120040182413196345912873451519 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604099884528314651286256569538428017605456878825657453309145227576677640040958663628934986711753291642085722067371786711860910744701600153316510206022861717503 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060993337019774646966745702917403421794848327164932528377852825068090174463291770485332227948267459582315795169496460350884423131286503255930559257423443394558 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780160 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780180 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690781067 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756017613817472060411970538755325951 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107569038383267105337656740400316458991614 -13407807929942597099574024997867385471458758537929012740010782671329620832395892888572752773084019014537559577489812491117577843786236284470685416703393791 -13407807929942597099574024997867385471458758537929012740010782671329620832395950784617371220557247896926580597537971384401159130499534713858118368299581439 -13407807929942597099574024997867385471458758537929012740010782671329620832396066576264950901075892589898837568196036807728279966661851571250364255291047934 -13411081320550493241444038187564213070610975179975055804800264919735297082935363497638824919477115110010650291018763321481462521130503783546939969688829951 -18435735903671833157556451362316212089014397051562084341644152891751588468702581490558391209470708629631524784500459857607394794353969067356119878177128446 -26815615859885194199148049995734770942917517075858025480021565342659241664791669985056268229972815325345642840856214457512032692333748386731585769381560318 -40223423789827791298722074993602156414376275613787056137990285436422546956725749525138627318121593926978922528313351327215884018019961732571811804077883391 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604108264408270864647298161137061436164310781945681749250283604989128547694154752717429484588773793748781436185428142466460815382599579932635885671914066149375 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061001716899730860327787294516036840353702230284956824318991202480541082116487859573826725825287961689011509287552816105484327769184483035249934723314647826430 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103233 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103253 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387104140 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459868939503685406252196573451649024 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244438742234592791551002580626351155314687 -26815615859885194199148049995734770942917517075858043397979502765092926124329972428655111861232797616170839264946949360821429169472449630310911451399716864 -26815615859885194199148049995734770942917517075858043397979502765092926124330030324699730308706026498559860284995108254105010456185748059698344402995904512 -26815615859885194199148049995734770942917517075858043397979502765092926124330146116347309989224671191532117255653173677432131292348064917090590289987371007 -26818889250493090341018063185431598542069733717904086462768985013498602374869443037721184007625893711643929978475900191185313846816717129387166004385153024 -31843543833614430257130476360183597560473155589491114999612872985514893760636661030640750297619487231264804471957596727311246120040182413196345912873451519 -40223423789827791298722074993602156414376275613787056137990285436422546956725749525138627318121593926978922528313351327215884018019961732571811804077883391 -53631231719770388398296099991469541885835034151716086795959005530185852248659829065220986406270372528612202215770488196919735343706175078412037838774206464 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604121672216200807244397735162059303549782240704219678280941573709222310999446686796969566947861942527383069465115599603330519233925266145981725897948762472448 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061015124707660802924886868541034707739173689043494753349649171200634845421779793653366808184376110467613142567240273242354031620510169248595774949349344149503 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369217 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369237 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375370124 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059367521063656309566056683439915008 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359572341733174351521905894486461143580671 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356940333001073316904952470628102164776064494420927751032420533624771561387982848 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356998229045691764378181353017123184824223387704509037745718963012204512984170496 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322357114020693271444896826045989380155482288811031629873908035820404450399975636991 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094859873731529946340457125253265606438475403785866280608383688705623749572896410942067145463298048566101192878305015324784812428376688032701026114373419008 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604099884528314651286256569538428017605456878825657453309145227576677640040958663628934986711753291642085722067371786711860910744701600153316510206022861717503 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604108264408270864647298161137061436164310781945681749250283604989128547694154752717429484588773793748781436185428142466460815382599579932635885671914066149375 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604121672216200807244397735162059303549782240704219678280941573709222310999446686796969566947861942527383069465115599603330519233925266145981725897948762472448 -21430172143725344039741447416747135734328099194269775938858685112579378184657786065906763159178676625205218492566825428477050725853377832065983208189713200681844100397174224127137557678646374287640475087188412914436146644713764873912909317614682237526728015428718464118732506826116885039758058750738432 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824629198276151174244463087285660418287344529756165187857520911105123842660034918703411836307538943107430287596439419222071804002615797677806638572665083165692141839780886307603102541747070094713562715543794785904326970568977820621271154145831782622467599830140102357487631119091729219499088809459332415487 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046272 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046292 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957047179 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571754105966758923615108084021592063 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998595854119759254624519943537861725257726 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463796730242309831072892700701204289449703517933314335935523147673822961969659903 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463854626286928278546121583090225309497862411216895622648821577061255913565847551 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463970417934507959064766276062482280155927834544016458811138434453501800557314046 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988312365191525626829590504228669795829923743060941349315981180118158171906003267339308381977465988796174295002978654348297199013279790646750077514955096063 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060993337019774646966745702917403421794848327164932528377852825068090174463291770485332227948267459582315795169496460350884423131286503255930559257423443394558 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061001716899730860327787294516036840353702230284956824318991202480541082116487859573826725825287961689011509287552816105484327769184483035249934723314647826430 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061015124707660802924886868541034707739173689043494753349649171200634845421779793653366808184376110467613142567240273242354031620510169248595774949349344149503 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824629198276151174244463087285660418287344529756165187857520911105123842660034918703411836307538943107430287596439419222071804002615797677806638572665083165692141839780886307603102541747070094713562715543794785904326970568977820621271154145831782622467599830140102357487631119091729219499088809459332415487 -70149324220868077495255175920561715987048031760661657648151596049581927701126644407314161773169938523306300574636470765864723972756401953860971729649236966380158623144886433123904089438954731413136105939102963525135105941885179620757765851918707538235369974386271618715130954505741977781211162121976618183601835461375440982077945936461543052837790612502383395739504991310927477668395382345950562697672932264775996511143505676632322113137860859914092542 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/addmul_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/addmul_outputs deleted file mode 100644 index 397c745168..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/addmul_outputs +++ /dev/null @@ -1,1350 +0,0 @@ -0 -0 -0 -0 -0 -0 -0 -1 -21 -908 -1267650597867046177654064545792 -340282366920938463463374607431768211455 -0 -21 -441 -19068 -26620662555207969730735355461632 -7145929705339707732730866756067132440555 -0 -908 -19068 -824464 -1151026742863277929309890607579136 -308976389164212124824744143548045536001140 -0 -1267650597867046177654064545792 -26620662555207969730735355461632 -1151026742863277929309890607579136 -1606938038272679619211255036084048932956190504430095264907264 -431359145870941220571487096504865044588697904564591140391738786447360 -0 -340282366920938463463374607431768211455 -7145929705339707732730866756067132440555 -308976389164212124824744143548045536001140 -431359145870941220571487096504865044588697904564591140391738786447360 -115792089237316195423570985008687907852589419931798687112530834793049593217025 -0 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -1215816936991820049838389159501298295810509592791450006603913202743172264886272 -52569608513741552631107493182246612028378224297839838380778723242419067453177856 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867436544 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591554560 -0 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -2431633873979216987644919328942719307147268547998470985870930338835155784826880 -105139217027291858322932702413332815756653325789648174055752607031539116791562240 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788213760 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114662400 -0 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -4863258473152507879183471746339103126521158417536030394524935575998782605623275 -210278033029641769252313921222662173280057706815367409439459119190804505043139700 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949452800 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822362625 -0 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959045632 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229211136 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280075264 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874767360 -0 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314027 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604244596 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372258304 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193027585 -0 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506383339 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228384372 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460540928 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030521345 -0 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129167872 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489734656 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695199744 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089922560 -0 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882753536 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835248128 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139072 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585569280 -0 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097971691 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014068 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542341632 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347234305 -1 -1 -1 -1 -1 -1 -1 -2 -22 -909 -1267650597867046177654064545793 -340282366920938463463374607431768211456 -1 -22 -442 -19069 -26620662555207969730735355461633 -7145929705339707732730866756067132440556 -1 -909 -19069 -824465 -1151026742863277929309890607579137 -308976389164212124824744143548045536001141 -1 -1267650597867046177654064545793 -26620662555207969730735355461633 -1151026742863277929309890607579137 -1606938038272679619211255036084048932956190504430095264907265 -431359145870941220571487096504865044588697904564591140391738786447361 -1 -340282366920938463463374607431768211456 -7145929705339707732730866756067132440556 -308976389164212124824744143548045536001141 -431359145870941220571487096504865044588697904564591140391738786447361 -115792089237316195423570985008687907852589419931798687112530834793049593217026 -1 -57896044618658097611351864738157061705262361561497619362091104892532012613633 -1215816936991820049838389159501298295810509592791450006603913202743172264886273 -52569608513741552631107493182246612028378224297839838380778723242419067453177857 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867436545 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591554561 -1 -115792089237105570840234253759177109864155645142784332660520492325483608801281 -2431633873979216987644919328942719307147268547998470985870930338835155784826881 -105139217027291858322932702413332815756653325789648174055752607031539116791562241 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788213761 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114662401 -1 -231583736816786089484927226016147767929578972263620494977377884571370600267776 -4863258473152507879183471746339103126521158417536030394524935575998782605623276 -210278033029641769252313921222662173280057706815367409439459119190804505043139701 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949452801 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822362626 -1 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049793 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959045633 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229211137 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280075265 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874767361 -1 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348288 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314028 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604244597 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372258305 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193027586 -1 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780160 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506383340 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228384373 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460540929 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030521346 -1 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103233 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129167873 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489734657 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695199745 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089922561 -1 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369217 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882753537 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835248129 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139073 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585569281 -1 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046272 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097971692 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014069 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542341633 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347234306 -21 -21 -21 -21 -21 -21 -21 -22 -42 -929 -1267650597867046177654064545813 -340282366920938463463374607431768211476 -21 -42 -462 -19089 -26620662555207969730735355461653 -7145929705339707732730866756067132440576 -21 -929 -19089 -824485 -1151026742863277929309890607579157 -308976389164212124824744143548045536001161 -21 -1267650597867046177654064545813 -26620662555207969730735355461653 -1151026742863277929309890607579157 -1606938038272679619211255036084048932956190504430095264907285 -431359145870941220571487096504865044588697904564591140391738786447381 -21 -340282366920938463463374607431768211476 -7145929705339707732730866756067132440576 -308976389164212124824744143548045536001161 -431359145870941220571487096504865044588697904564591140391738786447381 -115792089237316195423570985008687907852589419931798687112530834793049593217046 -21 -57896044618658097611351864738157061705262361561497619362091104892532012613653 -1215816936991820049838389159501298295810509592791450006603913202743172264886293 -52569608513741552631107493182246612028378224297839838380778723242419067453177877 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867436565 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591554581 -21 -115792089237105570840234253759177109864155645142784332660520492325483608801301 -2431633873979216987644919328942719307147268547998470985870930338835155784826901 -105139217027291858322932702413332815756653325789648174055752607031539116791562261 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788213781 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114662421 -21 -231583736816786089484927226016147767929578972263620494977377884571370600267796 -4863258473152507879183471746339103126521158417536030394524935575998782605623296 -210278033029641769252313921222662173280057706815367409439459119190804505043139721 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949452821 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822362646 -21 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049813 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959045653 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229211157 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280075285 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874767381 -21 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348308 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314048 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604244617 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372258325 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193027606 -21 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780180 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506383360 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228384393 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460540949 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030521366 -21 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103253 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129167893 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489734677 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695199765 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089922581 -21 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369237 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882753557 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835248149 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139093 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585569301 -21 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046292 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097971712 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014089 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542341653 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347234326 -908 -908 -908 -908 -908 -908 -908 -909 -929 -1816 -1267650597867046177654064546700 -340282366920938463463374607431768212363 -908 -929 -1349 -19976 -26620662555207969730735355462540 -7145929705339707732730866756067132441463 -908 -1816 -19976 -825372 -1151026742863277929309890607580044 -308976389164212124824744143548045536002048 -908 -1267650597867046177654064546700 -26620662555207969730735355462540 -1151026742863277929309890607580044 -1606938038272679619211255036084048932956190504430095264908172 -431359145870941220571487096504865044588697904564591140391738786448268 -908 -340282366920938463463374607431768212363 -7145929705339707732730866756067132441463 -308976389164212124824744143548045536002048 -431359145870941220571487096504865044588697904564591140391738786448268 -115792089237316195423570985008687907852589419931798687112530834793049593217933 -908 -57896044618658097611351864738157061705262361561497619362091104892532012614540 -1215816936991820049838389159501298295810509592791450006603913202743172264887180 -52569608513741552631107493182246612028378224297839838380778723242419067453178764 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867437452 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591555468 -908 -115792089237105570840234253759177109864155645142784332660520492325483608802188 -2431633873979216987644919328942719307147268547998470985870930338835155784827788 -105139217027291858322932702413332815756653325789648174055752607031539116791563148 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788214668 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114663308 -908 -231583736816786089484927226016147767929578972263620494977377884571370600268683 -4863258473152507879183471746339103126521158417536030394524935575998782605624183 -210278033029641769252313921222662173280057706815367409439459119190804505043140608 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949453708 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822363533 -908 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050700 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959046540 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229212044 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280076172 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874768268 -908 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486349195 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314935 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604245504 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372259212 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193028493 -908 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690781067 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506384247 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228385280 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460541836 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030522253 -908 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387104140 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129168780 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489735564 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695200652 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089923468 -908 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375370124 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882754444 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835249036 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139980 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585570188 -908 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957047179 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097972599 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014976 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542342540 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347235213 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545793 -1267650597867046177654064545813 -1267650597867046177654064546700 -2535301195734092355308129091584 -340282368188589061330420785085832757247 -1267650597867046177654064545792 -1267650597867046177654064545813 -1267650597867046177654064546233 -1267650597867046177654064564860 -27888313153075015908389420007424 -7145929706607358330597912933721196986347 -1267650597867046177654064545792 -1267650597867046177654064546700 -1267650597867046177654064564860 -1267650597867046177654065370256 -1152294393461144975487544672124928 -308976389165479775422611189725699600546932 -1267650597867046177654064545792 -2535301195734092355308129091584 -27888313153075015908389420007424 -1152294393461144975487544672124928 -1606938038272679619211255036085316583554057550607749329453056 -431359145870941220571487096504865044589965555162458186569392850993152 -1267650597867046177654064545792 -340282368188589061330420785085832757247 -7145929706607358330597912933721196986347 -308976389165479775422611189725699600546932 -431359145870941220571487096504865044589965555162458186569392850993152 -115792089237316195423570985008687907852589419933066337710397880970703657762817 -1267650597867046177654064545792 -57896044618658097611351864738157061705262361562765269959958151070186077159424 -1215816936991820049838389159501298295810509592792717657201780248920826329432064 -52569608513741552631107493182246612028378224297841106031376590288596721517723648 -73391955574979118963811141843059488536193514605218060347731553038824318137414703480524650533996482931982336 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218991387546187984961321042656100352 -1267650597867046177654064545792 -115792089237105570840234253759177109864155645144051983258387538503137673347072 -2431633873979216987644919328942719307147268547999738636468797385012809849372672 -105139217027291858322932702413332815756653325789649441706350474077716770856108032 -146783911149691239803259475393272332038744581223672095908357420057841712239443883445246902170087870852759552 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608021501257222839633185216179208192 -1267650597867046177654064545792 -231583736816786089484927226016147767929578972264888145575244930749024664813567 -4863258473152507879183471746339103126521158417537298045122802622176436670169067 -210278033029641769252313921222662173280057706815368677090056986236982159107685492 -293567262432083559770702660509494961636846893913475830448684457955877331972489652261961673363397303013998592 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002657839837909325811189609886908417 -1267650597867046177654064545792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725447442614227457227324739062595584 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234370941886819260850266439023591424 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705128134626265751527730832293756928 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358031475992617627085616064344621056 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279643857395718351372742508939313152 -1267650597867046177654064545792 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851379715837692741036504647550894079 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878948679579590220843044517277859819 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051632221532743450263087739668790388 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384287907864820397100311543436804096 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193279543543761169002421491257573377 -1267650597867046177654064545792 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756017613817472060411970538755325951 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876344537154955927727828232570929131 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462843587172365443186116953292930164 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353122984901987710668875720525086720 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371205792537007967971890634095067137 -1267650597867046177654064545792 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459868939503685406252196573451649024 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657222376565436190372574961193713664 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559847310254083466111356457554280448 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286811140938899098474580114759745536 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655226896156634458137388928154468352 -1267650597867046177654064545792 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059367521063656309566056683439915008 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246692589324825159963637270947299328 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904559366707663675096336326899793920 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887523916172743842520101389403684864 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290551001100754863607308861876650115072 -1267650597867046177654064545792 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571754105966758923615108084021592063 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006810872289980054993716683162517483 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151578458724837231635008055062559860 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434952888523927958804883965606887424 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350095710449584237364695558411780097 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211456 -340282366920938463463374607431768211476 -340282366920938463463374607431768212363 -340282368188589061330420785085832757247 -680564733841876926926749214863536422910 -340282366920938463463374607431768211455 -340282366920938463463374607431768211476 -340282366920938463463374607431768211896 -340282366920938463463374607431768230523 -340282393541601018671344338167123673087 -7486212072260646196194241363498900652010 -340282366920938463463374607431768211455 -340282366920938463463374607431768212363 -340282366920938463463374607431768230523 -340282366920938463463374607431769035919 -340283517947681326741303917322375790591 -309316671531133063288207518155477304212595 -340282366920938463463374607431768211455 -340282368188589061330420785085832757247 -340282393541601018671344338167123673087 -340283517947681326741303917322375790591 -1606938038272679619211595318450969871419653879037527033118719 -431359145870941220571487096505205326955618843028054514999170554658815 -340282366920938463463374607431768211455 -680564733841876926926749214863536422910 -7486212072260646196194241363498900652010 -309316671531133063288207518155477304212595 -431359145870941220571487096505205326955618843028054514999170554658815 -115792089237316195423570985008687907852929702298719625575994209400481361428480 -340282366920938463463374607431768211455 -57896044618658097611351864738157061705602643928418557825554479499963780825087 -1215816936991820049838389159501298295810849875158370945067376577350604033097727 -52569608513741552631107493182246612028378564580206759319242186617026499221389311 -73391955574979118963811141843059488536193514605218060347731553038824658419780356768390246862426260635647999 -19701003098197239571963727475337245584161626291901231402719522479678259504891017501357040834053581289750820359766015 -340282366920938463463374607431768211455 -115792089237105570840234253759177109864495927509705271123983866932915377012735 -2431633873979216987644919328942719307147608830365391924334393713442587553038335 -105139217027291858322932702413332815756653666072015094994216070406146548559773695 -146783911149691239803259475393272332038744581223672095908357420057842052521809536733112498498517648556425215 -39402006196322807380529480735708200350692396090822410401547663254352517428720089890387154545088435961614993882873855 -340282366920938463463374607431768211455 -231583736816786089484927226016147767929919254630541433440841259178802368479230 -4863258473152507879183471746339103126521498699902951332988398950606214373834730 -210278033029641769252313921222662173280058047097734330377922582565411936811351155 -293567262432083559770702660509494961636846893913475830448684457955877672254855305549827269691827080717664255 -78803862104411649792976274791681038936454943300723566886694079153850261012036930285023493125774922139619387590574080 -340282366920938463463374607431768211455 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656433007813095902093053555754516766261247 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403778287516736595174684857178696216727257087 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732534987493787914131347856160609997422591 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978781640397129280483223414045842048286719 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608957562009510683583947701172286642978815 -340282366920938463463374607431768211455 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352969133745369125558337364934425254559742 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405546161314332867455817171474294981525482 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696187337333997874820609046591517517372456051 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976474666653561152685993428741321140469759 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655681475645196831626765330851268961239040 -340282366920938463463374607431768211455 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107569038383267105337656740400316458991614 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990252144158710190442821524056258010274594794 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721364050745209240460231039514546730996595827 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113336037635488638189853306997305498228752383 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955358653571445824873564300320411798732800 -340282366920938463463374607431768211455 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244438742234592791551002580626351155314687 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126407939588029853301786701004738897379327 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641741842212963541949062439786235257946111 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721540569176794226764694803009892463411199 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446968937592549444500054465818705858134015 -340282366920938463463374607431768211455 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359572341733174351521905894486461143580671 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001544213529058242612690756292067048650964991 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638183050186925019995529271424766104603459583 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051674078169889569460609438848531167107350527 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607630833366754042729203637291654353780735 -340282366920938463463374607431768211455 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998595854119759254624519943537861725257726 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963707289176525577845651322146460866183146 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416399433944112012702827963437832766225523 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846399717318541811793555133313743310553087 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989210281632461363737449833693125336115445760 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613633 -57896044618658097611351864738157061705262361561497619362091104892532012613653 -57896044618658097611351864738157061705262361561497619362091104892532012614540 -57896044618658097611351864738157061705262361562765269959958151070186077159424 -57896044618658097611351864738157061705602643928418557825554479499963780825087 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613653 -57896044618658097611351864738157061705262361561497619362091104892532012614073 -57896044618658097611351864738157061705262361561497619362091104892532012632700 -57896044618658097611351864738157061705262361588118281917299074623267368075264 -57896044618658097611351864738157061712408291266837327094821971648599145054187 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012614540 -57896044618658097611351864738157061705262361561497619362091104892532012632700 -57896044618658097611351864738157061705262361561497619362091104892532013438096 -57896044618658097611351864738157061705262362712524362225369034202422620192768 -57896044618658097611351864738157062014238750725709744186835248440577548614772 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361562765269959958151070186077159424 -57896044618658097611351864738157061705262361588118281917299074623267368075264 -57896044618658097611351864738157061705262362712524362225369034202422620192768 -57896044618658099218289903010836680916517397645546552318281609322627277520896 -57896045050017243482293085309644158210127406150195523926682245284270799060992 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705602643928418557825554479499963780825087 -57896044618658097611351864738157061712408291266837327094821971648599145054187 -57896044618658097611351864738157062014238750725709744186835248440577548614772 -57896045050017243482293085309644158210127406150195523926682245284270799060992 -173688133855974293034922849746844969557851781493296306474621939685581605830657 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -115792089237316195222703729476314123410524723122995238724182209785064025227264 -1273712981610478147449741024239455357515771954352947625966004307635704277499904 -52627504558360210728718845046984769090083486659401336000140814347311599465791488 -73391955574979118963811141843117384580812172702829412212469710100529580498974933449288874592711360880050176 -19701003098197239571963727475337245584219522336519889500330874344416416566595939580551617514952209020035920604168192 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -173688133855763668451586118497334171569418006704281952022611597218015621414912 -2489529918597875085256271193680876368852530909559968605233021443727687797440512 -105197113071910516420544054278070972818358588151209671675114698136431648804175872 -146783911149691239803259475393330228083363239321283447773095577119546974601004113414011126228802748800827392 -39402006196322807380529480735708200350750292135441068499159015119090674490425011969581731225987063691900094127276032 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -289479781435444187096279090754304829634841333825118114339468989463902612881407 -4921154517771165976794823611077260188226420779097528013887026680891314618236907 -210335929074260427349925273087400330341762969176928907058821210295697037055753332 -293567262432083559770702660509552857681465552011087182313422615017582594334049882230725897422112180962066432 -78803862104411649792976274791681038936512839345342224984305431018588418073741852364218069806673549869904487834976257 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -3273390607896141870013189696827599152216642046043064789482248405676250539586401155309462588318799202567027652361355087007672582991681286039617010663424 -68741202765818979270276983633379582196549482966904360579127216519201261330156503369125552402467745959144439465483209595931171855583484908981316971659264 -2972238671969696817971976244719460030212710977807102828849881552354035489891940536551869135659973534613352653377437457066688364595029975586445710241824768 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927942346384547376821709077533682106292683703719591705961381851144330942292688896 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678086476367041524431431063149363331436313879641204087364482575431457386887380992 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -5027927973729236057982426364448826617555638513633071601633370220421967636306804394074875752581912318823441521134057891212939945806456965095219525498961919 -105586487448313957217630953653425358968668408786294503634300774628861320362441734354680017642267931657997508802581110468240508909548354444901759395225927659 -4565358600146146340648043138919534568740519770378829014283100160143146613766525878107518060449842889350367392734757892259413192451501507674321802617616858228 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065320804077788940510139153902441161886681396745848137833584621159026421384871936 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295280603154120813299310555349107912285360603554839773512525393061136369205641217 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -13407807929942597099574024997867385471458758537929012740010782671329620832395892888572752773084019014537559577489812491117577843786236284470685416703393791 -281563966528794539091054524955215094900633929296509267540226436097922037480312592739135435072812172267993987986051957066237904767123720151786543110518996971 -12174289600387878166413214698063586008084552752439543567929790665567295715815418231111590395065755769058786587905783068972824403817141129667244831831240998004 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313671759942785296424671006468134461175040959714683214870751934727590598473154560 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382966030240714335998716952049937439856660280732766022505772192030605512043134977 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -26815615859885194199148049995734770942917517075858043397979502765092926124329972428655111861232797616170839264946949360821429169472449630310911451399716864 -563127933057589078182109049910430189801267858593018911357569558066951448610928263080864975923936522902292861422651831330018782606534200414431289839141781504 -24348579200775756332826429396127172016169105504879103405365388510704376920891562453506372447104846739341804544116863346663921407540222847690170071335502348288 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738791660371025265528379582261277249144426462648371370907663322533294992707813376 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367717603690326984946811716693747142752151891016787126125398682196103806102536192 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356940333001073316904952470628102164776064494420927751032420533624771561387982848 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494589072130166493051774845895382319063249135608252819293589384022352148895367168 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049310652505448855163347188999257161699887972266119596676427899155051204847861760 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836431857608336477913270529964062671113379000249084146141508066578816267351752704 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478380902093015377784392043375068982105312552912561330723627831367576754598182912 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463796730242309831072892700701204289449703517933314335935523147673822961969659903 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738573414196133290578519677430526937209668629368371102258744279052431561110585323 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074919347548203719653076095375986365364121321513138688693601455693722933010627700 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999488783198101915710769922695043258370551321796513118492692182863598843554955264 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433215996336650657107187309066885121050915203711655940418348461423410436359847937 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801281 -115792089237105570840234253759177109864155645142784332660520492325483608801301 -115792089237105570840234253759177109864155645142784332660520492325483608802188 -115792089237105570840234253759177109864155645144051983258387538503137673347072 -115792089237105570840234253759177109864495927509705271123983866932915377012735 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801301 -115792089237105570840234253759177109864155645142784332660520492325483608801721 -115792089237105570840234253759177109864155645142784332660520492325483608820348 -115792089237105570840234253759177109864155645169404995215728462056218964262912 -115792089237105570840234253759177109871301574848124040393251359081550741241835 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608802188 -115792089237105570840234253759177109864155645142784332660520492325483608820348 -115792089237105570840234253759177109864155645142784332660520492325483609625744 -115792089237105570840234253759177109864155646293811075523798421635374216380416 -115792089237105570840234253759177110173132034306996457485264635873529144802420 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645144051983258387538503137673347072 -115792089237105570840234253759177109864155645169404995215728462056218964262912 -115792089237105570840234253759177109864155646293811075523798421635374216380416 -115792089237105572447172292031856729075410681226833265616710996755578873708544 -115792089668464716711175474330664206369020689731482237225111632717222395248640 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864495927509705271123983866932915377012735 -115792089237105570840234253759177109871301574848124040393251359081550741241835 -115792089237105570840234253759177110173132034306996457485264635873529144802420 -115792089668464716711175474330664206369020689731482237225111632717222395248640 -231584178474421766263805238767865017716745065074583019773051327118533202018305 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -173688133855763668451586118497334171569418006704281952022611597218015621414912 -1331609026228925620678623413260475405674665237934234339264433695068655873687552 -52685400602978658201947727436005789138242379942982622713439243734744551061979136 -73391955574979118963811141843175280625430620176058294601490730148688473782556220162587303980144312476237824 -19701003098197239571963727475337245584277418381138336973559756733437436614754832864132904228250638407468872200355840 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -231584178474211141680468507518354219728311290285568665321040984650967217602560 -2547425963216322558485153582701896417011424193141255318531450831160639393628160 -105255009116528963893772936667091992866517481434790958388413127523864600400363520 -146783911149691239803259475393388124127981686794512330162116597167705867884585400127309555616235700397015040 -39402006196322807380529480735708200350808188180059515972387897508111694538583905253163017939285493079333045723463680 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -347375826053891660325161479775324877793734617406404827637898376896854209069055 -4979050562389613450023706000098280236385314062678814727185456068324266214424555 -210393825118878874823154155476421350389921862460510193772119639683129988651940980 -293567262432083559770702660509610753726083999484316064702443635065741487617631168944024326809545132558254080 -78803862104411649792976274791681038936570735389960672457534313407609438121900745647799356519971979257337439431163905 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -3273390607896141870013189696827599152216642046043064789482248405676250539644297199927910061547681591588047700520248370588959296290110673472568606851072 -68741202765818979270276983633379582196549482966904360579127216519201261330214399413743999875696628348165459513642102879512458568881914296414268567846912 -2972238671969696817971976244719460030212710977807102828849881552354035489891998432596487583133202417002373673425596350350269651308328404973878661838012416 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069928000242429165824294937959922703126340842597003172992674680280531763893888876544 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678144372411659971904659945538384351484472772924785374077781004818890338483568640 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -5027927973729236057982426364448826617555638513633071601633370220421967636306862290119494200055141201212462541182216784496521232519755394482652477095149567 -105586487448313957217630953653425358968668408786294503634300774628861320362441792250724636089741160540386529822629269361524090196261652874289192346822115307 -4565358600146146340648043138919534568740519770378829014283100160143146613766525936003562678897316118232756413754806051152696773738214806103709235569213045876 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065378700122407387983368036291462181934840290029429424546883050546459372981059584 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295338499198739260772539437738128932333519496838421060225823822448569320801828865 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -13407807929942597099574024997867385471458758537929012740010782671329620832395950784617371220557247896926580597537971384401159130499534713858118368299581439 -281563966528794539091054524955215094900633929296509267540226436097922037480312650635180053520285401150383009006100115959521486053837018581173976062115184619 -12174289600387878166413214698063586008084552752439543567929790665567295715815418289007635013513228997941175608925831227866107985103854428096632264782837185652 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313729655987403743897899888857155481223199852998264501584050364115023550069342208 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882383023926285332783471945834438958459904819174016347309219070621418038463639322625 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -26815615859885194199148049995734770942917517075858043397979502765092926124330030324699730308706026498559860284995108254105010456185748059698344402995904512 -563127933057589078182109049910430189801267858593018911357569558066951448610928320976909594371409751784681882442699990223302363893247498843818722790737969152 -24348579200775756332826429396127172016169105504879103405365388510704376920891562511402417065552319968224193565136911505557204988826936146119557504287098535936 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738849556415643713001608464650298269192585355931952657620961751920727944304001024 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367775499734945432420040599082768162800310784300368412838697111583536757698723840 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356998229045691764378181353017123184824223387704509037745718963012204512984170496 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494646968174784940525003728284403339111408028891834106006887813409785100491554816 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049368548550067302636576071388278181748046865549700883389726328542484156444049408 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836489753652954925386499412353083691161537893532665432854806495966249218947940352 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478438798137633825257620925764090002153471446196142617436926260755009706194370560 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463854626286928278546121583090225309497862411216895622648821577061255913565847551 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738631310240751738051748559819547957257827522651952388972042708439864512706772971 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074977243592822167126304977765007385412280214796719975406899885081155884606815348 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999546679242720363183998805084064278418710215080094405205990612251031795151142912 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433273892381269104580416191455906141099074096995237227131646890810843387956035585 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267776 -231583736816786089484927226016147767929578972263620494977377884571370600267796 -231583736816786089484927226016147767929578972263620494977377884571370600268683 -231583736816786089484927226016147767929578972264888145575244930749024664813567 -231583736816786089484927226016147767929919254630541433440841259178802368479230 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267796 -231583736816786089484927226016147767929578972263620494977377884571370600268216 -231583736816786089484927226016147767929578972263620494977377884571370600286843 -231583736816786089484927226016147767929578972290241157532585854302105955729407 -231583736816786089484927226016147767936724901968960202710108751327437732708330 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600268683 -231583736816786089484927226016147767929578972263620494977377884571370600286843 -231583736816786089484927226016147767929578972263620494977377884571370601092239 -231583736816786089484927226016147767929578973414647237840655813881261207846911 -231583736816786089484927226016147768238555361427832619802122028119416136268915 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972264888145575244930749024664813567 -231583736816786089484927226016147767929578972290241157532585854302105955729407 -231583736816786089484927226016147767929578973414647237840655813881261207846911 -231583736816786091091865264288827387140834008347669427933568389001465865175039 -231583737248145235355868446587634864434444016852318399541969024963109386715135 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929919254630541433440841259178802368479230 -231583736816786089484927226016147767936724901968960202710108751327437732708330 -231583736816786089484927226016147768238555361427832619802122028119416136268915 -231583737248145235355868446587634864434444016852318399541969024963109386715135 -347375826054102284908498211024835675782168392195419182089908719364420193484800 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -289479781435444187096279090754304829634841333825118114339468989463902612881407 -1447400673808606139323316385517446063740088565055070501581291087314542865154047 -52801192250558338720592420408262759796307803270103458875756101126990438053445631 -73391955574979118963811141843291072273010300694702987573747700806753897109677056324904161372390199467704319 -19701003098197239571963727475337245584393210028718017492204449705694407272820256191253740390567495799714759191822335 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -347375826053891660325161479775324877793734617406404827637898376896854209069055 -2663217610796003077129846554958867075076847520262091480848308223406526385094655 -105370800764108644412417629639348963524582904761911794550729984916110487391830015 -146783911149691239803259475393503915775561367313157023134373567825771291211706236289626413008481587388481535 -39402006196322807380529480735708200350923979827639196491032590480368665196649328580283854101602350471578932714930175 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -463167473633572178969854452032295535859157944527240989954755769142741200535550 -5094842209969293968668398972355250894450737389799650889502313460570153205891050 -210509616766458555341798848448678321047987285787631029934436497075375875643407475 -293567262432083559770702660509726545373663680002960757674700605723806910944752005106341184201791019549720575 -78803862104411649792976274791681038936686527037540352976179006379866408779966168974920192682288836649583326422630400 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -3273390607896141870013189696827599152216642046043064789482248405676250539760088847507590580192374563845018358585671697709795458606968065718455598317567 -68741202765818979270276983633379582196549482966904360579127216519201261330330191061323680394341321320422430171707526206633294731198771688660155559313407 -2972238671969696817971976244719460030212710977807102828849881552354035489892114224244067263651847109974630644083661773677390487470645262366124548829478911 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069928116034076745504813582652894960096998908020330293828836997137924009780880343039 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678260164059239652423304638510641322142538196251906210240097862211136225475035135 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -5027927973729236057982426364448826617555638513633071601633370220421967636306978081767073880573785894184719511840282207823642068682072251874898364086616062 -105586487448313957217630953653425358968668408786294503634300774628861320362441908042372215770259805233358786793287334784851211032423969731681438233813581802 -4565358600146146340648043138919534568740519770378829014283100160143146613766526051795210258577834762925728670725464116576023894574377122961101481456204512371 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065494491769987068502012729263719152592905713356550260709199907938705259972526079 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295454290846318941291184130710385902991584920165541896388140679840815207793295360 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -13407807929942597099574024997867385471458758537929012740010782671329620832396066576264950901075892589898837568196036807728279966661851571250364255291047934 -281563966528794539091054524955215094900633929296509267540226436097922037480312766426827633200804045843355265976758181382848606889999335438566221949106651114 -12174289600387878166413214698063586008084552752439543567929790665567295715815418404799282593193747642634147865896489293289435105940016744954024510669828652147 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313845447634983424416544581829412451881265276325385337746367221507269437060808703 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882383139717932912463990590527411215430562884597343468145381387478810284350630789120 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -26815615859885194199148049995734770942917517075858043397979502765092926124330146116347309989224671191532117255653173677432131292348064917090590289987371007 -563127933057589078182109049910430189801267858593018911357569558066951448610928436768557174051928396477654139413358055646629484729409815701210968677729435647 -24348579200775756332826429396127172016169105504879103405365388510704376920891562627194064645232838612917165822107569570980532109663098462976949750174090002431 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738965348063223393520253157622555239850650779259073493783278609312973831295467519 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367891291382525112938685292055025133458376207627489249001013968975782644690190335 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322357114020693271444896826045989380155482288811031629873908035820404450399975636991 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494762759822364621043648421256660309769473452218954942169204670802030987483021311 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049484340197646983155220764360535152406112288876821719552043185934730043435515903 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836605545300534605905144105325340661819603316859786269017123353358495105939406847 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478554589785213505776265618736346972811536869523263453599243118147255593185837055 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463970417934507959064766276062482280155927834544016458811138434453501800557314046 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738747101888331418570393252791804927915892945979073225134359565832110399698239466 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161075093035240401847644949670737264356070345638123840811569216742473401771598281843 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999662470890300043702643498056321249076775638407215241368307469643277682142609407 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433389684028848785099060884428163111757139520322358063293963748203089274947502080 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049793 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049813 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050700 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725447442614227457227324739062595584 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656433007813095902093053555754516766261247 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049813 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050233 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998068860 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725472795626184798150877820353511424 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590663238655151514671362321047903152130490347 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998050700 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998068860 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998874256 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092726597201706492868110456975605628928 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590965069114610387088454334324695130534050932 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725447442614227457227324739062595584 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725472795626184798150877820353511424 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092726597201706492868110456975605628928 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804492314385376101550209867347761530223896585780685577180262957056 -3273390607896141870013189696827599152216642046043064789482248405676250539528505111122163636578388558400357687160957770034872868194181321538823784497152 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656433007813095902093053555754516766261247 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590663238655151514671362321047903152130490347 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590965069114610387088454334324695130534050932 -3273390607896141870013189696827599152216642046043064789482248405676250539528505111122163636578388558400357687160957770034872868194181321538823784497152 -3273390607896141870013189696827599152216642046043064789482248405676250539644297199928120686131018322837558498508682145377973650742121015940134591266817 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539586401155309462588318799202567027652361355087007672582991681286039617010663424 -3273390607896141870013189696827599152216642046043064789482248405676250540744322047682624540545836497330168886466602318237624970233503383890257262936064 -3273390607896141870013189696827599152216642046043064789482248405676250592098113624432357121814940520075482619034317023286013344408313423566152451227648 -3273390607896141870013189696827599152216642119435020364461367369487392382587993646884319095925507685560423629480410862859610793556373668965913865486336 -3273390607896141870013189696827599171917645144240304361445975881013496123690131402592035893426969817507130095546769944436294859219708096290473589604352 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539644297199927910061547681591588047700520248370588959296290110673472568606851072 -3273390607896141870013189696827599152216642046043064789482248405676250541960138984670021478352366666771589897803361273444645949500520519982240782876672 -3273390607896141870013189696827599152216642046043064789482248405676250644667722137982662813640149751161686347309418515094349019382197212686201789612032 -3273390607896141870013189696827599152216642192826975939173488208935725932800837149435385714379543246186290648497804964888790758278625305057301786263552 -3273390607896141870013189696827599191618648242365872170011729141384450890220901201513214892255110592181388019375842333466408570254562768154647112712192 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539760088847507590580192374563845018358585671697709795458606968065718455598317567 -3273390607896141870013189696827599152216642046043064789482248405676250544391763583843312369890919084167973717177251142982205358154525757145867603673067 -3273390607896141870013189696827599152216642046043064789482248405676250749806538140332573743021368560491043870713799540813584403088709371951590041189492 -3273390607896141870013189696827599152216642339610327221565808176378911049023466747537698404183277786513328546533424697934559574993396498366733947502592 -3273390607896141870013189696827599231020504150454714582458523197357289475983448411414371377401526491679131602692682728102747150941048946159040820412417 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -6546781215792283740026379393655198304433284092086129578964496811352501079057010221381608981414894675657741181312185450892349927259180362294169996099584 -72014593373715121140290173330207181348766125012947425368609464924877511869627112435197698795563841432235152994434039959815849199850983985235869957095424 -2975512062577592959841989434416287629364927619853145893639363800759711740431411145617941282053069630086443366906388287430573041939297474662700263227260928 -4149515561151917970063980879658984329121545601994364142417198664422513839111197699172162345948983320467412955450619523214805173006772819821634534083476383305649350220585495278125056 -1113877103911668754551067286547922686741510866027480451801205771594405262067279965549349805236490784434644432217557085433113670824527158622454044965264710005088764708750074507711939872817152 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -5031201364337132199852439554145654216707855155679114666422852468827643886846275003140947898975008414296532234663008721576824623150724464171474078484398079 -105589760838921853359500966843122186567820625428340546699090256877266996612981204963746089788661027753470599516110061298604393586892621943978013948211363819 -4565361873536754236789913152109231396339671987020875057347889642391552290017065348716584132596235985445840483448286843089777077128845775173398057170602294388 -6373655901930312136397229380018414714219291845533790964022390273310518664835630740828468347180083644862604791413143861086903235249375531875415632227109732815177852120235280974370308096 -1710915231608582551713494414139930175751263819507052019042219365550193794154006946718799527546620132923873503879834751212220192959692406650822198625814311433918724450856792892137390922191077377 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -13411081320550493241444038187564213070610975179975055804800264919735297082935363497638824919477115110010650291018763321481462521130503783546939969688829951 -281567239919402435232924538144911922499786145938555310605015918346327713730852063348201507219205268363467078699580907896601789444467987650862797663504433131 -12174292873778486062555084711253282835683704969081589610994580147815701392065957701720656467212148865154259678619312019803188288494485397166321086384226434164 -16996415738478256005382065682640745424583520600551474607202683943728786624700592414350568583857897019605853142369008857442817767101941225174703991790078567892215019433803845151458590720 -4562440617622195218641171605585119131739518145309275443824727370504040363107841778802650498983287057323120851132922436639306786482391813047523028153385611111096650699850039691106860065028571137 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -26818889250493090341018063185431598542069733717904086462768985013498602374869443037721184007625893711643929978475900191185313846816717129387166004385153024 -563131206448196974323979063100127017400420075235064954422359040315357124861467733689931048070329618997765952136180782160382667283878467913507544392127217664 -24348582474166364228968299409316868843768257721521149448430177992952782597142101924115438519251239835437277634830392297494285292217567115189246325888487784448 -33992831476956512010764131365281487575776433304961101914925762989992063339229796837707649040085893246897278262269437097411921475677734367962673377293012256048251930821609549545693249536 -9124881235244390437282343211170238263479033017227949088672722063740710815798620780741195852214027274750800459122907188212756399131339907812166837856281102721380671803469666181272358359087972352 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094859873731529946340457125253265606438475403785866280608383688705623749572896410942067145463298048566101192878305015324784812428376688032701026114373419008 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991991880549970950312199366524641183224939146662271031480267817849985216020034059681196238639444870941368473032592199965972137496637856883098606701880803328 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129796382947829476458967766910148013704606143230821732648328945402416252950588781261571521001556443284472347875228838802630004274020695398231305757833297920 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934367149423806676145102838607613654154722819645656486389690247571207190879375902466674408624306366625437153384642329830612968823485775565655070820337188864 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913652579960587390491348134625062972314445174807285275675210213986492566598017851511159087524177488138848159695634263383276446008067895330443831307583619072 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988312365191525626829590504228669795829923743060941349315981180118158171906003267339308381977465988796174295002978654348297199013279790646750077514955096063 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754494201209880240584000325008129160445354271438847474339815137513208085015278044023262205436971615772903617650738619459732255779603011778128686114096021483 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384658628623907360592075876577151981139698204998984119146851147983671731411614389956614275866046172190849077078893072151877023366037868954769977485996063860 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862156128917720005745743440993984706875781718224942308267480678359040001816538959392264174062103866018168133971899502152160397795836959681939853396540391424 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998786517303933042382263334991497603092615412736691514529053003863902183881972686605402722803500283404539975834579866034075540617762615960499664989345284097 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348288 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348308 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486349195 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851379715837692741036504647550894079 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352969133745369125558337364934425254559742 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348308 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348728 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486367355 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851405068849650081960057728841809919 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072359774781083787894827604857083060618788842 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486349195 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486367355 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993487172751 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628852529474929958151919636884093927423 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072661605240542660311919618133875039022349427 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851379715837692741036504647550894079 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851405068849650081960057728841809919 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628852529474929958151919636884093927423 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094485907904996976043691563883887462497120051064494757088751255551 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030688453630171908179274851168857493895967146091659465130718732272795647 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352969133745369125558337364934425254559742 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072359774781083787894827604857083060618788842 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072661605240542660311919618133875039022349427 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030688453630171908179274851168857493895967146091659465130718732272795647 -5027927973729236057982426364448826617555638513633071601633370220421967636306862290119494410679724537943712051980205218271310246874207404825120043079565312 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306804394074875752581912318823441521134057891212939945806456965095219525498961919 -5027927973729236057982426364448826617555638513633071601633370220421967636307962314967248914534139356118204662368163138444169898193698787193070165751234559 -5027927973729236057982426364448826617555638513633071601633370220421967636359316106543998647115408460140949976100730853149218286567873597232746060939526143 -5027927973729236057982426364448826617555638513706463557208349339385778778149805986566450609089519027306434917111176946988791884017021657478145822353784831 -5027927973729236057982426364448826617575339516731268841205333947897304881890908124322158325887020489438381623577243306070368568082684991905470382077902847 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306862290119494200055141201212462541182216784496521232519755394482652477095149567 -5027927973729236057982426364448826617555638513633071601633370220421967636309178131904236311471945886287646083379499897399376919172965804329162149271175167 -5027927973729236057982426364448826617555638513633071601633370220421967636411885715057548952807233669372036179829005954641026622242847481021866110277910527 -5027927973729236057982426364448826617555638513779855512783061460225227111700018830069001675707973062867060784130194341090821063981743909114237210274562047 -5027927973729236057982426364448826617595040519829394409013899701157675836657438894121079504885848630213055881501072378459398681793719846577334555601010687 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306978081767073880573785894184719511840282207823642068682072251874898364086616062 -5027927973729236057982426364448826617555638513633071601633370220421967636311609756503409602363484438705042467198873787268914478581619809566325776091971562 -5027927973729236057982426364448826617555638513633071601633370220421967636517024531059898863736614888181365537352410335666745857626553993181131498529487987 -5027927973729236057982426364448826617555638513926638864065453780192670296816241459667103988397776797407387822028229960823866832798458680307546642435801087 -5027927973729236057982426364448826617634442375737483251426346495213648675243201441330980661370995046112553625084389218854035020374406332755338949308710912 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5031201364337132199852439554145654216707855155679114666422852468827643886846275003140947898975008414296532234663008721576824623150724464171474078484398079 -5096669176495055037252703348082206199752187996599975962212497436941168897636845105354763988789157361053109646476130576085748122423316267794415778445393919 -8000166645698932875954402609168286647768349491440174430483251772776003126198629138537507572046663149707317860388084823556505315162762758471880171715559423 -4149515561151917970063980884683638912242885518106777317169197682825935710698226236016050317965274706234630948370185813208398692627647313303331070209408656529114634029765403766423551 -1113877103911668754551067286547922691766165449148820367913618946346404280470701837136378342080378756450935817984775078352679960818120678243328538446961246131021037932215358316891848361115647 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -10055855947458472115964852728897653235111277027266143203266740440843935272613492996060514188968601933917406728144705257702756896374189747980653986972696574 -110614415422043193275613380017874185586224047299927575235934144849283287998748422956665656078654621273091474009591757834730325860116087227787193856699662314 -4570386528119875576706025565283983395358075408892462085884733530363568581402832566709503698886229578965461357941768539625903009402069240457207237079090592883 -6373655901930312136397229380023439368802413185449903377197142272328922086707217769365312235152099936248372009406063427376896828768996406368897328763235665088401317404044460882858606591 -1710915231608582551713494414139930175756288474090173358958331778724945793172410368590386556083464020895889795265601969205139759249686000170443073119296007970044656724080258175946570830679375872 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -18435735903671833157556451362316212089014397051562084341644152891751588468702581490558391209470708629631524784500459857607394794353969067356119878177128446 -286591894502523775149036951319663921518189567810142339141859806318344005116619281341121073509198861883087953193062604432727721717691452934671977571992731626 -12179317528361607402471197124428034834702108390953176639531424035787717683451724919713576033502142458673880553112793716339314220767708862450130266292714732659 -16996415738478256005382065682645770079166641940467587020377435942747190046572179442887412471829913310991620360361928423732811360621562099668185688326204500165438484717613025059946889215 -4562440617622195218641171605585119131744542799892396783740839783678792362126245200674237527520130945295137142518689654632226352772385406567143902646867307647222582973073504974916039973516869632 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -31843543833614430257130476360183597560473155589491114999612872985514893760636661030640750297619487231264804471957596727311246120040182413196345912873451519 -568155861031318314240091476274879016418823497106651982959202928287373416247234951682850614360323212517386826629662478696508599557101933197316724300615516159 -24353607128749485568884411822491620842786661143392736476967021880924798888527869142108358085541233428956898509323873994030411224490790580473055505796976082943 -33992831476956512010764131365286512230359554644877214328100514989010466761101383866244492928057909538283045480262356663701915069197355242456155073829138188321475396105418729454181548031 -9124881235244390437282343211170238263484057671811070428588834476915462814817024202612782880750871162722816750508674406205675965421333501331787712349762799257506604076693131465081538267576270847 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604099884528314651286256569538428017605456878825657453309145227576677640040958663628934986711753291642085722067371786711860910744701600153316510206022861717503 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685997016535133092290228311779699393182243342568533858060017111705822001507405801277674115804929438464460989347526073896502098069769861322166907786610369101823 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518134821037530950816375080180084900012723009565102408761185172833374432544336355999254491087291550036804093222368710535338755936547244160682040485666321596415 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028939391804006928016061215251782365653173126241517243514926534135543223482265143120459593974914299960145058027878124026366738901096709240849464250728825487359 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744918677234543708730407460547799814971332848596678872304212054101958508857983785069504078653814171081658469034189115959919402378281291360614253011216071917567 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060993337019774646966745702917403421794848327164932528377852825068090174463291770485332227948267459582315795169496460350884423131286503255930559257423443394558 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280759518855793001580500112738182881159463757693310434502876659025485224376401045262016181771726965209292524492144220315995858188052826477061937866022584319978 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377389683283207028700508188289751903980158101626870571147683695035955688022797381607949533842156039765710469951572374768688002955639261334238579157394484362355 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269867180783500841345661855854168736705894185140096529336804324566331056293202306177385183740352097459537789008465381198688286330069060424965749033305028689919 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428759003811171887054382298375748166249602111018834608278543065896891835918475267739904598322289093493876924160850328061562570201472890986081244308844897833582592 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780160 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780180 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690781067 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756017613817472060411970538755325951 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107569038383267105337656740400316458991614 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780180 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780600 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690799227 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756042966829429401335523620046241791 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428114374685721685874606924232548951823220714 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690781067 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690799227 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884691604623 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228757167372909737471295102775298359295 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428416205145180558291698937509340930226781299 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756017613817472060411970538755325951 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756042966829429401335523620046241791 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228757167372909737471295102775298359295 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114988014600711094100047318483792100395099830383870222979955687423 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528565474132278603893392907524612093800605044071438784506184623477227519 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107569038383267105337656740400316458991614 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428114374685721685874606924232548951823220714 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428416205145180558291698937509340930226781299 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528565474132278603893392907524612093800605044071438784506184623477227519 -13407807929942597099574024997867385471458758537929012740010782671329620832395950784617371431181831233657830108335959818175948144853986724200585934283997184 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395892888572752773084019014537559577489812491117577843786236284470685416703393791 -13407807929942597099574024997867385471458758537929012740010782671329620832397050809465125935036246051832322718723917738348807796173478106568536056955666431 -13407807929942597099574024997867385471458758537929012740010782671329620832448404601041875667617515155855068032456485453053856184547652916608211952143958015 -13407807929942597099574024997867385471458758538002404695585761790293431974238894481064327629591625723020552973466931546893429781996800976853611713558216703 -13407807929942597099574024997867385471478459541027209979582746398804958077979996618820035346389127185152499679932997905975006466062464311280936273282334719 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395950784617371220557247896926580597537971384401159130499534713858118368299581439 -13407807929942597099574024997867385471458758537929012740010782671329620832398266626402113331974052582001764139735254497304014817152745123704628040475607039 -13407807929942597099574024997867385471458758537929012740010782671329620832500974209555425973309340365086154236184760554545664520222626800397332001482342399 -13407807929942597099574024997867385471458758538075796651160473911132880307789107324566878696210079758581178840485948940995458961961523228489703101478993919 -13407807929942597099574024997867385471498160544125335547391312152065329032746527388618956525387955325927173937856826978364036579773499165952800446805442559 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832396066576264950901075892589898837568196036807728279966661851571250364255291047934 -13407807929942597099574024997867385471458758537929012740010782671329620832400698251001286622865591134419160523554628387173552376561399128941791667296403434 -13407807929942597099574024997867385471458758537929012740010782671329620832606113025557775884238721583895483593708164935571383755606333312556597389733919859 -13407807929942597099574024997867385471458758538222580002442866231100323492905329954164981008899883493121505878383984560728504730778237999683012533640232959 -13407807929942597099574024997867385471537562400033424389803758946121301871332289935828857681873101741826671681440143818758672918354185652130804840513142784 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13411081320550493241444038187564213070610975179975055804800264919735297082935363497638824919477115110010650291018763321481462521130503783546939969688829951 -13476549132708416078844301981500765053655308020895917100589909887848822093725933599852641009291264056767227702831885175990386020403095587169881669649825791 -16380046601912293917546001242586845501671469515736115568860664223683656322287717633035384592548769845421435916743839423461143213142542077847346062919991295 -4149515561151917970063980893063518868456246559698375950587756536729055734994167374393462768872927902323719442868062833710505388341765369659085670114046554508893953405231294970855423 -1113877103911668754551067286547922700146045405362181409505217579764963134373821861432319480457791207358589014073863572850556981320227373957446594802715846035658935911994677692357739565547519 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -18435735903671833157556451362316212089014397051562084341644152891751588468702581490558391209470708629631524784500459857607394794353969067356119878177128446 -118994295378256554317204978651292744440127167324223516374311557300190941194837511451163533099156727968805592065947512434634963758095866547162659747904094186 -4578766408076088937747617163917401954211978528916758027023110942814476234598921655204001575906731685661175475998124294225807647300049019776582702970295024755 -6373655901930312136397229380031819248758626546491494975830560831182825206731513710503689647603007589444461097900561304397398935464710524425253083363140302986381096723419926774063038463 -1710915231608582551713494414139930175764668354046386719999923377358364352026313488614682497221841433346797448461691057699637636270188106866157191175651762569949294622060037495322036721883807744 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -26815615859885194199148049995734770942917517075858025480021565342659241664791669985056268229972815325345642840856214457512032692333748386731585769381560318 -294971774458737136190628549953082480372092687834438280280237218769251658312708369835618950529700968578802071249418359032632359615671232254047443463197163498 -12187697408317820763512788723061453393556011510977472580669801448238625336647814008208073910522644565369594671169149470939218858665688641769505732183919164531 -16996415738478256005382065682654149959122855301509178619010854501601093166596475384025789884280820964187709448856426300753313467317276217724541442926109138063418264036988490951151321087 -4562440617622195218641171605585119131752922679848610144782431382312210920980148320698533468658508357746044795714778743126724229792887513262858020703223062247127220871053284294291505864721301504 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -40223423789827791298722074993602156414376275613787056137990285436422546956725749525138627318121593926978922528313351327215884018019961732571811804077883391 -576535740987531675281683074908297575272726617130947924097580340738281069443324040177348491380825319213100944686018233296413237455081712516692190191819948031 -24361987008705698929926003421125039401640564263417032418105399293375706541723958230602855962561735535652612627380229748630315862388770359792430971688180514815 -33992831476956512010764131365294892110315768005918805926733933547864369881125679807382870340508817191479134568756854540722417175893069360512510828429042826219455175424794195345385979903 -9124881235244390437282343211170238263492437551767283789630426075548881373670927322637078821889248575173724403704763494700173842441835608027501830406118553857411241974672910784457004158780702719 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604108264408270864647298161137061436164310781945681749250283604989128547694154752717429484588773793748781436185428142466460815382599579932635885671914066149375 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823686005396415089305651269903378332811741097245688558154001155489118272909160601890366168613681949940571156703465582429651102002707667841101486283252501573533695 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518143200917487164177416671778718318571576912685126704702323550245825340197532445087748988964312052143499807340425066289938660574445223940001415951557526028287 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028947771683963141377102806850415784212027029361541539456064911547994131135461232208954091851934802066840772145934479780966643538994689020168839716620029919231 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744927057114499922091449052146433233530186751716703168245350431514409416511179874157998576530834673188354183152245471714519307016179271139933628477107276349439 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061001716899730860327787294516036840353702230284956824318991202480541082116487859573826725825287961689011509287552816105484327769184483035249934723314647826430 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280767898735749214941541704336816299718317660813334730444015036437936132029597134350510679648747467315988238610200576070595762825950806256381313331913788751850 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377398063163163242061549779888385322539012004746894867088822072448406595675993470696444031719176541872406184069628730523287907593537241113557954623285688794227 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269875560663457054706703447452802155264748088260120825277942701978781963946398395265879681617372599566233503126521736953288190967967040204285124499196233121791 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428759012191051843267743339967346799668160964921954632574484204274304286826128463828993092820166113995983619874968384417317170106110788965860563684310789038014464 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103233 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103253 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387104140 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459868939503685406252196573451649024 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244438742234592791551002580626351155314687 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103253 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103673 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387122300 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459894292515642747175749654742564864 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885251244389573011560820270072774986519543787 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387104140 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387122300 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387927696 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098461018698595950817135328809994682368 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885553074849031883977912283349566964923104372 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459868939503685406252196573451649024 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459894292515642747175749654742564864 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098461018698595950817135328809994682368 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203136793202344373787504455353495951720786043729710449014652010496 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610924562281057205526672594981748963504456369757652130346410658173550592 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244438742234592791551002580626351155314687 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885251244389573011560820270072774986519543787 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885553074849031883977912283349566964923104372 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610924562281057205526672594981748963504456369757652130346410658173550592 -26815615859885194199148049995734770942917517075858043397979502765092926124330030324699730519330609835291109795793096687879799470540200070040811968980320257 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329972428655111861232797616170839264946949360821429169472449630310911451399716864 -26815615859885194199148049995734770942917517075858043397979502765092926124331130349547485023185024653465602406181054608052659121859691452408762091651989504 -26815615859885194199148049995734770942917517075858043397979502765092926124382484141124234755766293757488347719913622322757707510233866262448437986840281088 -26815615859885194199148049995734770942917517075931435353554481884056737266172974021146686717740404324653832660924068416597281107683014322693837748254539776 -26815615859885194199148049995734770942937218078956240637551466492568263369914076158902394434537905786785779367390134775678857791748677657121162307978657792 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124330030324699730308706026498559860284995108254105010456185748059698344402995904512 -26815615859885194199148049995734770942917517075858043397979502765092926124332346166484472420122831183635043827192391367007866142838958469544854075171930112 -26815615859885194199148049995734770942917517075858043397979502765092926124435053749637785061458118966719433923641897424249515845908840146237558036178665472 -26815615859885194199148049995734770942917517076004827309129194004896185599723186864649237784358858360214458527943085810699310287647736574329929136175316992 -26815615859885194199148049995734770942956919082054366205360032245828634324680606928701315613536733927560453625313963848067887905459712511793026481501765632 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124330146116347309989224671191532117255653173677432131292348064917090590289987371007 -26815615859885194199148049995734770942917517075858043397979502765092926124334777791083645711014369736052440211011765256877403702247612474782017701992726507 -26815615859885194199148049995734770942917517075858043397979502765092926124540192565640134972387500185528763281165301805275235081292546658396823424430242932 -26815615859885194199148049995734770942917517076151610660411586324863628784839409494247340097048662094754785565841121430432356056464451345523238568336556032 -26815615859885194199148049995734770942996320937962455047772479039884607163266369475911216770021880343459951368897280688462524244040398997971030875209465857 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26818889250493090341018063185431598542069733717904086462768985013498602374869443037721184007625893711643929978475900191185313846816717129387166004385153024 -26884357062651013178418326979368150525114066558824947758558629981612127385660013139935000097440042658400507390289022045694237346089308933010107704346148864 -29787854531854891017120026240454230973130228053665146226829384317446961614221797173117743680697548447054715604200976293164994538828755423687572097616314368 -4149515561151917970063980906471326798398843659272400948455142008187814272923198032362182862636233194257798982950421921859283989975045057116222539817897880195107299245457329667178496 -1113877103911668754551067286547922713553853335304778509079242577632348605832580399361350138426511301121894306007943112932916069469005975590726282259852715739510261598208023532583774261870592 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -31843543833614430257130476360183597560473155589491114999612872985514893760636661030640750297619487231264804471957596727311246120040182413196345912873451519 -132402103308199151416779003649160129911585925862152547032280277393954246486771590991245892187305506570438871753404649304338815083782079893002885782600417259 -4592174216006031534847191188915269339683437287454687057681079662908239539890855734744083934994880464262808755685581431095511498625735233122422929004991347828 -6373655901930312136397229380045227056688569143591069000828428216654283965269442741161658367696770894736395177440643663485547714066343804112710220232844154312067310069260152808759361536 -1710915231608582551713494414139930175778076161976329317099497402356231737497772247152611527879810153440560753753625137239719995358336885467790470863108899439653145947746250841162262756580130817 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -40223423789827791298722074993602156414376275613787056137990285436422546956725749525138627318121593926978922528313351327215884018019961732571811804077883391 -308379582388679733290202574950949865843551446372367310938205938863014963604642449375701309617849747180435350936875495902336210941357445599887669497893486571 -12201105216247763360612362748059320779027470269515401611327770168332388641939748087748156269610793343971227950856606607808922709991374855115345958218615487604 -16996415738478256005382065682667557767052797898608752644008721887072551925134404414683758604374584269479643528396508659841462245918909497411998579795812989389104477382828716985847644160 -4562440617622195218641171605585119131766330487778552741882005407310078306451607079236462499316477077839808101006712822666806588881036291864491300390680199116831072196739497640131731899417624577 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -53631231719770388398296099991469541885835034151716086795959005530185852248659829065220986406270372528612202215770488196919735343706175078412037838774206464 -589943548917474272381257099906164960744185375668876954755549060832044374735258119717430850468974097814734224373475370166117088780767925862532416226516271104 -24375394816635641527025577446122906787112023021954961448763368013469469847015892310142938321649884314254245907067686885500019713714456573138271197722876837888 -33992831476956512010764131365308299918245710603018379951731800933335828639663608838040839060602580496771068648296936899810565954494702640199967965298746677545141388770634421380082302976 -9124881235244390437282343211170238263505845359697226386730000100546748759142386081175007852547217295267487708996697574240256201529984386629135110093575690727115093300359124130297230193477025792 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604121672216200807244397735162059303549782240704219678280941573709222310999446686796969566947861942527383069465115599603330519233925266145981725897948762472448 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823686018804223019248248369477403330679126568704447096083031813457838366672465893824445708696041038089349758336745269886787971706558993527314832123478536269856768 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518156608725417106774516245803716185957048371443664633732981518965919103502824379167289071323400200922101440620112523426808364425770910153347256177592222351360 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028961179491893083974202380875413651597498488120079468486722880268087894440753166288494174211022950845442405425621936917836347390320375233514679942654726242304 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744940464922429864688548626171431100915658210475241097276008400234503179816471808237538658889922821966955816431932928851389010867504957353279468703141972672512 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061015124707660802924886868541034707739173689043494753349649171200634845421779793653366808184376110467613142567240273242354031620510169248595774949349344149503 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280781306543679157538641278361814167103789119571872659474673005158029895334889068430050762007835616094589871889888033207465466677276492469727153557948485074923 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377411470971093184658649353913383189924483463505432796119480041168500358981285404775984114078264690651007817349316187660157611444862927326903794849320385117300 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269888968471386997303803021477800022650219547018658754308600670698875727251690329345419763976460748344835136406209194090157894819292726417630964725230929444864 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428759025598859773210340439541371797535546436380713170503514862243024380589433755763072632902525202144762221508248071874454039809962114652073909524536823734337537 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369217 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369237 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375370124 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059367521063656309566056683439915008 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359572341733174351521905894486461143580671 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369237 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369657 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375388284 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059392874075613650489609764730830848 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714366377989071593120791173386635096507809771 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375370124 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375388284 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029376193680 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232060517280155921720449188919982948352 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714668208448530465537883186663427074911370356 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059367521063656309566056683439915008 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059392874075613650489609764730830848 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232060517280155921720449188919982948352 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658808948056801636687333570487095450302346014633024309124640276480 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956886017953212059983935494810864097103954951317623033660270768161816576 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359572341733174351521905894486461143580671 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714366377989071593120791173386635096507809771 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714668208448530465537883186663427074911370356 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956886017953212059983935494810864097103954951317623033660270768161816576 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356998229045691975002764689748372695622211821479298052100170973354672078968586241 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356940333001073316904952470628102164776064494420927751032420533624771561387982848 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322358098253893446478857179507922865306010169741652157703419662355722622201640255488 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322409452045470196211438448611945610619742737456357206091793837165762298096828547072 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143893629499169185576181884464199941925492648173412559179111095560753183550196779689242985226007697858242805760 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839342888146918434783166170184693410567941044063248355890210060641243042267219249909278356373308648560435022417966923776 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356998229045691764378181353017123184824223387704509037745718963012204512984170496 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322359314070830433875794986038092306727021506500607364724398929372858714185160196096 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322462021653983746517130273821176696823471012557849014427468811049551418146166931456 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143967021454743897697021332797750154768995199240031013214671721427772200944298808869207707477643789246163582976 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839362589150016560350974735937953781522707574833047277069208888782017716525143078981667386487019683415106886591490031616 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322357114020693271444896826045989380155482288811031629873908035820404450399975636991 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322361745695429607166686524590509703110840880390476902283807583378095877811980992491 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322567160469986096428059655039986026180994416938874733662852517561710683534418508916 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187144113804806026290016988775982866377398593301552720816949212048465670236564031854638024422248837098678324822016 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839401991005924649193387182732009754361293337380257178225694035197917214268726395822062022825600369901284890985197731841 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094859873731529946340457125253265606438475403785866280608383688705623749572896410942067145463298048566101192878305015324784812428376688032701026114373419008 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094925341543687869177857389047202158421519736626787141904173333673737274583686981044280961553112197512857770290118137179293735927649279836323967814334414848 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604097828839012891747016559088308288238869535898121627340372444088009572108812248765077463705136369703301511978504030091426764493120388726327001432207604580352 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714242674878487840834003055584974512311279435699658711463016289149904593484340885392177976886554761380392284766887296383377531438844432307956945337673417396461755078202559317439655444480 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246284526591342437031681239983319539526781594837816341634508518304645466356502238250467323544284041214993247041504034911017278877525141160830047989182088967849339008843158178926846443884250136576 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604099884528314651286256569538428017605456878825657453309145227576677640040958663628934986711753291642085722067371786711860910744701600153316510206022861717503 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604200443087789236007416218065716994137807991595930114741177894981086079393684798558895591853642977661424896134653233764437938313665342050796316745892588683243 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991608660215200487068390846630250983103347579842957522649251826694366600364687088882702648429896450552619117266018585410546229110997207295204025736789114979613812 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412720612181264857001052430220984113268041169605999590508062896262224550689635337404935307273071388896041934422145344989624941219868920801067012539335366443652893627280972574012918747627520 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609247994327945847107914640183330172921779846117146457366173098936464424065745394177917220573722025424857132685900951652105144065956814009040322247733762938014573252644529306221744476122866568396801 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604108264408270864647298161137061436164310781945681749250283604989128547694154752717429484588773793748781436185428142466460815382599579932635885671914066149375 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604376420566869716589289641637018783873739957116440329505083820642555140110802669417280047271073521902034892613836704611035935709522917416503201529607881752555 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991616269146200728800216611801810127154786923875939583363805473384872024513789137775055652502231066465498825685213756435722942522208572934826018659818328603753588 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412731234941101404944921415057286735598751533834754608191706076555894968957595202366608829373308066709416677670496300854621297134400773366760311827694929412487970664448286142577095835910144 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609250845853331860720581567860521618110735834371472259589597881444469377912314348012749304424693462091781531933248204739790571152550336708446718948563290509314250430570778299468543445592009405890561 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604121672216200807244397735162059303549782240704219678280941573709222310999446686796969566947861942527383069465115599603330519233925266145981725897948762472448 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604657984533398511128380696161973998968640591045736839148901163764524169521933285087621776811924646252669191487273304485299716587362327896765846276336504537088 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991628443435801116678383025016508190740795008428692022923642908982717161594994213919278047284283105556469108703169967516000633619212296016544041585057832865103872 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412748231356839883200926797122969376340902726747459017819013799634941232234309731571032186453764294705643969095616201282861266238109349159903099797080432346176126701359673948281490070568960 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609255408293949482915800209032127203229867573886344178263242729439162614582767038791751242970046692831998959612856194724542144602162985656541483592372993404805860714591881919095033611090303465291776 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -21430172143725344039741447416747135734328099194269775938858685112579378184657786065906763159178676625205218492566825428477050725853377832065983208189713200681844100397174224127137557678646374287640475087188412914436146644713764873912909317614682237526728015428718464118732506826116885039758058750738432 -235731893580978784437155921584218493077609091136967535327445536238373160031235646724974394750965442877257403418235079713247557984387156152725815290086845207500285104368916465398513134465110117164045225959072542058797613091851413613042002493761504612794008169715903105306057575087285735437338646258122752 -9740013239323168866062487850911573191252121083795613164211272383667327384926963766954623855846708526155771804871622157242819554900360224673989368122224649709898143630515684865784019964944777113732595927127133669611228650022406135193417284855873076955897883012352541941963924352470124250570037702210617344 -13582985265193575509847153720301345363547163848715837516812932466783689951768234614081082594902676106779962952908124868514580193484388163974010229906267257277629370088801142633029220476374120830201819937481485605394893790147430680868494971780019587951193256398520172478623000296862688521766032969946888901935204417993802764714508288 -3646154850295010964902624396817474390410105702108556391759286100433934630952342968680077393668206518645350322207926570056063791163256347839621106322437804761540352091937936756225487349008505906910901544548065233498934923554616145309059470154014938195304963669835205443004851378494121810273694832757966522610366086517324182782563251960938496 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824629198276151174244463087285660418287344529756165187857520911105123842660034918703411836307538943107430287596439419222071804002615797677806638572665083165692141839780886307603102541747070094713562715543794785904326970568977820621271154145831782622467599830140102357487631119091729219499088809459332415487 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316998862077737405693327418524701312676891843887526247248550546356474902078886714910989494826726018489783987340302135409223113547673217455618750193884849347528160194394640717423882001111685525241940621668818619861722020482087095397955107969291288249444329152787862322599066175858052440630467418058473340907 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753593451678086770450460508976164978853315225613389231240714869753894387304963876717058650152672811697170570980613598309383691870969784601585900594981479511955574221514648792975451023932379869175500758313625655872192484128483431743888460039720362805862274612216016775291210943444487297807108709430373383284 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444769282811977804250882370944636426195458324080999993435959869852668433762589077466327036503679884932798114847311436326315773506106222447586090692873957009455868034159802460539867856658115952688726716502746285402567852398888356313324109937916420499689593669109023205291494317874286388534278585340917710848 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448790006268973158495533882062541204142975446526119117611259327045262915006773486865554835011098276863061710309734987275751369401000805245194174420363093639844254247196438980433865369554332786383238465709007857728072714580953790040537248486657816917075965510971703569173409460696212044812838396933722603521 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046272 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046292 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957047179 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571754105966758923615108084021592063 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998595854119759254624519943537861725257726 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046292 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046712 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957065339 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571779458978716264538661165312507903 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132388005401501458178023893787435686497089486826 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957047179 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957065339 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957870735 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255572903865059024334498240320564625407 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132388307231960917050440985800712478475493047411 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571754105966758923615108084021592063 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571779458978716264538661165312507903 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255572903865059024334498240320564625407 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172976888286874738812007209510607836887249117247073360525221953535 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834198122532121152290057037619484503120616341536220725647709322168743493631 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998595854119759254624519943537861725257726 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132388005401501458178023893787435686497089486826 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132388307231960917050440985800712478475493047411 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834198122532121152290057037619484503120616341536220725647709322168743493631 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463854626286928489170704919821474820295850844991684637003273587403723479550263296 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463796730242309831072892700701204289449703517933314335935523147673822961969659903 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655464954651134682993025119737995967430683808765164544288322764969771673602221932543 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655516308442711432725606388842018712744416376479869592676696939779811349497410224127 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418968698206766676988716306797306798322733884687580499409184197685426822573709166274146087840056749258824482815 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230791227421993503490763661597227832901047900460489592404378000871316144391892888932790742958211751174484073818548600831 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463854626286928278546121583090225309497862411216895622648821577061255913565847551 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655466170468071670389962926268165408851695145524119751309302031986907765585741873151 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655568878051224983031298214051249798948144651581361401012371913663600469546748608511 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526419042090162341389109555755130857011166236435754198953444744823552445839967811195454110810091692840646745260031 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230810928425091629058572227350488203855814431230288513583376829012090818649816718005179773071922786029155937992071708671 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463970417934507959064766276062482280155927834544016458811138434453501800557314046 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655468602092670843680854464820582805235514519413989288868710685992144929212562669546 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655674016867227332942227595270059128305668055962387120247755620175759734935000185971 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526419188873513623781429523198315973233795834538066888757179285150590343875587544241222927524862886150078906499071 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230850330280999717900984674144544176694400193777498414739861975427990316393400034845574409410503472515333942385779408896 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988312365191525626829590504228669795829923743060941349315981180118158171906003267339308381977465988796174295002978654348297199013279790646750077514955096063 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988377833003683549666990768022606347812968075901862210611770825086271696916793837441522198067280137742930872414791776202806122512552382450373019214916091903 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060991281330472887427505692467283692428260984237396702409080041579422106531145355621474704941650537643531585080628703730450276879705291828941050483608186257407 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357569626768432140808575645041867964802739431380147844841991693339296041823615960460885574377967295802725391623284537619891699379074505410081618976696929783046658180816608368840237121535 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193136923234669388921625539957892128983675047329276337314997651683620870545893686589742398612991638706405781463837141767414520114039309101060121091306762606872851395428061281540895495284831813631 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060993337019774646966745702917403421794848327164932528377852825068090174463291770485332227948267459582315795169496460350884423131286503255930559257423443394558 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061093895579249231687905351444692398327199439935205189809885492472498613816017905415292833090157145601654969236777907403461450700250245153410365797293170360298 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581065553667691947064071335763629958507536971291296797724320534291858012899109421989559045671132964720559347339120710084185252623383792198306639785840515561290867 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809363939133154801301027002810441006720532629601680079641441871666413942137974612480004014870562801430464267529001742230861455387809150874169137212974389956039478530383586623064319329304575 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987194846724589174059804584483304745511236739569637917361853588069843399469934785626256495648790733022348545220323284758961541307193328176980552320835887611653596765031114209324358525174267150073856 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061001716899730860327787294516036840353702230284956824318991202480541082116487859573826725825287961689011509287552816105484327769184483035249934723314647826430 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061269873058329712269778775015994188063131405455715404573791418133967674533135776273677288507587689842264965715961378250059448096107820519117250581008463429610 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581073162598692188795897100935189102558976315324278858438874180982363437048211470881912049743467580633439055758315881109361966034595157837928632708869729185430643 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809374561892991349244895987646743629051242993830435097325085051960084360405934477441677536970799479243839010777352698095857811302341003439862436501333952924874555567550900191628496417587199 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987197698249975187672471512160496190700192727823963719585278370577848353316503739461088579499762169689272944467670537846646968393786850876386949021665415182953273942957363202571157494643409987567616 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061015124707660802924886868541034707739173689043494753349649171200634845421779793653366808184376110467613142567240273242354031620510169248595774949349344149503 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581061551437024858506808869829540949403158032039385011914217608761255936703944266391944019018048438814192899264589397978124323228973947230999379895327737086214143 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581085336888292576674063514149887166144984399877031297998711616580208574129416547026134444525519619724409338776272092189639657131598880919646655634109233446780927 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809391558308729827500901369712426269793394186743139506952392775039130623682649006646100894051255707240066302202472598524097780406049579233005224470719455858562711604462287997332890652246015 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987202260690592809867690153332101775819324467338835638258923218572541589986956430240090518045115400429490372147278527831398541843399499824481713665475118078444884226978466822197647660141704046968831 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824629198276151174244463087285660418287344529756165187857520911105123842660034918703411836307538943107430287596439419222071804002615797677806638572665083165692141839780886307603102541747070094713562715543794785904326970568977820621271154145831782622467599830140102357487631119091729219499088809459332415487 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824843499997588427684860501759827889644687810748107885616909497956249636441881496564070903939130729873682339781365087476356574509874331456127298404746980297698960280784858049844373917323856558456439120294666670033471332035424958270010283239007929444842867110294389542128818444159990388349486390046839799807 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864834347781343330617766485833689155244342862322740766531245793324803678590666777224684300553400226472956960854182818474553886146506790304524648561957579118102201358139311004818244759424154336225453007670995834731161023763072355512991590658521370041017185970985137026180965476310937373226864619089102792294399 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382945944971643394552440333018544909113467554612749139183355056603618393891608739152695663135014913939388630223870254054412894344624289470541920862626549594209167573670063373732089922672967834116510690953316456889794786342129422505749576092463192554010284300112795761408992790940526935790646439671993459275486838307032042854165296185343 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287321881537782656997343103601327303339215017873806116005292182631938677605782562544625650995475250258938656613604058187487401993335543020778644703484269290201404867303981882236730798076805901958398370897225037198612474339112946064484584134538861612429607839386002942061840246087892662062040346796957431605546122752671420426796831614652542615551 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -70149324220868077495255175920561715987048031760661657648151596049581927701126644407314161773169938523306300574636470765864723972756401953860971729649236966380158623144886433123904089438954731413136105939102963525135105941885179620757765851918707538235369974386271618715130954505741977781211162121976618183601835461375440982077945936461543052837790612502383395739504991310927477668395382345950562697672932264775996511143505676632322113137860859914092542 -771642566429548852447806935126178875857528349367278234129667556545401204712393088480455779504869323756369306321001178424511963700320421492470689026141606630181744854593750764362944983828502045544497165330132598776486165360736975828335424371105782920589069718248987805866440499563161755593322783341742800019620190075129850802857405301076973581215696737526217353134554904420202254352349205805456189674402254912535961622578562442955543244516469459055017962 -31882867858384541221593477455895299916113330435220723401084900404534986140162059883124286525905737058842713611172275963085517045617784688029811651125578201219782094219350883854814408650004925427270360149322296922173905650586814137634404579697052576127975653358560450706027018822859728901560473184438372964447034217195137926354426428121771317514775833382333253363605018550816538600285701276234530746092347714340690414314723330029390400421157760830955060339 -44462416394276340862910922260424396243409287509660999151319246748739914958385539746634290306946194641774613806241018935810494168792436919845175634291349159454369843636974567461269377050915985253151305716782880097347068525737970911517541922272679697044439338383672966048059649363603197225258288722959100457996166747560663282330850461947328029840291593918843260847507401028001791571453882893980386821221463169721351174430588439919666771233696844315006704459189491148327636741499387903 -11935289041890653422458560211344367566035064229836658432562760370881500666512962196005301087896114215912896266386318096236327886697921869831329245013996897234320551268335648449529409274273397774372980607395957227900784875294585648183090035692841379465274178288623747782900764555478041293866792687681839672394696352890749545168747009819987092335714242876928113812840773743724234722513540777715455219485249003286896896934489723171984857306038613096377208196921847281115147426887448334304280576 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/bignum_inputs b/evm/src/cpu/kernel/tests/bignum/test_data/bignum_inputs deleted file mode 100644 index bd45bdf96a..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/bignum_inputs +++ /dev/null @@ -1,15 +0,0 @@ -0 -1 -21 -908 -1267650597867046177654064545792 -340282366920938463463374607431768211455 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/cmp_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/cmp_outputs deleted file mode 100644 index e4e4112402..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/cmp_outputs +++ /dev/null @@ -1,225 +0,0 @@ -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -115792089237316195423570985008687907853269984665640564039457584007913129639935 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/iszero_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/iszero_outputs deleted file mode 100644 index e32c9c6c6c..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/iszero_outputs +++ /dev/null @@ -1,15 +0,0 @@ -1 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs deleted file mode 100644 index e744abfedf..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs +++ /dev/null @@ -1,486 +0,0 @@ -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -0 -21 -21 -21 -21 -21 -21 -0 -0 -0 -309 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -0 -0 -0 -169 -1232997389102826268860991065105 -18618193491623480687965778108529490131 -56424335153278151789523409664996995581162067431087086213061556134977632914449 -28522822713801268588036943398667804191745915805046109428618723188679866502161 -31706899640538131462557950751123123992423743151283050819612655945089903928361 -0 -0 -0 -501 -163832143645086957897416441857 -130403518609156362105805396406315208861 -1950081577919450936472563652220396332042682835950151822696779432336405037057 -89705076639198166424843052158202309145112564081865083245095301525986942648321 -161580799869287829122678259656507339171378764462605635944908315838074450225541 -0 -0 -0 -361 -349605011617414033395053481789 -245857331472368514819046594566028058751 -16196520401421423385786338368215415982698439852342927927980513551465948892989 -25448670785549471741073803593965176921136178751681542787519830340854942519101 -208746275861806526568796522022506082930013066308764940459575687169043802837726 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -5 -0 -908 -908 -908 -908 -908 -0 -0 -20 -0 -444539926163396060618371891200 -265738677898336061407141787570363252093 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -0 -0 -4 -0 -458477653689271929750159360000 -25471671292789986475502298488957923576 -39622934661811821553763744630506213929196932096668444518123439737845028225024 -11662422067291787594026815204283885427659195788081136348012846295902003920896 -196850617542733211416217278410575369737876420896781853126317893743949824168141 -0 -0 -16 -0 -491348889049443876707510517760 -26309649457780133338343455840727251651 -12836249910756408599207651670402691470189457253048470571408310293697570799616 -89957821137359056393801843026144645477720961240687064113356371611922523488256 -186628143002875342454100646575613221588500043779267673627434610024013060416436 -0 -0 -20 -0 -995158961158262555374402928640 -134121906180378853498930390838142450437 -6919681730812989105961680682293875199438003339556752544938537021004054528000 -111415284413375575279069783743044849713138799010818236990829948938800785784832 -2671371225382503991550810752302543668307773911036096851249073522360117594907 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -160 -0 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -0 -0 -1 -312 -0 -305764342221524799935332959201681860527 -43179616752915754651548109831528453372307533305539601542967080491130306953216 -17577324162381258630474635337405333643146914114762554675606397827067886436352 -24302243256145833886805174285503224697924343810958724170274784478667392432942 -0 -0 -1 -104 -0 -308509185836607975341692036936651238716 -55518020932873470218319288289245721296726991639699521321270937184899723952128 -112628490590563884833405386435939751658584809004247538619207709896844158959616 -5922841801814876533914360761483372163277450765372489528717658348886181069591 -0 -0 -1 -820 -0 -92377192736350021881806334564236622586 -30966933304654384056562480896427815565136977421206545694335698204395214733312 -82119970857858981914834549178898483174623261423734314091990446749364630061056 -17335345295685259772267515166522970642719156121663286480022840319361908909536 -0 -0 -1 -556 -0 -132190390248470898896680912765144782208 -26118405364148793884093212339004353321168506206731428575114534916913543249920 -57371932048380839143645765917598495087491748880125189544237269309841806983168 -21907868082798520198592834325003250611892002016702940923441999346792832444518 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -3 -827 -633825295391748780828659810303 -0 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -0 -0 -6 -883 -1151402479073526177054249189375 -0 -46236487016914252810359942606653565611806735985113905556189104784313205915647 -10141063897320778511376522974043618320650062159021091584566880470490557710335 -78190442020038551706136595408815344419350554279639655464038299447602848702950 -0 -0 -9 -257 -148913685258606776538030407681 -0 -15737081446634197346448238543290111090647984834849920547563580853437339795457 -17796349368611048392083206935955698801625485975991150886750776582747396767745 -87042183171820405426823900509602437553981065786933287231059322442248803404950 -0 -0 -18 -33 -501502021891302937219905355777 -0 -3229040287801688211109538153528907359157521678782897421936034456493449281537 -43674379635609232592374808570316762057057239464140599073454048485319171375105 -206574116687852983759940670284339037133974987477578735810964428283965343595925 -0 -0 -6 -515 -140262897948655524553823354879 -0 -51292049059523452610506083592610024599583816874803914322375719502751486443519 -27936184963965071766976378876421641742859886164075202272073313001233759338495 -13449010363647692703508349667378797433516756740069562881064298383864033242575 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -13 -120 -145483342680740634262446800896 -170141183460469231436539398536531279872 -0 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -0 -0 -13 -588 -242981830122332196998498746368 -141543884952374228579411301124356217882 -0 -110892457497452005403581430237946183767136503117162566153549053970000476372992 -189155222634588421211288058609537932434095476696578287565656039885444474631257 -0 -0 -1 -40 -447233008701926529533965500416 -293158325512187360695470417449441151016 -0 -80370191198978495857548168233658974342470488197481929432131097469881528877056 -57378722967569161858531872288267370459698099854972954033385237027489681458401 -0 -0 -1 -412 -442771250107780063583096799232 -154158747942568048877474815599350831266 -0 -83509925808939041219467836468971382374645162274742749382395185649452566183936 -130737775035935455315064283330339683168756409303633081183629254780389959201676 -0 -0 -13 -172 -791101013288846030830655504384 -153476591093627709272587559525863637788 -0 -16620630689278877851873420518904814002737213549417357007588250730268341567488 -135713742926877628027400301750580746786742856540376082400065882631878268256343 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -296 -920477174324206192629261533184 -9284550294641477953059815425 -57896044618447473228882389021020048158893283581286713298429387432951596187648 -0 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -0 -0 -1 -576 -394649121464702711197113253888 -330655358119337089933926862882373999920 -19171508671161797156614710182257630792593514679646789380628699765537557708800 -0 -83428280595193522049620352001877162940388365577102322638744416599597810157500 -0 -0 -1 -36 -459149829216013907374855159808 -212514946886893049623689635030161573600 -30121405346709427309695531890582421791203074728165296179965859962342252478464 -0 -42435402933391614285072618340065308663204835805291910450325661435301593697950 -0 -0 -1 -440 -111480890522555005842506121216 -169821875159927040016519827500463371995 -2219279707535425826019993588723715376924609733291444929791090369095624818688 -0 -125210688265252194710996471277583934881834379414003707914695928587186801398100 -0 -0 -1 -192 -973066898438133470773494415360 -61333559381831070683658258698802878545 -53535005721204496876936515275724889845817409334527168350061458281042045566976 -0 -35340054082346922390131417025011886439703502295343037882213639103251549897900 -0 -0 -1 -1 -1 -1 -1 -1 -1 -0 -0 -4 -771 -891784777631246170114448424959 -1327929446201306785262743695648620545 -57895602960811796650871631801676582813791887579127636891104569893774562426879 -115791647579680518644692972256970658065423327120836162316857392245886991466495 -0 -0 -0 -1 -43 -597446603600272666897934188543 -335986975837048587653674597853034419125 -4960875119562861993119998040929006214931859756877807299872704131313015193599 -83869314384839239184918994159181415456293389193220202757469792852202756243455 -0 -0 -0 -16 -417 -51915870197464503363519381505 -252258564697022016064972069604476995730 -49219110417420231511113764378238860427237875311237523872333835875498405658625 -102059959947892163134217117691190804610012473033509494849327043219849901768705 -0 -0 -0 -4 -857 -1131685075580794109740493832193 -5591051640426086522729162377581522820 -49306867245429292665712135123169680084542437782148851479415184718925278478337 -25169675183049498057756995668265957449819867477380947926503567596715595792385 -0 -0 -0 -1 -339 -813911142051622544908469927935 -4998080979218566999874015281917916555 -36694329931173559945696159169023191810080707655034316545018050435414281420799 -28634157081599137704071405870600522487246030369305940433755254306653996056575 -0 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs_full b/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs_full deleted file mode 100644 index c1626f99c5..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/modexp_outputs_full +++ /dev/null @@ -1,1575 +0,0 @@ -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -0 -21 -21 -21 -21 -21 -21 -21 -21 -21 -21 -21 -21 -0 -0 -0 -309 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -5842587018385982521381124421 -0 -0 -0 -169 -1232997389102826268860991065105 -18618193491623480687965778108529490131 -56424335153278151789523409664996995581162067431087086213061556134977632914449 -28522822713801268588036943398667804191745915805046109428618723188679866502161 -31706899640538131462557950751123123992423743151283050819612655945089903928361 -1626949887851522216050918195251855667936019233629512014857416262882459162506846482867598420124655122796334698879679058256496280388512107842122550266897 -3456644180256483296524124683106942480722843461305992677766332070622386105650335816178720659995652203171430416751945868032819203139048842456194585731900908 -6658621772694490037410881754126282754619191463278934006643576166056374826395321115677201742806056121601730868428249390651828408651815409287407418905560894 -2188719266686453452930405899199235044753192686954839466176162624683199938127424638750308949204554559166758220326224401920489333667474175603924673521175569 -6123795749220870070888957688126499811687439102580957107200324670516588221814874336490966980509479995815372272026912905873172415251713982723428918913460049360806724424126068570078686852874442462644585471618684175096178614463856372447395923736155404199722474001519774161213336837801565210105511353961489 -21733503076822274238215696841643994124465086209245797663103653662160183433375325239843496825811576935617701675430794656070743382504699894663869396198800858049123949931636855462200807567378261808374350727356914491895652225869425999023896449493174464626623879583913773127532285149008185808669981457659175411110681467646497612200879789944122607924142423967190374513947785974855081897919456043288039161362376188824242511311222201467365944959686354630547972 -0 -0 -0 -501 -163832143645086957897416441857 -130403518609156362105805396406315208861 -1950081577919450936472563652220396332042682835950151822696779432336405037057 -89705076639198166424843052158202309145112564081865083245095301525986942648321 -161580799869287829122678259656507339171378764462605635944908315838074450225541 -119111099232869461943255917709559971029471489246820147748389884283220680875449970114508127905572794881898139347855563980545398801715283004632963481601 -2340550614088062323035521333507933205420749928049240408457893198554975629380160875595843975025528241912895931129450956293623201875314056184463318790281141 -9658263392514739927662836103088426769134800307082054844647958520598804818351406352355729785509682250873421347556031006118797390529574721358615425274369903 -4647428455414528310735419222346137778331384012634538551014412602117023622880652353771726881116679285768237724443091476402706202263926819772616832419102721 -4105943439683327149496995432917731734349623330617416765444758819531334403459555965005600275959433826680513222328275949889828341311187920607090355380046540579908947040106371789193081113409035077098486792404385747715667974409598976733840748313362165044117491316370103556122704636978835764926194391187457 -28645769207390246795138025157012310806200949947458739337397211179141156343070918052774971042600619689369921890873698767518883214265612034430865062720501567943382208222029969252942575712244757709457154177152894494535042763023966349374143513752560929258976200745379909865727692592552226677876935892285307870731885285227994511501363645824725317338462104668462291125838004650196777287385052153407326433125418796527586257544647700218132360787318720777100831 -0 -0 -0 -361 -349605011617414033395053481789 -245857331472368514819046594566028058751 -16196520401421423385786338368215415982698439852342927927980513551465948892989 -25448670785549471741073803593965176921136178751681542787519830340854942519101 -208746275861806526568796522022506082930013066308764940459575687169043802837726 -1405046333573254154362728566205440659065789596162373947677922992002779706150301916091557545001891022758808422492046510466274149060187173986171371114301 -4109950494713993893142341968876859588899697995149574488387185284937507905151071268229544837244462536429462991654059099118254521939414590134998340719446475 -844468128021093833521017258842640197099986073495355910940365822372902152436005754957689228609364360833723273104884193579513808541852965164830299937335266 -4841490524461293458775865719630252706317774131797304941603107709106391551373400827563106022147424343461775948749633172375219539070706909069136692738510653 -7273173343143062730116325603650929579289657910222550340667872300408581237430197382410051906687144077202863842569199267502562443871512075909613158282763060439777587356925584672588460920490499485650537891223823337073005846524449165906099576249848470870580763810627114753982636643198831102678792829914941 -28046651509673296558629424584063249731669578718145238261130675472681779110268140721442904856558473621167727640615713345067811595168883183810857635560068796253449136272338112002671317203041266904678503071806393932350113469015095445921306266450082664767442783548486830460889239098543969021176454257806145698621983814164824010062639366791567674987083305882183188142795298379711201433370817683665471805353684719806585009665707704695044458674998071553291930 -0 -0 -0 -625 -268138222663085878899055263745 -24352877979184920020466043837322220276 -34834821705580047870320807590104282154881192418891909778995311440625022271489 -107743694625338367548278288079708411290661245510293131426406157730911501680641 -118236082284243482508848267847953427609046466568857110070954823921881387042791 -314573941438267599881423465112523804707482828315168316649965301003974020258305280672271797781262619454377248842022918324247905069090181693176119558145 -1855138457669725370795603609175257635850787505475418783821961151316324964106211402480574231460442281436102848418947738954752184731638654925034081955953702 -540244355168038810439245856412365092477075663815074675095751794574495975677637107674742162091364766891790053303512224504116561928038681836474597949011431 -22981118609480295020302390537085998300920429526471726567398293023445956296114258286587907654003543675558782486527003079440548040281611791112262372611325953 -6951084942072485004602792642768728173731086340286788608361716458550264564967198485402397629024961093884371645054422216571333979237852755889053521204926773487912585360977600077358240969038752377614031729154197921202596341838056184283438478913472604440906205314054471964590715571751484579200485577195521 -33110177016061425855873050546700017053104395816945007989361323145125706671247445069352845357430211170094709814842881235921295997550815440918489134011703431383697905373158706778267396782608658244538288231998579363509402374934461434235027334113339168112113235815389810790459912467851237692233387577938141749136860402850772218835907235676691685574301095898691939348359786379380091090548413315980192736618829302554133559996331787700989395178469522588716520 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -5 -0 -908 -908 -908 -908 -908 -908 -908 -908 -908 -908 -908 -0 -0 -20 -0 -444539926163396060618371891200 -265738677898336061407141787570363252093 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -131765835135960660552807451524089028158233849469678584969822208 -0 -0 -4 -0 -458477653689271929750159360000 -25471671292789986475502298488957923576 -39622934661811821553763744630506213929196932096668444518123439737845028225024 -11662422067291787594026815204283885427659195788081136348012846295902003920896 -196850617542733211416217278410575369737876420896781853126317893743949824168141 -2683172422101341871005722746258376340307644953044191751444605309114182348157085796971409744620711498580309302182985308212586435414886374286350975238144 -3484767657771443762420853002633790658478025026595023030399445962591501743459655114168018705061836715787328457528577115561192630399480939905028160741471812 -826369288885297875981086985856579353870084500166446900173411432842694716669231467968748002518734902939451616083284004742033317955616293179658208664891021 -22202087655311450647135419149250531087927146350676835345655785380157598138557194753184373294689489916297473124960377821312544654416163136210039001929744384 -5867290145612847972373997073309915340902862989135230389100858222930181445218524888102172986857355110271349287326639814908840476463002707271202642441777343076399506363351555575169003649515921567023847735339868023560115487675698958077623452675911334000167018425794800395206246266829715066932889888227328 -6613183629137681279087117062720950270493246965665653353814545527865422606963860172688377962562995370224937823909402574900579151120138866568996446233013596125260317722731462888479963743727090415264356847381807593700110142796538796057208396283278444005900325957636550564820775653606338375016287872257899328947954420594292130424139307631549548532332505581708062755002798299585128036685598543159971540741219646857517061331622628267531564244017650020495747 -0 -0 -16 -0 -491348889049443876707510517760 -26309649457780133338343455840727251651 -12836249910756408599207651670402691470189457253048470571408310293697570799616 -89957821137359056393801843026144645477720961240687064113356371611922523488256 -186628143002875342454100646575613221588500043779267673627434610024013060416436 -57810819572866260801492155256759413876483749626656973452292976127618654522846001818070108358802224938885657621123322444739974859616822961140014252032 -3586935919752527353984027215088868451772937854013928716747601409083300019440067660008036473811750553056666280422401084064457379199486614970622678033275267 -11435172354316143741773241295887896087133672859698695578907055835282817586890921066517171600518967766241323412371609567006600523639894522363112407210324509 -15149040910228070805694652326182650730845401534077532391632591405118117144643051256922675471878552887101021773709591676502861584900921169634374950540279808 -4352157484305171917414400736736974322230700579288245632185873247491184195730898991437344106792548923888580847271187361373793947913900504263300740461685586606358268444829299316120497158281612307205034189058550655426163375786508423319573157431875873496129188997627673849109716799860744235677774874935296 -24655669188850607011881278212500400404795975111909544352042335778191251712079013936428534764805902649880208931889745231758199080159268053714657146238568540885026847910322826747799581068534312565470606227666766265055047378610529765358823154325332792516751882522879055713682140011583363538951298044003038164972718406208736221386819603161486554136555558914468701937507614273119563961498468609340048830696861579728696267046957787891673696324284268296592010 -0 -0 -20 -0 -995158961158262555374402928640 -134121906180378853498930390838142450437 -6919681730812989105961680682293875199438003339556752544938537021004054528000 -111415284413375575279069783743044849713138799010818236990829948938800785784832 -2671371225382503991550810752302543668307773911036096851249073522360117594907 -3196717805164369921128204528085730572110803813535280667544983013152498020676968653158980718912649444544541678773084521623843027455344890340658923962368 -1238216679956500444264616028232887647747940490327785007262817775307688862239704307927037312429375849475227131933476467593816834523153314124523020288669761 -11027839566584582470519059073521721670466350661122931561173065258823257321580571220589430064206794766082774897831215317085884716390531116370426677289293467 -2022634134337910980433929460688286697109516578140587883097911933500075648632085115589857581520940210394331242638360018211669767050461136520845948293742592 -10563633569776338863997290139173141475448369840952853889830314442522523629045149771574493906944834062931170774068081579834010118509008087930549452650473545745495642812824093639365842736796360564731533873032609439082530461159518786091690259460722677617446344350444358408993792066302845337558798580056064 -12824372483412385861669199400205004566724858538474303800494747762440269818404951059835352877380356415578282393020015717678870100435248949572316256128400151457357751827937645568676301032707345577683626030686702589840795543017433728119877924868065460364994171679438527788229515928801213836621134264837100427090704057536254578168099404041165838330491183445948965724854110273982983705590693431410760655261855587976233430383255504302646591767978918856150863 -0 -0 -16 -0 -1074929557660986703509960261632 -310308103079793704575757950092990989086 -45830377016999964195415645114843325971494172471228418297876829545637299093504 -101060401631390047762632218125084929475187708866471415222687033363449381912576 -130474939331530224408995396282441784260419370120207375947563617259552477561186 -2355941672152922857080918796873312219472407301725598088408859346047953344326591361786096096705419672944173727217808802505470853131296892573634755821568 -1316454184270635300204354290028403652975569924791362044247281669809677739990181839549155145392827806973474851174980544451539377747682379975465127356763282 -1438923259930704879657001108769207409876637192084506601145086731796010515496862959970405934371385188574753305943073462813023599491372378876317837370133527 -3751312292780009820304966556683277538490745683704566160236438372682961982986048670343223416367070064938538731816396930813426231559274819821553090255912960 -1940812635972614747466109277992726340848630072707912304640929127912329064087768370597314351590495738864766600213011565689114652892971392013558976325205708385347610787529794002191911334996478270010718764337052847791754345043741034784083083057127201125434592632894903882614831512194082202201086343774208 -18021429550902313767357511567759601756356647595430959756983217203030344977480124379576430774082535283607744829695070380577186356624450300463936384113907659808083311741619551253897275613952178963423684191041978549151808016907300923588567042148170623295160006737511147422878843457848402746737171046772562256330802876792353279038296767776587843369343160581335263159088902098345089167246852603087883635586088364841422928542822495523562426663120058625130224 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -160 -0 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -1267650597867046177654064545792 -0 -0 -1 -312 -0 -305764342221524799935332959201681860527 -43179616752915754651548109831528453372307533305539601542967080491130306953216 -17577324162381258630474635337405333643146914114762554675606397827067886436352 -24302243256145833886805174285503224697924343810958724170274784478667392432942 -2455073261000987918671945239574537486815749129964150471432702836905807585811396531610253905941293957332101512899044268740293992626007607127083491262464 -1077242566599992264249169571444336551411248487528972966637628471569432402384081668659908518747150256909990581460430565820193233307152827275575539899170758 -13073126603118771003805243197447306343271660677454831683154753707889268850436361661628016500641989777790467968280342772010149753216162050495370020985042625 -20998284069276981893190892536141895412205721732777582241948778013718640245971369156599887283883776856426273476192138787335689583588114031186267728857006080 -9895687224941938536992396259410735585498593485949826080868857632522617767715344081138466212990213054852400162837201310103538489800752934384336855267244623540847988822661005638222750684585548680702427543946047149085737687298331380026993105619948605279977576581565502199750299350287074957960820551581696 -20330471440166965706846550975654713890652417870226965905923146732405275304116721701265925830155132264142742283294001589707864787012405943213404119056019767248830063561795881859861133225475226440778669219796000363700993800365618586534090055278009338085683400928935050079339354878794718829630509418239605013719652286315425501679172072558159972643172621667859406242995437705040600030465945478758984414424005354845660305153595541783513391622742931412397213 -0 -0 -1 -104 -0 -308509185836607975341692036936651238716 -55518020932873470218319288289245721296726991639699521321270937184899723952128 -112628490590563884833405386435939751658584809004247538619207709896844158959616 -5922841801814876533914360761483372163277450765372489528717658348886181069591 -2564817866139487541320504390805327358442199437592476952716613284652304314970931783459808490723737608880437784464822337666800292869999879039669023801344 -398463165885851265042497914635418511071393473395199568610621293995767308754233006664812655610002899538162554806154059048581305437649155727562069976883240 -11845528388829065193137342380492024118612741433871500160171557205928409375950091328760923663375034610212896359622832576619866946421226527978810823517767195 -14358105553296630195074581259093482904061967322039003650287242246847189245898106579740731184467142158444184654938258232190794449000467281976153220954718208 -8724046093635123581045526611633144774030370511834937151107124782757791671626741053594651970417496109952491903631645243345303037829497694196648996824200842520327610130549622341880795147265298435073802163280558766387420771897374896142381275499545438532579692773311139765116038449092364593363996255453184 -7405751147045042170442233630583323728853684512846881489652126352481138580343808254155794109418214211938178940574968048906922983783473775456657957578956020062439863911134378708160968666080910153080712910213618483308281268671163181505833074812656056876069748103205570600234366976045578890131475420080402034328956554170169080621020401502037844882798216390950223171848402002782939936087102304599378409563146797567777945011228369651410924564026853389623899 -0 -0 -1 -820 -0 -92377192736350021881806334564236622586 -30966933304654384056562480896427815565136977421206545694335698204395214733312 -82119970857858981914834549178898483174623261423734314091990446749364630061056 -17335345295685259772267515166522970642719156121663286480022840319361908909536 -2314109225631884097329071519390891278705119245506353961085436228554532183298397816728391508885600113143907388260489256179338412441709786163323932246016 -4631405091549513365618104032938964387036004178571962489969520427453823044584554995003585135178458975230639830757208179222570849484879646249622084312888560 -3444397905407459769678888603161852413323651620442902175963208412202586537665061311535470334927067187735566811052881866689633902610439151941964220310971721 -11022665256141102472940378463699540949238908279778600071282259749712264960911250408144499157327170064963756957223649027433072458668570655608803856874471424 -1149493853622624808951893133000311601994554292143458692563726487021442743023464156391272602913618081421849882373383362805133207036962919354651311719256865291542887462144185133870512659168195548443958858491083766172641138569350640961793151838633119997925593177565959971136032627767125937725101431586816 -33826235027620277221304225387441637043664748422971678909986538422912010422112157161893624219767292791117193745224367096503738217947106120516761159479154541434507081629430040858090956433405889392516115304242345520261752268880565405366762142190916629498630348949119250396008683103444433062400285561745138697466209715485695816216568719770239333912527091815214766386375891923409276947021071960719444492160160428059721106325731604292930332234337842204147864 -0 -0 -1 -556 -0 -132190390248470898896680912765144782208 -26118405364148793884093212339004353321168506206731428575114534916913543249920 -57371932048380839143645765917598495087491748880125189544237269309841806983168 -21907868082798520198592834325003250611892002016702940923441999346792832444518 -1983010347367670533586158746720918426725859238638826101738778473039940830888567731427474683445100376144146431698278643920358008341796317600412673769472 -2606640266791684811701307747992020704987556721798189736831558708134786779427826595516656788456057404569214323026273791700577064277010116095681833143649967 -13236721874325271723025473459287198396620022329708721480674722710511848773677038674125983763343329458361710367424043866874114509274517527946107266648826241 -2194764262264585667059858125941452105865892742975859841108712998947329687982788884647082000066632025028061458492389933022294535208755309187928296471396352 -204309344949056669756457560943541502699162518130681389120968275752795085274348261696673034188427085066909553427932479215637901119300398120607913517490261871972031537818140203177045230095689669755307530773417745785587153318345703950240765166902545254968306769674012995910371703479321012180805203525632 -10264690826749513230358184346151757544435920255861917426522952736046646856221133004608608156420505462277842900802805838197750732768067254277504971522375036317591854497981434809048391519641178668320883274044427240323533445722232511793549340418570864089915044452302975506872587143937799291446332426997988486186420527441812688737993113263455373353444533552218632449194597995340604827994474495437980620590990737309478013598033891846127947111075468737667005 -0 -0 -1 -340 -0 -998905004448329441454522467488976926 -4927413081688125725138099137632369118723706439675800220006419132836783063040 -84352496855087273591478468036086052663893064063467212113548648838828702826496 -107903726561082941806970174768933557491971859433891364382659859844852394460986 -2319608449060187999684790351453024136538626650066803987926996295704247719880909540662904401039557482146640056079214446055684288473572080013990468517888 -3229174536762564836328011009025477898799910197080321024421312234854337921760217907684033379377552188666880062823173769265434474194314757844200157057703739 -1423443399352876324872592588473564301454095472277230446652620290446968276830664095418889947537872334002573975742103104497418388304230155249816071500187318 -13271987893729173924722826693052254951121133786126776376721905614595108288958742926463506237918989779603882913708829786515628223071604050168421092211818496 -4601804950488826494167685270760036664893236871832882663322149997831635784436681349022970436277158840767511957327023782099178816414168280990846944956415328077143836700852459969097230280911772452313608645578171031885121285719728944681182534906015347671757933737842458574792144739909126764366189368967168 -857479341893762723161505496595417165049229108770456259194779683064981414515307526837194732925160817384742675728910002446344631831783238186297049084225178616281383135711434226661298337670136802627018979396403252157951565007991996142431686702381810961834168285921445713777780679851079387977357401452731948432492393075599084080144393344786427912661179463547435908489113931675491545959285551896625752610448451638448866450487107364387582471184159571074175 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -3 -827 -633825295391748780828659810303 -0 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -340282366920938463463374607431768211455 -0 -0 -6 -883 -1151402479073526177054249189375 -0 -46236487016914252810359942606653565611806735985113905556189104784313205915647 -10141063897320778511376522974043618320650062159021091584566880470490557710335 -78190442020038551706136595408815344419350554279639655464038299447602848702950 -5264101363851496851433282540836956541101368807777991293344941388857765825339723752116476539712642325105142882152577944513410405922445245546495 -4274984277410983807532089925150768740931153586735292491383528412859129258433112273099949231101888023707157602612028830310955239728286706980227996295680904 -4270974226494341897280469825731968602385022467387106892501039803249858350601697035152008485439522684257776791254316572547412071137653017182505839419643661 -13396349486729820333578617551105577176007659045388305976467765207187599750765003306881228272040491956095560694041316948995285357929407282941862450720407551 -7272107039633935551591400893562218992924676126105717460127870788013015797432989950658439810996946118473016444182279548084821341534588106843981486932573866517856077154029000374861836839944939375168692527383494491021504979898639557323084128794258468279454347871141949852954622679013053097034606228537343 -4024681230464577896473641062977638052721373802614679861781599094800123563495932827294337297078407941193782141971643023681636515761542479169594195464691208343312685562380387487284859733536618386758347477945214430213026727223935953464725954742778965827480842612641410510935813810716514672572547641952771526945317395473564193078364064275666028733643505934945383834412116242058173431754061071146756970189972698298803191543547137198977609076610984071659602 -0 -0 -9 -257 -148913685258606776538030407681 -0 -15737081446634197346448238543290111090647984834849920547563580853437339795457 -17796349368611048392083206935955698801625485975991150886750776582747396767745 -87042183171820405426823900509602437553981065786933287231059322442248803404950 -1872579959911606123270219006911173139292436983412774739613566899721054729108647438934586909747652198625290890899088832075544795394544595455034418790401 -1412681115817651652595578657596182058840351787817337255523617847758399731969803154217604617416738018019082279140815098858103221944816565427541047989874575 -4658367006324170812599422256080523502806559591300942419231897265664273942632706886970881430455450954648568107656318501922464893981721336262565505150036230 -14176910549874618607407657930219555895908368234965503682114333452984200436110890119648814677868732070859714001297650338292337460853941658691514163789824001 -10406141366637179727319354575345523585198131445101199614041074944321283006099873985593501657875961054722659983805551437203724122242706464697758320434979188004227317962713115722036138880945569626619984608791769942492732939213456452058202944264921993463328233802720857330376187422666409410692321365721089 -10395612500766716889498607750936120296402196259538392550447369284462443521703220089793251095458371323061297217472250908800671528775762556075103359185483070524957305359923584052804148040373365959462663236012867000124244297047788081721144621971838346991977347509145949856725062202597193816565726641315796367190832625962761358471335171016260228986247896685407131636015822155281779300035844200755378496158753851995591046914832248761433986938772195242877368 -0 -0 -18 -33 -501502021891302937219905355777 -0 -3229040287801688211109538153528907359157521678782897421936034456493449281537 -43674379635609232592374808570316762057057239464140599073454048485319171375105 -206574116687852983759940670284339037133974987477578735810964428283965343595925 -992419486452661222145984173974299929589195994084254138342964889584701966790230864615423021215758227245793655600475560820231442393114209491163228930049 -867054567978498531065761454390276935399048293801759280371014301861063097032842313817626802406894612171009202210526526325159367606967184116106222709354994 -1139630468367775490336631812613571548165746938068725127033848437473514644842035232747054391798198457303514508910901267746988126523368144746838663920634335 -23229321847788976756725283113649930370792069582610592470231250035730463613494249923319913356844479204498929051652932802538286625056745478043326957712572417 -9736393711512156676697476147793419950291123704462141453822865116456122510755024608271599163197384361427364997715319701954677607307667967970314752567786721165005692082957947082637259982017311319355343061387874272954404686630047193927081844593179586832512413662625777018863736941974537158057318938574849 -29060966502289446762773527309129862532230651461433207672335349512468314509838153919700009183613587271911577714742576064666717735555966747507902189346161650683338259890112722032957837515796161015553488353420265757652831337573527786397820733107579265093849101520705267722311390949184609843752198524487159831619663983822993580005359239978622465631388243890591655090541561296753761373713020979145034193471076120681878728773637249747647754915387598872616720 -0 -0 -6 -515 -140262897948655524553823354879 -0 -51292049059523452610506083592610024599583816874803914322375719502751486443519 -27936184963965071766976378876421641742859886164075202272073313001233759338495 -13449010363647692703508349667378797433516756740069562881064298383864033242575 -3007865154522879628838942692472346158555510514358321404385880396123667658951604878264737502736736088022367734668256726008347601098598257350026528292863 -4592124389902639952157884879500633941880823326525745966966661569784155220592348399170518240885296517746840773500441608980855453698091666787607843899145829 -2534000532084385254011173048792691142730414486367806853286959714601853302234763393270798424710144792599095332446397093107565422159020315343985501774159892 -15542028513463832582045168836396386001625310864606581833373826691519685781220976702479707834361513658452848273358428791133185408252751328679278502490406911 -8412092699337531037787046468081884678528099171920466557150153840517555441701513747481625075399369031563363890720070512929533552898722630769019938157826781770070834212210476738149888508884995219178808489342005439633046794302879951435958690454691212867490392351796728559169919328744714016812403628441599 -33830106619343559855814362535589211924203444187711545573142435195593086511328847987971132905556265209639736610793615201190028737913698317064723958072416856829114676871668002147741395866264126547513200446705626505358831619201264825403452572963238108829829155602404009157481163421152595415563917960605621467418213148184629070795051181898610631600475141956877575705748780551030079535279390822434842453037166286438591706030638299501460332593582408355701860 -0 -0 -18 -793 -197025322184063122457151668225 -0 -2920290130103280979299916267396345225782651892499153454132172827501589954561 -13539515947035890751742634672716012403055571371579065400912721307212126879745 -158307368218366335347174104263331952261761856873568291783365034272918926713725 -1815215034323212852396070290108011856137567892027865591453387561513196098766849400352437123459701948446227688759510102669983999161585665721657907478529 -1313998427018914497731975785557000192540482097274033470133500010806607846954570954898528158955314391602627353029912678650049483923494107529991028097123237 -3558766711272482011504448167665545486379425587311683496485361619290623375415884515332307272266520310480366471739749365076632262898225547952923293595733728 -12553285567146229581143238572266763310070996960196734618418238189114111487087176302379917708160855599798506766652438515952406574783180790667512374443900929 -7334817924922815993844247909475070087281744359403537502526299289084906210615638233675595384256475356219608076645306747447902878463733829119335042011404584250731670549991672963716637969622660364460577985065151746629898564582075539489021571565895740532432194811300868623563387061791622447110534725632001 -23782765486299170619653377638001085226491596574584464898704365460889585549109410835130873109130617681428671842761358877647827448636728589051462502446489865488918684639573926641287700719325755142839567735191800755724523772975690463187286534957742763295127666200814136161150077106827630178598134515070629372319788894871157470118252128383759870860296840401062420257746959094446951505893201604983152709936368275205715331071029074242829807922867113197544311 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -13 -120 -145483342680740634262446800896 -170141183460469231436539398536531279872 -0 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -0 -0 -13 -588 -242981830122332196998498746368 -141543884952374228579411301124356217882 -0 -110892457497452005403581430237946183767136503117162566153549053970000476372992 -189155222634588421211288058609537932434095476696578287565656039885444474631257 -2273620924019535126443377586964826655364563651525119527623848142652704686460888155148600115764101538394624015930243455367013584122475807191504328327168 -4718242244578560577933620411853546035676043730739668011742858611491785678155178214146108560032528947886096115390359535573786208426628238424552910518225609 -5354055707309912886614410393569876624773886934053676926684306993550773407750553762949175437211369217571333055727536737153756343047932603108461352921558471 -25365469084896632438831937795363726978720559453448504867481253590410035300967847867532559492662554029011867176416570131146842894254418120377083085899956224 -3757578315429890131235493992649120836389777957623924867570462633554550213501972098599500200214418806050260619389176706179192857127356531256489639401245300261047944289856878017480929565003165920312519588880225017152460044735034054827437950584392201188531715789576969371957511327370055692497232100065280 -15253647830407583141547363309274688061512324567554978156617633130357138545424717528865172974543531851717065650176201323923438841684204225724333600965120694028156933393649297273989140526164630013338776321111358526273453216724232977621477413581907629724731139256634361519074694441451017597636834753579301989604484256575167632226812528730857727215779131743352342648896678763239802119364145369163238668734832577049562494126042421431166789603595812731097644 -0 -0 -1 -40 -447233008701926529533965500416 -293158325512187360695470417449441151016 -0 -80370191198978495857548168233658974342470488197481929432131097469881528877056 -57378722967569161858531872288267370459698099854972954033385237027489681458401 -1266685019038549670156131957936105569332778969355417709861995585153701875900859319531983550779488151228898464900331805671022343202096261388828403564544 -4007316844468480444786209097240877242135343232573279363036730296408578470321526904806238868824798952651885510964017728127623908601645102032546751410140438 -10809419853862469069424671860661466104583061712836069230246390212316112130066125544420392691125603322947467815628376833408555549515946984480656880021651380 -1850019664799561828446887689859810128523634383437118940053115370804552962470182093340221950762057683211340120378944062888849213207787569638787758996586496 -10601990121875444106767485014957569656736374682760746624229897705443065241696873816254196776531479775231519679842263077569364013222740741226981954932170832015958461515448934122357561377336766895492078707171525168572538566552146347786295929420700117193632141413315523494643262931844585426006586863648768 -28508439658852678107665155972792842206287661263432505699726272954607239927480675380840437519995918207158667265234219975518214394765767765060644972734142492559569055673270149098731414835043509095821925810223271993800625817447425850539568468486314744453634053786991467939161412382560926663037539162059349437789487898945599562092125838900291727653251158883415512092048307124528711465011479916269612248338449949978973514357464893125428777863416659679547856 -0 -0 -1 -412 -442771250107780063583096799232 -154158747942568048877474815599350831266 -0 -83509925808939041219467836468971382374645162274742749382395185649452566183936 -130737775035935455315064283330339683168756409303633081183629254780389959201676 -1434569753988477104238938016621393717922537334575046291954564311951618243596601987643360144150294172150115473086916074540367171462792383909655650238464 -1628053801365026402929640374014765553703071179544257678606217838338537677419257865674757673512650450839264317003577960931228650240349967706184064403237564 -9528330235712431695508651348872596587940214388314172729001944199117139203073649460506789237728120154262303033791074115687461447137304611451019062450033166 -4143685306341548231504887338288660968707624803700705709343351955022110657856432837240377395875927501705908299984063250507069218496972459859740452129341440 -7458796787007837004712235977661789416985633116148918114280732607368491371782197880736806507445402383850766124164590251775004743970419719155659219708540227384445648790605201658248003617820791276119099869395011354078111731072541949883562883648840249249510616061917989297687935201755531527627290779320320 -32562067415072239193840246016716096268985518768069377976952382448190013331748839889139882498448289400400757853808819969655477710609459023410834554011819177127950022030097667847290699738778525902043243023637500887645421123275436342796803206335835309725086671594130477830499317959884237607103504253659374293236168368765551370942719124768927841271066850440350466143929412219292019549741670650796223584473716652795660385114766444013731211424652116447263871 -0 -0 -13 -172 -791101013288846030830655504384 -153476591093627709272587559525863637788 -0 -16620630689278877851873420518904814002737213549417357007588250730268341567488 -135713742926877628027400301750580746786742856540376082400065882631878268256343 -2763703332326056666675771568612443973251095331788999459280007079557401109082037332230846287789955462113928953782310527076648915665904957779729505583104 -2824436745521083250434559952136747236272578919613634664272602203887075383079538439468738841849895882276490589513884561192461063598286468221544075155317742 -5573805721606072201024464091196637283572352485715830551875562715416314364897955988150179092473897788638830452265884540199145584775259028641318262487547968 -4057677748936070618844094810747404761610038515502652344029344965685330894561953958031306249055086692013728933315233447834639061360828462307224389794398208 -5784796441501303882265576458065577676796946906096587650440461985290957058829054847129274276669244130440701590711328886296578934710291199277222000695005904568910944144582690667672945892139302539970077461280831973659874645207539604298268246794000404198399473879519441764495134256354634643900506642055168 -27926326319599679689321531260972663838094871826824944182829437453915195129091090522882499755811750977000485175430688110045958476439969398119085050907218285133398254355136892348358892640344189516520338960373270419222146816179324538294913966113727777599048121837592524129719217066985421105982471108005619786655759673241565670064548335049859971927753583710716463045164399494432220069188699341199218886010208466355717064435978272444257082416306333129756637 -0 -0 -1 -316 -71681696331238174643235848192 -237948749361170373273798232100232473131 -0 -83778207020986728476145484258908144082269934037053254715152909632561590829056 -221509419269785716227233899606918240392102327497753358712085651922766861983551 -79315321146264542418544101067771002872575912085812381774279752184308118738724006743714953988893825146071572131840361116250475308904572550776268783616 -3141911224089662508005439140547996848411545433412668670184330989833051246389721569721933639157984163331306326586989550527910321306108944965118472936437373 -7056836934790078890629897242686908388561326030807269602244791722619134700685270860402176255162872248124156286310896170748542196945067054699971451991857017 -19653627676393504480845906820110557077219860495796321885850081681411361274754697849285945541928921052518914208933686885858752894441356909201046802838585344 -9683163169799910671354293907568672381107851254294002957127298074004784481037839670632521780649121780401926430183897832969166328037150107405373952334255388250551814999528496252119738140300795402325170176550137471892883221550198049424126188627968546323114246254076277484385665176149283033551751023165440 -16624156320060803479105655673708019093724859687856669901597323414016554716036267842673966767033477560761233327486461318339447602081002795923903537066139452947433702150477385673218681847304679734427371239598965310386307842392299911576146706135987880533258592628104184356529185963203696378503916725011966153849031868468134727041450767305498104186987445591841485782186937410888737747186818628076918609180767095586934198055427262999789790553748249680495030 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -296 -920477174324206192629261533184 -9284550294641477953059815425 -57896044618447473228882389021020048158893283581286713298429387432951596187648 -0 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -0 -0 -1 -576 -394649121464702711197113253888 -330655358119337089933926862882373999920 -19171508671161797156614710182257630792593514679646789380628699765537557708800 -0 -83428280595193522049620352001877162940388365577102322638744416599597810157500 -2383427170914810336472146115059610133938440685431786051901133872674812685256214433004766571822808713024702089068992214313240618263661712821448505032704 -3543131743813569641335946273683240931826614024019546282265784836005828417893383322228810942263163410646159776819689834231870373605456177912242267705525812 -3201888256116239379504709172928241207634570507519243666267842079354934745091409880730742354222322722404797424377578771802961012486596039415971972097760189 -4721437724763666216912653616574178996088489462586407187533602132486864388960603129501403388719024042140502457650359696753171122610737975161314352895623168 -4837005771188282971935407089657043487019168586830902406943047384547231889109685650839979581515180335872804870881921663586570464571734302300526117404207560436370497430406529093043461008746914986949167798918225893839078999027089145630276892534029320307629830535688150128766532774699466359036038881476608 -14649538351459906058741226567249552783659862553950272384082762918585814063949755926925837749924987768515640556340283222177993507623584971708636450851372760248421615193323790004038285247571226256925988926564345592560305885533717028697892048480537531768156992921912334188996185887209116041579498773878589854193709529378983879403351880522010001304035516272695800246073052875655027404371065192473535905888797416623200692032732055359224565770757807776402248 -0 -0 -1 -36 -459149829216013907374855159808 -212514946886893049623689635030161573600 -30121405346709427309695531890582421791203074728165296179965859962342252478464 -0 -42435402933391614285072618340065308663204835805291910450325661435301593697950 -2723474109035793261196285209480520006576094880312369272827686699655845402902440783445003022414244095338650103254192634946547862282922709256827062714368 -2366345409847035124374650448074879585773647708631341355179263252964806807879670158353217088899380315556678858307117619065167384939975455280949447515369567 -13191762144369989130760985435688757812828881793396707694471183793997116204175863881278765015080350072806582669305591779418584954819749146010893985699341570 -13301718048073450430547712527884367748161420561064642294015103641915503834019416126543999762601710015216018615418920000282926562454589067268249095837319168 -9391084627976509998795459430240744148278054341930566001679916095435726828423076214248815541128823696135595365039592549569884022180775653333743792501900544596968163878667412922650434328739761497861462359470427289461508215509253714046614049256486535514319610185904255475081934449011049104472856091164672 -7354519734624006876179435352514087233297298809165790925922795673494116116655759843604125047003991533731435264281192336103815636919140214933167210447579405287498010619153112075099093006295245714725499708200955637344617781547142646463544824911616543471784407538549422907647454757217835547791373749159887064306770673576013161274312701154428403688789455533688700894782342280314573076414570285083813175010660748552095076178542404200729953294305533949916369 -0 -0 -1 -440 -111480890522555005842506121216 -169821875159927040016519827500463371995 -2219279707535425826019993588723715376924609733291444929791090369095624818688 -0 -125210688265252194710996471277583934881834379414003707914695928587186801398100 -2487150548049686483577986346486345896197470598544823109842683510353284256291612496904302366730404150860292761990843784069916754136788389949069787660288 -4665596396220733640168649174535027159196397070342267963244347648666006311146611981668674060621225920926771133113452576288300091774874699771692345174655000 -3321497911172409553001804903171022673679565313946048256955779288266740305599386551480119034076080803092083102364750364882135550956683614114559617436903767 -12793018574047350137248079672509016968931556367756809163171704828712247163091906244764359814474025125944855607579655662889196220595429789208504167192068096 -53376332098238942237058265874185808937843825750519948116793606680215516009579250363703665595580229234392378617881585484051555178971860102930997202131537779988926409286598509132127582039147943382149262722075187323524856262926753691304631056792968823860069761025941851259838112955696975940302445477888 -19923611385063419051384812211007230050060207617704483913568487020386612675099470773370717657374861044992939563075540978208277455783654511878538950291808744228334204522554009216806163343973548097843046243549174022328700851586804159313601461216565391487177684815873717679059019796761667669491458419882506144601791158476320022142436392910265642137030624038589331580844312683788761159106773836049440285100183481918534526738945630197824116914691687618255349 -0 -0 -1 -192 -973066898438133470773494415360 -61333559381831070683658258698802878545 -53535005721204496876936515275724889845817409334527168350061458281042045566976 -0 -35340054082346922390131417025011886439703502295343037882213639103251549897900 -1009118888395535762047061721180456806194166614565541999396274651526674300640202434640874659775936931364083317600665242264448090018723165449003588386816 -2392526284157188505188392690013448960986950491375028571859495919060981215979514074503662055648827708202314679184721591212604079491336362235307206391833426 -4218798631160832202661168847672965043016773529025064083427701368151868437320716279368190139450621334670500868570495563594616568204374854957138784941027870 -483959849385694416988953239395437763233014877575377690428602005170645490229330810160206389562974522706669622381302406569004289640692782430642495811485696 -5378187878649244049653816422966231411527819255785030355895748698860605699359864142748498411935665392420582096163286983444186194198233107257177496094195107895074872712441771334893808547355079651652051885242856910759791626223884287793085982216148604993192657336251775590261767563683353789243163725004800 -32818464130850205246467682789169918339482637627874185171064672905340879331577799944668821853359894806536530578739275748702344346513314541480359830789085211784100573835252933274724858360731614753176374779056545876405547001284878778829435612577133895639650041742079621450894836820613872672377867785376695923853094317140137484881752383755066269670040095376107209776772131790659671001065420513961226520376690403010625950002651054751819424823637290081472387 -0 -0 -1 -532 -1054096356549212854433844559872 -295167673194252499689312720648542539285 -18569052254320792886536065199102429830591425911674802887337142847422563614720 -0 -97896720708781798801687131335879227111506109430789223376551280139659913587350 -1634009508410887242647804687779058371050929112656850452045994095398157878806417902701340267267910135426243622542827304902620893278343438781078703177728 -862159323782353319562779470318789629705961090965297342320245925680889441369443314188948203254697918300615698372425403937959274851949640461887703447193841 -7173051967940195554257280536479042043827601659905799457098258573897554700956880589901442356513658795342086705483095145011273200575189131337241532322688171 -14778026829432832620717758207920676238440861869481283376192906681351851826811501922740289231253685732115671799215873523794595875524613727991318894568538112 -9743687940329798123999941212290764982687335446528161500746427614131976390988057307286128146303396660476408358788140586545951034783015956845304363388199684637129690259093248015713809461202981476094156748203762337562483089253099990690430154929727318541968412839173701447769414174975320032013797193416704 -11665082978646551184396197271822834154968679459301162080769250076458812934480608734582177152703187939426687223961976274547227366150916137584109379949067630208858792329939845114289322648585580755616610302258512584989884644997352747262852786631806253344305668062922039579812843505258327167494097412319071183014601014647063034669866001123270058546336028496149434886023941746932012392894414262845484462335477059377413559348424920746843432610014073597213636 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -4 -771 -891784777631246170114448424959 -1327929446201306785262743695648620545 -57895602960811796650871631801676582813791887579127636891104569893774562426879 -115791647579680518644692972256970658065423327120836162316857392245886991466495 -0 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -0 -0 -1 -43 -597446603600272666897934188543 -335986975837048587653674597853034419125 -4960875119562861993119998040929006214931859756877807299872704131313015193599 -83869314384839239184918994159181415456293389193220202757469792852202756243455 -0 -446851339107039186419289111745794461503166996177271801631416983378126123568718875224988495884755883200400258616355472950696139342262717961597794385919 -2457416883750494183832570853589468397031071769924709837931117427688509339888648917495080941417107639148560803684251898538275596934697939251488325371868124 -4104295260045454815975181617904063417540583687524096503951973213007375671429493052370291608008405377354342405201451646421020861407202042797591936611216757 -5398900427668751217850873803494875937404578551752982184373461962988643267134263496913051856036153441820443871129747572123078186712219756428262779956232191 -1007218583726087024268446200406511915539475815058077584580036382202886749107233498655574150289262240696650047786995708501433958989054102047792490904760349592902261758650729430923763743863222004063022441814082480599888346140582423150899204609625387915667741403853025291774074147108688932055983390195711 -23380145599663018538794334849478795685367611191421527490464557496763254711125422173670092394177895709559935294769976819952372348766078401488089491379204849818544542158134496224979987816433965631446790943462305235568068590323956450149969681186862262029930095126068867520361231472357215498730835672433665458819876311608479695607535070166435960898021320714467950701155806239822554229659277947203115399804129178780683995750006285527204806890220566457893817 -0 -0 -16 -417 -51915870197464503363519381505 -252258564697022016064972069604476995730 -49219110417420231511113764378238860427237875311237523872333835875498405658625 -102059959947892163134217117691190804610012473033509494849327043219849901768705 -0 -294741958829571476136926871256484717091819171292816858794352010629523393545452840612410539842221513608737007525936314033110034418127477704314176143361 -3610022075817249902604614007613923579547402226882542852635039392814912818785402413253274269359316403441885507203823787712636067696281764519975647585808036 -3482683400560148150354019097545843271463498486574340530929160498845628623564983594731900657921818042087045491261078134766035389271551015123919424955561779 -2250865723942111784039421608251851432625547218473942867505887413831061852377508665133755951631672797483190995230665622102487996363019684093932899173138433 -10365393947735305013406914790529970011789937562186538656086799243490315444313309044458058836146192026472268081854266767322163579707977712683519957790124192466318755078159491340837738702367012687896445047003782661660364048868352982928925323993821529472941240126796375997530714377580986794001906926616577 -14333822648693704865076879128906075720499136539069158690685854059407099164825884209184916036182302301395671457986593271682838667112004613576105840990149035878508820984562415792148035482874225110645395684214966452961820472792442602064243527154948068695736851229344379321130087114111462740896607157184206550890192589389891097286967351231550279425607394341507476319668354155045448922078367672145026743791767604387213710928364307934410387263608077250700922 -0 -0 -4 -857 -1131685075580794109740493832193 -5591051640426086522729162377581522820 -49306867245429292665712135123169680084542437782148851479415184718925278478337 -25169675183049498057756995668265957449819867477380947926503567596715595792385 -0 -1542102799772537760963096697799266983934002048485565532539213661192226994429815251647197396526306187090160124800082409862575273365902118268755683311617 -2878686104109625229862354165402805665509620736230260577444969531934998053988812440085505116849926944621437581036715525742444317675163909046866434002617548 -1408524625048880495289336975458683532829516256219036238078109087870567897704916529748103852417398524574297919263661719753670147382638802928308999469587009 -4742693590966914277133482345622645931210627503968707620206733070482049794927860629080377711683265908227819055370520162972241526589942916768449868513411073 -5553130642134937791530098743023191297911732972994212582055485264717254209908250004950803382001574291176411334745038178232430168856024215688613524818989709760819986306959630308890022984882592785783047391490235914166320765169341522983194375620252621448545812049279764384555916944408353668680790336077825 -4723927638618295083690092755463316838498918330240796682728223697622545893312048720733281849001727094418300588431465926349278460120916795941753250274668142622894086165783902042659225253028435298371078758268910795425148305403592272806883261778790469890737429382002305486407398555872939312784693343967014010596526975636760014820772215746889139520167274303379900890377661917715485803657804374133841224806618394107058611468658108088260131560551896063029806 -0 -0 -1 -339 -813911142051622544908469927935 -4998080979218566999874015281917916555 -36694329931173559945696159169023191810080707655034316545018050435414281420799 -28634157081599137704071405870600522487246030369305940433755254306653996056575 -0 -1843618193774705784137956843790595835260885788482623306691425639970821561161960610834735278405087149627169615102857943696661773073162375892056240291839 -1170950137596410394079556452052007744667922551742356085549311726107104621063174324321159198410238181081409377899289339696505183364108241398143346683397274 -6266577599180715272643179829794667116364415231701874317566806045550798989424764451453171897199722686363150830763178386494247478884029147366386550475745174 -19499454418662965629802092201099350207580257918576731805737028058666848388525076659636862212534884659279639848323707620894715396779028548909594207393415167 -7491310775427379205451275241696534198775207876533479087995103252323137907742560676206102526955127596768143236592364563919391365130622631807244861360530642258721353802216367646769792844931749654022069462592705831533949527241530587573297737411586728906086303832296331156380881819739166686878092144672767 -18796502162760160226250152204618694839807906286113092800003110777883789218842243583036064249900793594494008242546403509188567430371285061255161460873411492857908336448904619340775306266718509033743784612836222680866203517611201799111354771581380221437368528919952566186512228630174278700984373922250123310919722657324347467475261738175114760435522588005390001769791388961028828314032397203388180386644894795950381375883062194583758183135747713996158476 -0 -0 -4 -729 -828471727968036044453779079169 -246763246873648168750114309847746005595 -14797796466515082470342263148884814370442076847061299435927018837432355258369 -53523753874056411494904927181451501266586517086289761739581598242912772030465 -0 -1610256322768663008681400364814073486033869865214932600830364116109232945229182624979010068028626424299039929917408136658184480247613110744087848288257 -4982989173773022649022397963184917180752190882657662748886552370901797910421968943370653256257967628629024664151919676967847090084950251857702290490980262 -12148110333218384648436139282566844904693423767379435822469549432550659540325752661673352721491851141598081552703324243494124595306618572675953315479573797 -11028869767950066853862903870251721369434866526464337153519928986032553183047292589177288689002878431824162808354999536746934113300550015294401283448897537 -5564677243506565432840796326485830517108613266274939211083439123715117854386689205611896780808790236784879267345611559615161743402643098893029929273758889773892627347825037932396714085133601074675261736569510119123888317868706628104410262093816075912392494216258946925258732634257705061191794611453953 -12832448199509312748037695466110344603691973686346158577275697531431038398255234604164046550781119126216534644040340178530673012471457078814611960997016443056894042854161746711315668268536386219382705407726308690881678952673969590544355499320160817266809347245168990155961021732027075310147074025336573553132150745598676058388830602694665869887746332618578258133919549090512076129869049818309689542631433818773293308811803158552451157660610127239822650 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -10 -348 -734763819450510610632565325824 -83076749736557242049732541826465792 -56086793224325083479877516880625996376700331315327416568653997679101469523968 -43066253535244233026187978142387001755402803069145978156050831917314998272 -201496559500976655734260440277137434576370058288390243702942488773257463333742 -0 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -0 -0 -13 -684 -887995200883511538239500451840 -185744035486811956755421374818265305947 -28022724762678085694347421423886262818477620187692930983847526359050708058112 -60066058720019429804858835809980860963604546002890479581904231770820593057792 -140726188198724864302983488206145216978022023086026367060204697866126599261742 -0 -1306435882293703054785864617754127645947981008635081515972982328252373992773175682602366698784049948578438144756464452476167658757197266011674411590215624 -3418924933199934873321329948743314146142040692630731923496865500679236033474734183436540120875605867521473258874285532970466381831296084581446997731696468 -3109273453047763295057753183837237869395959180214923717206774456268927599702732452171437824488600294111292564013762251960507352853270412970588497512497152 -286731836186446095857785724442739726555989697273304519023165182400415887707383423935925307951900182657313805119211164740403675553245412634677881978590896153075228565724249371402865963565486212287922871904886718220392004596796756145262329924195978312198219275306469037658944155791679821415216932978688 -23705763208580774588928458369265619438916460021945211232193047627926603512005878931377912938311419163243403002660952903410656586223538662133420783063393034282975381898012298576963467515440532649689328334345780681671723172171010972029952896075198416960048234210840439701334495379764884464832012212719290831505340271260696067947540265478850247171084561966330905870702345126530017405343636921534310353745046761481665427795564834777302251191884558790364186 -0 -0 -16 -284 -923020903585570222185243475968 -134595118892137229728955299113857603251 -12517788472856075617475369492923779675790060603142796585343152963486180442112 -21278317616479394781203625492118767183546382422255138071596449473207327522816 -37333224946615587454531558429668776609410791968643457941551824417764439077616 -0 -4365216629959533172982077795378474518196312747569830926192625581814797043834797277039496659650371970445843961712911189437934023902885370155197127447599587 -7786275362280256985096504919805326940788214494037837259488750879599254096754641518066648702992692840392471672645638933505566197966897842107066681649920912 -8618362445903795498495298150872761763162723533326999016941555427533106887247180867507912332927251479902784257469217137485980295377407380260430728522629120 -7982146058423899625168899480055973629935142133954608148082398488598972256455265091746814757927002125120326401286119392678755814780700585901254416951099507381124434116044162971886485060919796269087997434118497014919733636378546760466317072097028651097132741041399433702808164954962506455701888258015232 -21989330961427482320873414443063015928257919942443821711178892798696487896352353009088507622971045148342817299121972243674879166058756712149437499808420544292407293376143293804754263654378017796839550542953209140796361828649433680420247205870246799908001987021274080200394165262473622337823240257874872815088714497275294574219657771744609557582141606487864476140423350129460552762119376149626806864803509401361323064126501267414575167852478576633701103 -0 -0 -4 -192 -132781846299563114295034118144 -287795638097315923177133982791898021661 -41260134549646540530567879497450034797936197027784201139228793125077872803840 -26725487537631090553213382951117408090775065651640692466752663021330299355136 -17991000660342902270761827603753917202037974525700770708412111282505637002686 -0 -3944008675763809747015020665178678882677044257366818833894853057097872891661745300374363390097768393910140535804055885471681266094856681311889793405842943 -10432168002169925309120503644722046609224368185326214525537866102657473676610157919783033661419495704812662343601179229565468596161053474859566232729971168 -4434125550755468286273915949559378521845137875362780075693690876557539422008078027298618389135234122502995076657800647221775819541243724097410850717958144 -10544028428859860647631953921720386323000119376125885681800950423087768127297571058267839503395689317829039753434382369495774320720145371495400808557366564483951610047346873818659355869536197251947067485092374284236784198628790721882722429857933128554802811282519317048898934233902279839985805232701440 -18440345941730146769481994533733567141044993718475504938583318912857102648847047027910392382495051573769813528456979411954962447707741851707281536897396641672916772895898381890381674089051912642497004147872377088851984352979390381063683748636451983558056315085668918214320300476071304869797011014426609032047214117423653962127333957708782154126828418118548172708012943197384144043383315600410200355075913830695186216882152046505722142344944887793337854 -0 -0 -13 -848 -582024649450436441833425862656 -96569028480694229617495306964621095513 -51864362273957721702450812674007399695894707256635407766080228745350205145088 -42338700632985114555032701713036006818320082283349136714641228033327395504128 -215954730055182411688222939177706107427072066045627310771072503279957579162468 -0 -564120810776501871547030068641973310984074415468950923614458445915309234305596816720344025395793468749961903973331424982658487492675732875715746581881639 -9512030017005233270085163286414408214444876161604376761868292912053847917535106665754020297449298958739630340441868032179720694634048588859831514895174004 -3424474661482523359099400350868558228999347406743051468541630110333927244078257761445483195343636488588952518919760460591527948463291377508337491634028544 -1908744027142267160255992222033230928186240062062564360139414061079951535468660083714712566829573866331135382316682210055579103865954047482673249785878901884126518352007886346248743951305036458287883359238321077240214116300549133893047140060961188058073853208070901174162050948796606119057608052572160 -533753182221943739411515817506559992144353474201345586358967700583566469936103300520749166184587887860573873190047587658861707366381179609208438444812890854907402119224883354291361848266886930865694292240182736475266290660159879661714355945901578730736360959787897025448543671196789177297617755152629881870393271660514425363164245734715462258579427757199028980848704112940977349320451917649697374845997311260177033885249436939940782382383929118269489 -0 -0 -4 -524 -580845881975944426787514089472 -247672215531302623220114886854143351291 -37388457217608581848439794961125547405280755409544281555421884293853562798080 -6867524968084435742227914739535272191184841314026237436198416499210501226496 -37084585770552631634036071894836390875870489411136211932476363892010270509161 -0 -2060718003102261095469378358151405280518660285538331953442371394551388847723544748074563153067316177877347237081738459763835643097859427740490945401065896 -2427597878315108052588416153186371822454229878691660809974423528713640874637568365876246285814256304894224389434236414966957500210729605332124313726402355 -17899117585006203601483637166090154016991728785619486538375724587636009980913873117460186227173247676970981855052572465455831400785016798907992702502043648 -1871601166577895913665863813882743743306248246207644360499054669218177312807383799762174801630805340092267502315367248573627278277545825513989809282952455822056852517152157679111824332559476177533337546335447972701488371422446112963735366800940695179512495443184058856851596498196420939445759478071296 -10550306778399659975487897356875358924973318622498728253620155978576923389364488120390171602550388451242602890206431322088607185746985283921168954364764596976217073705682936664824865112089874261838527911965608302408800742105060068062502398384764473486663935558909957592004243003066730197686300227260257298269425658277997389598475973630768006422518890534069851801433726348188900604318019697404931564408067035791107685741964005839508900413176154475821036 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -1 -455 -12835319081690733822122917887 -127603331931914074262646774143133941767 -57894298449951398757252466847559442906950400042978305056517893187912714944511 -82474589191995733226059000413673369947276401483368126437014470136553367666687 -1725367873614246661397681099761093360336884063153660970896243052915304594387 -762145642166990121634319750876330910924084988636669303246807590962648009181396757661856053558136824594202566053704052044355748404436481867775 -0 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -0 -0 -1 -455 -346299262836863942390852878335 -124566106711135523024142034815609358702 -44045214583669272699005754870852537422943743579723467162109618579770773078015 -47191182087471614723727659086024420134442459808826251007744893899083683463167 -149345394318679384540349467866290540580664685942593858325103856164763257832712 -328659738499559851395369286572775271201389799649696769367887874387602713649950541005767198083760164244451135081042951771979928777420726556841593536511 -0 -6499574949616620637580116906143754514426259529884439117780273025054849187451370731789917263550769050214853609122367946205434263410894715910936878759479861 -10124369117566771149603816821574722189892029783289052707167197978669109873476852672835440349606345261291423564961708638702389275798144171277206026719330303 -5383941699543092305623443842804493263947292181555684893992973883142751498900796716464867906615276957493629319704781718428057228609756150862864742004037399095952297373496665788422781648005837085478113966408640459815231657886564133913536806437981143729147690610590905694337501640066370356251688307785727 -6310918068059471764026319883889981132676900864298663494645342741409042787564204104397616974568887642296873516370780274089671686771704841938229887196137460632598595783254274133337225772320128927921843666172747542030026661734330465262950674563868305274037519191385934219987327624738988091242143029337066541173427000341834616390107777280313836624864077607937735030229348205663463578720868333899592726387334113240438244508441849656170478117348105420506878 -0 -0 -1 -1 -1081180894199368861240340250625 -276904095316794738679647588766540076161 -18514213011776190595773191080849496970028811091221965026218765069756819046401 -95073983698370028065196578355547349954385319767423967546472360718799690792961 -6693017956846532764960681557697229863590470801886832055562479247632768202596 -2629164625513944344764393375912545052754690348620826079674933659671918850737622014550902801880361819290452858809500518180554683024947040651570430607361 -0 -4137577240563885180314014646510639308253117303602681600936018963727274657401877961996913350454564200277844605264306113013779943962820037004955398417119598 -6012634743225204725211101132320048969685865768619552174466530181728480133292301029875548285114373185900664580122272341980596861811413330588763908353294337 -254535129586580270548521975414349752244526806343151862080007760571223205791187472902044998439332623334230660834529731711989369170257700618020245017747639011641677093780420045542350067272071826391827216607645254644193288995966198490603503031365625040118877912466523642200661116519635298806043651342337 -8385908846676081908370043980559351677127770716607791744592576475690297800091571658800512758412511961004663163941376701719082333294800426334317916965716031020176657167014768130949406498916053374967901129501825532754676652724685176412371614884225185706503174134155152063944407927152995929183429819648489312242513817944158673167844009257444561330167132349514611454316120198401977968656265677200605323359155355731762973826116236680898629609918324923846369 -0 -0 -1 -1 -324956523760712896376838553601 -47627363697928134504927977366887218436 -33434307187530355896632894137563272179790850372650630159758741607677205413889 -104315921941200306811166882397908923183277873670404242656007610443530523115521 -205533708257112897495155981027938658151590718760836138711462112141640293797081 -1107909686739446306967869518645944435031236156727422752526394105581762893921951275569530192146029955926564787705997591876292833451590952315825059528705 -0 -308755345928398507077827126197262399264414124207949539753718673573534243084848112587571000480595914906260398850382596175138781946603416961836963870626141 -18244350893087399850665188670118991037975220133032205465990746245721929325028153136705422106519390226837480732385191993725441112016188775082810504002928641 -3665588193601842217160462892006519794441699353581412583510916962644156398320556835171594452576616053963810443333586339255795973680000246325868129939290031865642638045425971867009672427500503914468057445618838753197439907968265469989645596428647594500319536081932047598179754671610950943455199214174209 -22186396831654097227986496390728371980330693530332007779166541519242688898973938381447063194690736625552685027691280623961530978041318772892810396870809949339891780432739513792778708087762348742046586160063394433346940941101035727747372800903757578028991776450199349428475680885800121505072160076081825165777670772329510069207190667831629973354820426821121553497181841257104073871622072935426694421062659417600761519902665044177543487193516620418169098 -0 -0 -1 -455 -1168225574662879022832991338495 -57044890746169261651982104206166026733 -24779217388362851886903530808112954986166879528618678581940026232185554993151 -55591006844159235471682881367005599231961414654778243528698592315005808410623 -196546087471840559446390920880856282064404926864490466841380522742929941658568 -1917639872072259012937469746034134309612115999398820982521714520910586889626920621215182691543587130631234794290116996439471618261125269461687047553023 -0 -560629320288680383605194363023384807151678143098424596613421718363041709472766750167486947243276747104145109416759625120625677741081131727837587049341019 -21759673470171209133072662941401074809641596506044027427359195245599749269615278218888544963788731822407161900052925229605030503595641862078189438914002943 -8222674955398877316557535473602868565827602242812253563419515952040766275770537334852962079852348771177051126858608391846792829268299315517383515972974712379197466243571886838842455021350337318953242740755305732748699335134286099636570483789761728214215928903659103496254292223405306563391980052676607 -6704878406080177707560203655054736070477248576489688306407842672251903096919006312415980371154994403260429964471609192482935456676801001230508899453034708688807610209409717279310365716437632450197121589568242633422750297260272378736694314947182768068352565076127017290514776717356480481674630872849763970700450069226388331363736946106411055783778057065098928098706626638969150760900186745176895660013716070551573583271188993227435662677589978033750659 -0 -0 -1 -1 -87563840629716667648756940801 -32581458921182292884541920892394116196 -36836091762090661553341041736371299478161889753078991612037085885874369986561 -103386798190572160839245264014111757730316335866975469301775408799589041438721 -230979096632485379690874166782108500616204584679462971821585472432375012098081 -1175849592681947186381704220573745682736611171788630769140595898826048744669637879095677970676093415500222347357756142334095120061003014283574860840961 -0 -11889537611764019713474395414522017738805331131412830425961734413527746223621889642851856767739924676858324754442498238690013743634420772752231361918208575 -10100837533498068062116682421711269237464416549039194254318934545331492474511664814492105364025928254622293940722169331634657785497327849544082846163927041 -1369148440215267019286304149733761118056665924873961991411630969747965209899998790716499635578218937487656801015714762781120580385002698505340071100124982713842184248347860416733386896580942622009293934979960183456583184237569483817916647944103549712738217905254990813029611090034738596009778303991809 -14470891946382593133261871975556948917962250576470186541215002308627316792841475378647804951570288535703522370652296694295712464047904010907340184090003647914959531499893292863053894273874528256748420135416037596722727653113848255103464219786106388140414129037919023044763659100696777268559628822671794913188044005920185870352459166957980274030642096976079120265889000691672667107327976040012293388052690990946304488345186187456257606086924331607962389 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -20 -595 -182776107722364003135434784767 -281466386776064 -57894277771803943810359491595023458960167522338927730828258057680034478424063 -89555305827206481420887328961785203324625996138257453019240897699860153630719 -31072229483910585358509303280765563029411398133731077240605874038996845471709 -3273390607896141870013189358366943131609359382662427080975450085374873026606564249289725539410814263596351691407518053929870103702401568479817676881919 -3351951982484124983609172268969732236347481510662869536744042230485685559782341996467619926017805728755414692283401971053259449792684445385138897718083585 -0 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -0 -0 -20 -99 -959889322504300279480128110591 -226336563431145028687618637822844548759 -8191728281812111000214169178820381725838839982899041198234467802159092072447 -89010858809825214210137289255494412179471657721652615002925377757309556490239 -28296599574001589588954577695238704244097106391390255507549917926893049677184 -1143685232425095012373289446686042380253702819534317091382577237068099768813347351859388607019602275279637030972001139645555685678576527645905260642303 -2104386984118747727716517063913738816025890811467756992449715776590348174368338808503581044664946651173257522380822233775261192222343142632013731451133938 -0 -3245766926972643552330628549049705392854964955772154252338528686239084242071182385973867724746592501989847967320150395945141828002524173519974765401473023 -6907648306248975720047253807553315878303563975921476580151692887533957733952838913222178155862261045104101262891677093360305327510435202370854866877221225386828546336285443261625103246327521271905514699410432996107397381514692809796698965099058352936055010684764360915671953963860003695683345510825983 -26447750664679572972311511491346762878392092007822795854735091849389623944255827031514453721868656369736370805514656452589804235525013818434397127292257036933491312808959509859350482891134824058764033024690355796359079598096947363393151627873770672958867270537674600576785634138230894329775351387231396268146781903236645159728891454367132969379219264931998221585031609847512363429272555066238888068880222596086485264677276997340726172359858551867347999 -0 -0 -1 -853 -801006859139436247401554247681 -142225711339612348039388698959539597716 -35410378673742450051313678883687618704562356389379983514233123876029687922689 -38091574202374902858714012832961735959144676797295175057041826999843956981761 -35509638606720435404002212308149594900713246317816589861892489724156349420746 -947006889763449443971526094184752460089916877997363377410340189611125125701316093754306776646584059092783200306323088027637258553889934093760610697217 -4220939006243733889354999574941943865608293932174863319944209124029612039884827143990223224550002012724043690083235647740267932838159837905350721905177008 -0 -9819440398814080363130785191409752685155104538075120057014007750225191492119731772827023591993721591147390320845851382883568011993500439254883415399333889 -9655632408759825233958611797456496067063588648590435065602226373676034823927066598142456746083088436655720971023229982832504728539123316354948596655920694029523232211427760301619988760938379731840724545418059474244039925314243108598463317618776112331037188490273232491842485947576029350960119525933057 -19168469482771522387361980195401090898697209536327388812153014901529211406007624393592650590928364242770484062532946351666565045957764391288622530585296240046291185627706970869937489824896647625260613504074528292679224168776865581606886288126591395731294608037126460284763239262254718080804765957557128258706900873267005249160304719047478911756155253168469506131790620297150118426293519712473869983955423743730285845904324583142963587786011293140146359 -0 -0 -1 -673 -715561516884788010108823011329 -286119718739330631910267662147206086291 -4077367256260361378876724861054846658815066802262232907668922921382880215041 -100388196731105783095258894359755309057443209346921752384716203296701221437441 -161978619973690354040532742933073207830461397640286489633556474311275198068706 -295808498796001041580957434812431144336907268953236122391222657342664931238894722072411794573977944314328249736260072780418263762201867190982817087489 -97407145078903878701182151565338220720952838018650765330450334535905937357373611965592469739325221569980257894281512858606923275277875824669884901395310 -0 -25619912338425179981237074026942021799265536991310528535894660424287880718210785582129672576271686161615856398250702958965821900733894974363009685894725633 -7671522909468965446688811864997649775732139334764200965671339202409525004787427756456574114546598384573443159084990772200209956297641268137668960261240194749599773379609102037525886640588454985746187171015912121459949370747421414640087855414458925160365198194096646399383154836512890554710890718953473 -10293884923205428378666956554848182142244715690619212169171170546179865224723565444900771453248701102868483061985574173559709761183179067864659447677846955231286308377671525004854738789280605580119191885659203370511449399894078589757295087079227410959307116809855467581150399434097595488801159507371338585214103760300181569615667928415747705672332480417684601788700985353510796076482470500651763753290405004222433976439506565358025254851862958596926224 -0 -0 -20 -319 -798574734973800499883498536959 -119319092661737199044961145581817753859 -41294191017998785012725086702072135678398504724859270409452353997253994610687 -110624822424825875387330825570332783320826449688572761060969648171618999992319 -60004897054289201390963390115257285329375358987352500183853788324442296431274 -2150478234121502140094205664847123566690038384648319032584399902322112031029827710253123600637285764878597164636106830261747369442317038978555055177727 -2286371016578508441121921294709678407693328940913329697268533575124016682365838296403222603898047913087019704067878310158113313849417316810388464204629572 -0 -25671226303654754146969894507457657987204391426702541645624778236755811429128127378887919394161592482970532540809070418766878887011243610093297304929828863 -4785525495332916713108346669310355883208597124913721653495570548939574646651963675833362058107793696545444101958156033302876198568608530737409310207901760770957083322440752303097212064072393248697788251227338207068162143919875155956848187111766304706403350196933167632508223394324726953817363397476351 -32094431582633234807734495384819130272063712020829901878525215417797644447839755174060744776726644205182311880852974878748451402374419467270518797046912443530456212016605470991508907045276371141670695248538943422952924891445929100158107096854447459717681547826391098044944416207597160685051923871604127853310380648807504003049978615375745963324507225789653536595005326797804437482047876186051782235982636836244442075633553513047827811973923415770476767 -0 -0 -1 -337 -1188247491006021359695801876481 -11358522768134003317334293217035462861 -6973218261549576848638199934276587054115075947565903430900153448684127780865 -45591291715308727736165915509600830342618838112033396612024233841157189140481 -40977506359948200822020517638847374989428006593590887799032148830447784766831 -3158526125081113331509898514788313887509900397230108802808242305275074329114995683632326747175671847567894522724549111521860848666266947552987433664513 -4584447565436503172316825244033692918247702864479587471557460110462846155092582971475613387484731203139053010262859517492416070493565968167184179196803079 -0 -17855886664960195299137683256225599460539695469189441741138167148311674787837063586188982923974069115198316431121434733749422291458227574255634138536083457 -1374356246318253574025982110729726842105081842171225422931088363015788466146368528015009583509706677602458662747215994780981399824925913453782201779377138318045172999325810798864144189015648497899487658934661306497156780183553405477807924063800170898266248650878103340616913829333509130538752749338625 -1640563579891112614924709605958688587289742793630758509110339884654417246046905788570037457484399424416760895124676877531011891636277126802773558750473620855831931500866708684883937438953118514443126192930877064490752020898747438980089537975395182532494013272495476219349907646220024050095700438285617434068609057901263757996869152424637406600611987744170919997651080917069478242122542753946615128758176926986841759042912203967255896726167421198572976 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -3 -780 -899245128272588436190215012352 -79382824738944801807794176002 -57892510978869681736730162220291002611042557329170362915611609916721313349632 -63318549916452990938470040291368379201286383559458191806845672058759835287552 -174649700752953765434988902296252491183916410461948522823307150782111144039507 -3273390607896141870013189019906287111002076719299707330406074198757955051929170942113619750485120149822099821188584330248544763114365430245700361256960 -1675975991239013909235918173490637855139324507692685389812651662983087942796182042459207730713681429512584287523480954202975430917613169254383951955361797 -17917957937422433684459538244547554224973162370938960458267029029640947834979519339152474433150005542914 -0 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -0 -0 -6 -704 -1177162594896717752709689638912 -96077425054455585888525548032358255307 -32860001485564213363245573215878063920603649509172460851204817722599339458560 -60109254545096573330255392159285415923549233358667844961269905663499962417152 -3073211245680220492517146661351308979695018043393915095083610251485928253557 -1196437601768571072681596644798276004178149983088278508148600069149523733201731793704103372368213233390444497494452110276684749064047644093326087421952 -2038636880556966905914764363156480651959910168504797327228316486248128297682164213768446666903998086070536989636186162862522556977670168122610463846604180 -10761508670374291972420269797715021028414464448240558938464987728552613552119689435329519427607648808039987095579973579961133046464353196386286909020663497 -0 -40984697395123061397847385885955617731982529976694509690496120168455541366383914951564162858485528121548558319374726064139914899078481865279546572464299479360080901581918627814605543248487499283343493082927078480873799428963538897690536507270633025904660571444960128829640263091486837879144125038592 -8909946412269299572792850981460782799532037067275283441188867265579333027637974855653738811158117573684759311560589042257190296847643010765802475698723405320867966475350089536733110413273085947267298794710610764685212306019986582674496969299883756072077594732387268624852957690791194886450004295782387045096350267854332914068470074912878717285439467272539570799182006042059497909029848272463040589609458879066125823035788194404021371601097559221551987 -0 -0 -9 -692 -76435178552732951009197817856 -231982479817395379926203139743231669376 -47577898445412852300055548317787946557302802230354890877227185969553614045184 -94970241355010768267008081913617218797759253919929280496382103858739366854656 -14056327310363451370485055691408505290446120500764073466549198485574965172326 -2766964662182057386500329725111256292868978381151632013212396637813257618816895179949288796855976654014890661438562190344471725761340854297277946134528 -1329225061763580875918533781650822376275620990297295670554223160059148641553029627129765204098380667668821227128123235735809087554397139852326517131173276 -11097141842847614394079602992178709247589894415852402133624794662338776078636709858667481909108996684238974927213647046033793578164937980468332310219323018 -0 -8071735877529897797164814472711670751575699750650911010717417970127274646674179517149969617423521215633934503699616678817716843715742637948946050252837432727686220974468561142882832356080149399758341834298569043889563654149450777405007560189562518343814488242871896319575202397519320214473602582446080 -6694616185800266287626591614740434614172450545677003882600376830829359762042179214842368391192674719407443643400544441630973206517018113283369936295245057174712933556994499956071283288989464799795553730151588182776157104143243273082778860642399792205046014812501849329466277700807982917596823152488508302015315461955865789728769054751228692423119905880893937895064193158759226982592756051890511086607781198053342618530824939847343739509034244875431247 -0 -0 -18 -856 -672949534961130560651949768704 -232952537159279159427935901397589147661 -53562723566230157237791876909273765997707933576810908258367261806129122902016 -31550994824562540598335530352687292695019428977242991470692369974431355764736 -152032362650815553704368562568087238407459967027457421226225849525712097091101 -45958219062793756897818223297329408371898301258718170247988696901754793869347716750803095228248960915336985565984017868792052415880945925312017858560 -2138965005429346794405216904139045984058362385566693925431000008613749092589355018622253069902180893858672397449645385554064735573191661559383999731945459 -5599082768478558353474373621584847716101862099962719911376003810521845817678124356992801556560959828813284665370289254359505555309567567683413487963442538 -0 -8505562198751426520419753868937928657815376861050869644650730877638862873089958249260761602153572619531088220914388128107806730704564885365227693238095778773347289827488140170092404396918489146978219366997692666431664422833499810391011971777952027507988195640695475217721220156144534273026766902657024 -13258845752058319557761867621646364193350685009107763072613748715545508884518792435165640060432501692620709571169303323832489898753595064750109814688579187658973115795780901167999045757923357842908980476028181042805278133908688854546483149229843751393689435259677649157449342132761603805685178078740303455039238350459994854784015714248007648831119423734010949858462504093063563879993972734732657191983776886556653813278840564588343475007599515963220807 -0 -0 -6 -528 -754710143931888045283579265024 -287963055808859601191421471911256637338 -31470892304589511166080140750820995558894235651868644947081847455352142954496 -20368885260017261654021615802767195047009744205269123887896635371822470135808 -142720835682631691219581295413272156653298972135487346569310533961626415868843 -634034310188921143352280112839185376851989590898296042925196037660929073594178058676330909116314511976492745895031863182439397264248057241967936929792 -3536260655104985228570598047629889621504635464480007413999695872026244668858612074261286775235489798011926649959578184502755418831731290347207977473778761 -2287281553939530956352194620419013279616295380484047525310562106105104280173822770723063903213369365468416110828105561770407010047970222328014275531881062 -0 -8975406365256287079502146141544330687925839285578604542063444104478512627003244297195048898182515489030820157009675126108192822666606148894492389023997343919294064572180355360315826219274413911422788253153439868196680254069763329891225781141566431534338291820281857844001159772664584722309392818503680 -7627895627796776336034103253504663513973127224674837000702424659700877395432210192501491531145025624704509245843631295415207650789564811514832835249177414395254574557066114110734069582082204595410051869299928733226428505155385671730599432801289079265733997957718465603964310879479766099831516659589939704922842510148318960095699074620514977940993795465684303075866898594805143270298319852548800656967084658804532267409910838781960922542128682794059262 -0 -0 -18 -884 -269006938810274604690777833472 -101610588522779797032951766648409694306 -40658360805639445426216385690775372728200090304603522756100519340351932071936 -91802138973420634587973914099224098988335694649088995732701581040017689542656 -160395547580151362819010763928022387697275046750539372389069219756723503990401 -2233124152381198796145991717823834504772859747063952845191626176084833539989086207836671472551515196170555448158422751623837827519669626403644933931008 -1919252284176976160011289332010981490746074225906227007498726993112622893994450491566696784468278809972885041734059388168593055735985280406694325759910450 -2289668776080774022092664264319203559647600991451909561040327250000009538496148645073308529369889500343496260137733562205719817974360067449226154885838315 -0 -8759003555859924455289792006122150340086642892965675685066523367563039345030166298894450331668432839835781802150906003659255941165890838655350310430355795467012027286822624520715979773959322702857888683940335230551215550420172560712753155144372559458294216901317555971294843609695973013254603739758592 -10233986988627486160165893250925551838419499341074966949334890607408070394472982377098453235058445034249828511040640776640636214044010669184255119316736950277091273009417324454157384181382413000016000601683912644163946480527308355567900081185611244964219361614299468279593357197464317206904586553970296516293220670021691347612227687198102745489374326883191094857906024566921950771760071555266307078912566589261856641951389747392777294648176011723094938 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -11 -372 -21559839277448701880456708096 -5316932265549267143283400319839567616 -16282337714987120045892153486177165723161016453744476162789802658371874062336 -88537159989150876890408569427587371627685568624275408353614000822051296772096 -117153649598454680903779921606971322936867216714956963589387307178373077018966 -2451846285358576582757929577719947826359368522202829009982370031469538161149259226929244677345525601309596834316982200231651181236759995889790497062912 -3757219424385931343692363754866841943466352992489416825487678472853020775555494604110835156534238535884545156565469882173219151445924025758587329876446051 -1637494313049913248505508525988843145443777840250318553676797222770022673451141317105487157651955800518089884835975451904017985829916792949984404185120 -10058766516776922387083424546997939506014390161211981301999104219673036875504700741486695698194962976600388399803269774949866748354955056527082238634885120 -0 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -0 -0 -8 -788 -946214455905379764424855781376 -249640706902979523796329170594729366801 -16258878864784814636110793294682776772576083739386883456710601266131116228608 -94078769493157252401658832572786963194593512892920809466055866983486739972096 -195490272915595318817582071325338439133008656712282569735706902622916446459266 -774359154233456237796402928872914317257521270747766957039349342659625972382672493574510375099070233552293990548180408226281598743426255631871050252288 -3324275818746059767372921081282057650219072022078335429667273973120625111543946446086475227802464005339069654858828935205186959839930518363496383948716964 -9690305591136628284730559742274731850602666195501871310082095979151178872403510613019650261986889225542227473459970356781573066183889915340294060566934540 -18854688550460679120040977419238299860098014817785306576788948091134630080082228033258246996685817245124205310980844728342008317740737273944965604408557568 -0 -21535908620540850229409686341283386471970416340429967737238370022240247758101364064839301635897318433287340370763594753912136240228661108354045783804012930997208048017799043921041828011421457343668782820520536104076035026053782745857307697762578688266768524636747474268145327146906132830376635108519593754580661809442020459403107922707419305832717345589771811762862349427813533987428011905051344117484841279401140909699065164456004599224024146858711124 -0 -0 -16 -132 -980393085630777633795127377920 -43821595176334581224008514546980603456 -52058795012750249675444812857939886156709846064922449115753994933360369074176 -14561123691201700806224839696324937581522964314772521776090379875080644591616 -175349175863053101686937135303271674300289639455959650994302374762982917881921 -1131906497036762609639522228534153459919865408591834031873180959858521631664870050151451799898073343006753689509175537114042334594659610848703981551616 -1350536895369391632569184447114500324766670158350291610958967597949326028999359576936432279782089126385784555900383659506910365560510605065726285256239859 -9451728608924473583394143032579162808176109643324961089109032935808751128466005303662886867241622116000970585797391055402890609702666479416682290459195799 -9869891012844468185531924549366273911251756943322915384954636117410087675117010026464336911857990363996496352787552233421136612436976661888444063719358464 -0 -29160913186613439708872461352513122879764789952607298290885068203114782142216922372207081593038688735241042977627651978016800109665004648282579021506383793652512992091245080903136500261598244223396601485010319512598372184283395628393048826477026318554363070339145452721174808395510502917485184825084502201409114714736758473035605478534635042521922391709556430295750595675343883087393107990838077832220859144502660929828804609103025888309324882798051740 -0 -0 -4 -484 -1089134261820156880321423343616 -145538748117878092352760460206159211126 -33511658511802278583722924194874647566922276789108093402830459143321542459392 -101058486350009815877613019026909063961257758922502987153303461721695947063296 -55893599922312747075336422508333078260508029486824190273117160196130533025956 -2458978570716352272715788097961829640376943254320968964331207836957962374258773872920562816268264474274565514907090130109741585328325854023827972947968 -2334497061062585013441347827924568919650652349786907365392347487262095082662967762597898425035389335443705851967166882197635071826354135997079594483994794 -4739636748710839604647340865523976068039985893121701111166740470358505579292913487988032483975449672818248784390230013345327930989784690681998862554218456 -9268358303535012104892996424126494308898855298485453509135477774190853103484671018397846744502851397110775756567946279667738536399988345534648240817831936 -0 -1823333014513972248453863033569237311230812126130506337878885326530740596368720446811271380284232373400475839583564476423453964756030828084801793759122506966503712459173121792772565318978814203256490836178101826827909880676810922045422401824859785223968311017274407457720180425066972434143458217681896098086428204645340725330308523442939629221459319570158112385542686278442818549344024940355939362383436777208099871277202253431959816109988249138938651 -0 -0 -8 -268 -345705300287849490539146641408 -28619945476059463819047280294135199591 -50097187803714017428498902612256509194829161297911658170445563991107297083392 -85421690222206289410508936520273729553730897899163659208114955446435945906176 -23541147492225259737409530414900909030720627244427625246343510574225863591276 -811358695156145842831903450818927915525548089569942629196406351050494125902340038663677284364719310507462367292228961985914579995483031930887980711936 -2753993259413215653375383555168520262036721258923608032707398699340884867309124328134824761429544678847308130542242013461361725575679679273117130844404184 -6291784738152052628532475385001151529792773731941954632670769788526762258081592087250332058353673371670605911117825763975584603160350868362121314372190208 -8246304950196854775397532690840382052681504659869650088188493089155770401666344769741621508722408724512112431250395089366004560986597746949833784645648384 -0 -33536828490723711025794383275603096340930562958525566355063509107668073876964224976171882248532778409771216997252213433993697133630589947644361952834437975121876157813462137576683247086121046784363938117600983461647174331186404053947864440728674994199031341263900784628270176815603173354730641751334159968196129982738215961466145470666104403167324840397876006086216517663581877927694551780431366423367588590449610474198496508322115190229617947779491804 -0 -0 -4 -744 -285597678780049650206757617664 -183060435302525962072268027628016111021 -7217761771929207302500684142267832220669089126781480397245769148255541657600 -79477460217247376097886641006546273302212937742057604494280155910320628432896 -158450537078399418888641617303234395161356907531049363529305739478391665140056 -560479410674256955928059381764241238133905670084218664847601259116454401923250286188028355182665809615792144602857372046658783886046707955042334277632 -3683866358503387723371342100656401419267927238139401708364406415400694153274197402996715954111156399475059634029565264927949827386724995677572872987734714 -12590844567997964881164942256818297297627752677819872355996517914899426206584352337319457485189429758905990389059981412286350729613199131538807367459067873 -14260854143752552717856629622964902246009611015390566846603377483401216738344769373127606724470825630558473764635392820940186579136492501381274523880390656 -0 -21800320263537007047472351208796015562335481192952840431265409041550951526374116630066499902549548119697525627775845229207308993284066362779188144732297218576386880741913758964084484707758910160792538754632482272801417299710417022721348611414238310143561872419421028837234898971823910500714741024986033307017463050796451118315775556231911389073082154651438223368297410117325974472883309213628390772734914681877034242596184674973753688803388293273496715 -0 -0 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -1 -0 -0 -0 -303 -1157847834746177602004396802047 -339617671798359351079692875821060456446 -57867775067306645753843239588701162944294645608219998114893217643713234206719 -26369455828243150957066923597651481411694301395220676885210503666274163228671 -11817720390503827648781894443752171196964219125141796458180108788425643579396 -7804371375807015860240250407429415282553584425143433436919818048882206801446222314107580658597196283229772192970700820967091727381696957189718015 -941081632068259047813718693871170463934954812652267338340003979702879896717377687462914527089361639645292415086148993612559161291073345891219533759743345 -13407795142668967188561258511782701242040321017549139392778624385515507058390936234830335193232662892196414947249258255251754028773259240421675666352640010 -18030219496951436955703469321804144806589781292361309272091751131804808417784938468039344100394760314581363716192040882359255669821551713959394630176866303 -20764409093138106714694669222174000783080657450980639056024872831998438690744740872244449057340558976478438798965361453061982147397763104606367603575189606869434278459569124428885756214636676791959099839519692515219337740131125546138808227180751694999895383762073154332479036368513723304712662417407 -0 -0 -0 -0 -131 -1049832718450901370153113485311 -123743968547971240881793449350717343096 -54247495121211160361188037929436149205783261053517263337868798039971357261823 -43780720696046181429968922798344646336098289195769104725971763934578188746751 -8569638876184228017621190554815028317573269823425357131497263831998166914171 -2590756693431741009163041429286398894656679441703939344261083891915266425352426310916864582943630782192228522635328133722758329149109900984640654540799 -1922792972978790663157142765037754247364399993465703829196794167418278912188407110331170404215500826901691954309618913442459626285713809675553469719932485 -2247688179853902828346517371756160939505222414700682406758025105256274372769418491926470116598950917484231339173818993910715883012571037685660436398094565 -14071886071206496987190907766460338856608548573141424962453698818757002916637223518158300237915282267942872621643500179521389478132153075114062917306155007 -6980263492707976602733081771294983285805560539203752519918453497642718603261557999924227728869489680883742630490486041372040492077056076650919876897423133050548479425912646008193088180932733170859088326636344779595580028567634175375390724080269085084386954408009560789015111093719791523327272483291135 -0 -0 -0 -0 -213 -624277807757669988326564691969 -308806362863810512481109604679086238721 -7575495667463650924420531623779877444872078518414758729895107613392445112321 -71383655898197942633634404834290712896942744228408684751177316467115735121921 -47122958114890946067870921450228790803155389424276201823055498825762056188186 -1994424534807216528160042697004302546045534768650260352155667756798588514332350607215428085715884919952309860849179354235231346459029751145877699821569 -3146301561202581022604671318145679315132240673197187143392208577019128708207517211248787901932425426040980775091796171281106110880987357700982231152858994 -13344055815468537346229177929721616555294581393221545616480099523908865321613366395170905103332895603014771880154289842243792973144146321750132365948266313 -25653689183378345635977168873503678049300684399452321461457658485062084019322850001321503409853791883406838755199097647132019767454780407950907465283928065 -229130338950058715207075928314567718431940966481184952335048896861640341691504660128894140126073639123936931770837384336344695028165941321264091705246687393301105660309858229907321110227251032801854835879822879826073555284111211015122519313114936258162164556856278990251776549227306961333644609716225 -0 -0 -0 -0 -141 -119107286127314199610661011457 -208956661746708815346102549108455455236 -9304183766217687257009318351289386378056338413009755635813258086246793609217 -37346116786925829034687685788004865887841441332555982208115369087891606077441 -142686669406791276574941284020696419378508583519717415488223479096553530067216 -1022103513376169960952043514852766564406369544025973264953283529967298973963692347373601150129718093616182401830320452020826518193269025639232195002369 -1255461492445777082599853012891109353852057873636592494368775587155748628015369099916821369435584805024717479183629939627196544920025710945751532635492024 -1189975803267431345957974690102770165991401096160981798863264688637086156816693253154715236752646520545321786646254224097289874096394507609482395432557936 -2038989167013368656643873390716729359930711113157962588962483025137830789336536213929010174321600155153011333126258568329562186707136497102974740273823745 -9084986068063143759355885696834360372551159629320665871137722600252611748073183150082604901064288041886108395689572588307893872058553059179847191635406482453723540265118257106957652545879445444515005992515527078762521603272600432053705760074646655367876806955197570127991703691485644599174058580377601 -0 -0 -0 -0 -243 -699092340274526400217322881023 -38592925135126088279952503537704324536 -24069098860725904074101863281316659899407559169599337507189559069499782594559 -31845123066004062045091085308083188950704500797090491164647969353944050696191 -118305855347934305358536379357165472350660178373988900770159391774566491848801 -2008713282085666284652556551621962437401356361830493232520690122524894627206383197505895885671920146557265344301589773021846167435240002500658026512383 -323133594322353610393135271506551759249338578228327732110434346721529507354177413565941533352573023280770193553578703771044066939448141422832699655754215 -8866309339762256938205367118241359468285084241706741644373897192876383324845891938408677922953893394868024823096760328985859074426231649039808204582908518 -10592335116562605574859104705966049302824382333355134511227046941609708791279611163990078774097256277263081299114817404233848814642481057406588005371609087 -7409638199867804511590556491020804147437821443902201231464956650918710757587485835871076220513184441280932875327658339055507870288640330135470374231086564968802510793220658631244921907134557333508582119960035628956742572301380943132749810700571732870307187030378399921152414041403031737491047579647999 -0 -0 -0 -0 -361 -1098223571363824020337471782913 -73118673265328369333869451006373159426 -12612570963041677221068251937087603519725683816332068400361871614991377891329 -44757643964492500248872741260097920363273353321461345189639693578247602176001 -3942245179751587580113754740041160627070588205547869974769586858647333898741 -2612294559420208791815554010100531022826670009294237097218906452805851976960451833971257091500484048552506300644536870798907627346813539746460119072769 -4886652767199484464651425905879582096234981128410546139257549524800652233964932550117395659883947428238070691107034177061699574595056075593731862734910922 -476948687153533538165001293464509838331769398407122530531483520520031422134660870238181672367938291384232556352408026637315514098467464396275313797141550 -4019828793218805646023303231154957746362032987800527539184202417766187717897646394634196457153911354739604912893653289014782783880263859608454097188945921 -4075360670358372722795335962773428342675661975784760871564112696474315403655585860035546105060954687834105799318439691150952278271480480434794674741133762365172004076850361918268011359368504306942773658004160938910939812513459072944161883845284706441576028699349927725653931250854074869857900046581761 -0 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/modmul_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/modmul_outputs deleted file mode 100644 index 5233592c5e..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/modmul_outputs +++ /dev/nulldiff --git a/evm/src/cpu/kernel/tests/bignum/test_data/mul_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/mul_outputs deleted file mode 100644 index b53c5f7e15..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/mul_outputs +++ /dev/null @@ -1,225 +0,0 @@ -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -0 -1 -21 -908 -1267650597867046177654064545792 -340282366920938463463374607431768211455 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -0 -21 -441 -19068 -26620662555207969730735355461632 -7145929705339707732730866756067132440555 -1215816936991820049838389159501298295810509592791450006603913202743172264886272 -2431633873979216987644919328942719307147268547998470985870930338835155784826880 -4863258473152507879183471746339103126521158417536030394524935575998782605623275 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959045632 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314027 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506383339 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129167872 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882753536 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097971691 -0 -908 -19068 -824464 -1151026742863277929309890607579136 -308976389164212124824744143548045536001140 -52569608513741552631107493182246612028378224297839838380778723242419067453177856 -105139217027291858322932702413332815756653325789648174055752607031539116791562240 -210278033029641769252313921222662173280057706815367409439459119190804505043139700 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229211136 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604244596 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228384372 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489734656 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835248128 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014068 -0 -1267650597867046177654064545792 -26620662555207969730735355461632 -1151026742863277929309890607579136 -1606938038272679619211255036084048932956190504430095264907264 -431359145870941220571487096504865044588697904564591140391738786447360 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867436544 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788213760 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949452800 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280075264 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372258304 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460540928 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695199744 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139072 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542341632 -0 -340282366920938463463374607431768211455 -7145929705339707732730866756067132440555 -308976389164212124824744143548045536001140 -431359145870941220571487096504865044588697904564591140391738786447360 -115792089237316195423570985008687907852589419931798687112530834793049593217025 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591554560 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114662400 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822362625 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874767360 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193027585 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030521345 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089922560 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585569280 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347234305 -0 -57896044618658097611351864738157061705262361561497619362091104892532012613632 -1215816936991820049838389159501298295810509592791450006603913202743172264886272 -52569608513741552631107493182246612028378224297839838380778723242419067453177856 -73391955574979118963811141843059488536193514605218060347731553038824318137413435829926783487818828867436544 -19701003098197239571963727475337245584161626291901231402719522479678259504890677218990119895590117915143388591554560 -3351951982485649263264086660821751293167574115217012473116062855570117177114956810549394311722122195190355926629690380263290286253266199596551551712231424 -6703903964959104207882943247098074879292236184530784614687051259089361504778664925296585557644723899819989557097938820112754998714546796218504411307048960 -13407782359700221432208153137018396716476230393601324554188676058418403973105159781474496977845448805812756231084668278028521746573850893544243696815308800 -189516368689051383356419666365934487249694726206307462692478442160356412055175068191548410359233923189538270288357620597887942150501998384340803566981539803652861191767034299241276777771401726930027167539955532412991464793964544 -291097142306427050053565423426590890568146840930776532405423684287884740444915857761347334012000265903675449121187612221625638517177392299309155307502337486020927127535947499456450345719682189031665783117734919052512795878316048384 -776259046150354466227894953415272126532120228827236797123305565388337686400499060284004070246335310139188795312112703394374362640691719752700909206017051198060493495608220461125520225112836119459965070690227765389768580522718527488 -1552518092300708932455789906830544253064240457654474631625503351024913201337446226079742769388732571127058525201398326436194714101150988019032351961389195980792206263906993685249030935631117974530339035198582125552984050009714458624 -620361101309323186180458062143306311203234091808422651940994483172973212453462540277947848500764537416293185308049243121091077089522237714087216426627812178598932718744797175293795424927554129248204812001597295596246882084347634304130710520242400817201806901439842621734294451519310289297352148130231477204202016235965703658712648032709044435339313088432114418262153009154752512 -2030684202530045702032438070068470600111523314891992114474287665026563901579442604747297208342924347358657516628421307413109601517971206668455722861607048951866317121347560401223028395731439655580245638497036905507303055096291514983167804903577061365248747133480848909746535730849828042674125732472216127172563383280944806187156793401092909358110607810689164992655422507992440651826516323860482006072417239646401793958680956430020069720523666773505207631846930990177373853120582291091033196123813538806140647566683428129469366272 -0 -115792089237105570840234253759177109864155645142784332660520492325483608801280 -2431633873979216987644919328942719307147268547998470985870930338835155784826880 -105139217027291858322932702413332815756653325789648174055752607031539116791562240 -146783911149691239803259475393272332038744581223672095908357420057841712239442615794649035123910216788213760 -39402006196322807380529480735708200350692396090822410401547663254352517428719749608020233606624972587007562114662400 -6703903964959104207882943247098074879292236184530784614687051259089361504778664925296585557644723899819989557097938820112754998714546796218504411307048960 -13407807929893819778475470707735784992488440665279129110225796518690280399801487040957178859490788616767266574533518552379422042573571257824675478529638400 -26815564719351665682859297115793503881598601899157213443769731667066042177950468012051000327834243644827516674656869253925854969676662574929007714762752000 -379032737377413310837469826127201516165849126556927185280268831441004642386080191344591587626743143491163530774059885949190517071683841202707214877193839283509836239507327810571115256102701286181423314856476535119531046873333760 -582194284611795095882563124181957331911668652816390808061798178917116866814434754607160150716463467811845369643570012125338680346889780167007790616300675328647243232411818768880659637664081627824716845155217383295556538120651407360 -1552518092297884921190276407777826343730130571016241164825192478707830380921635634356568453745503455149401263113730019700298099019902002012202155472213879518073654497303294521076488615535022163842239123103052036543841131161997803520 -3105036184595769842380552815555652687460261142032484404408169394138177593232526559709091771925126394796328107261127062087481484183515508524562872429687439110406240134689348936276584863546005281248676694097265868804492346319133736960 -1240722202616389513973922768685786106091078788555724681396110088894901580356174059693107801547999717844793849118253907517164294570375212313898259715085141105940658891307423763778538377665051892100124228941562467259128201610076266056373405707086736336167605239314782881108716366473706926696989024480092947548903006603393526774842227227605392632574744471346260936099413707173396480 -4061368405052703825017540452826323628177065892919822203995680056457293914967717151139514347845670761968317643193023213196105279034485542899856942497055973489887306964055240783810529148217259878326321073593635104947630604439996612121186052320432514468047976270758130684476727539892394554268861392044474193564110067997362607705131765085400073399409683739317269432145800594368855385753859106179981112207797478255195155380669937444019554506527587107321605367039934467094788088851405871320736566808054693946822238648612224007804026880 -0 -231583736816786089484927226016147767929578972263620494977377884571370600267775 -4863258473152507879183471746339103126521158417536030394524935575998782605623275 -210278033029641769252313921222662173280057706815367409439459119190804505043139700 -293567262432083559770702660509494961636846893913475830448684457955877331972488384611363806317219648949452800 -78803862104411649792976274791681038936454943300723566886694079153850261012036590002656572187311458765011955822362625 -13407782359700221432208153137018396716476230393601324554188676058418403973105159781474496977845448805812756231084668278028521746573850893544243696815308800 -26815564719351665682859297115793503881598601899157213443769731667066042177950468012051000327834243644827516674656869253925854969676662574929007714762752000 -53631027158026444898639041353951338860236953565976155186370673275827169990229796710610136585486710294744741538759339503142188427219888626557524901703450625 -758064029037559548223859302619650075474792064511873124215265408149659395559453789942397036648834306197292055977388138161024258210175532633810972040915105374809744387652086706188503922572983286780452241329985943497170267983052800 -1164386348601867966607659549490709240641434805493466720013626865708760416816760684474263347086593403580537140168446677038569831210140531685534851163995750025031331763664446019825967919583282914146489408839507982335431232969112551425 -3105030262937843909524927703451704725658035213057063685463909781308268889930827638236818973565112070382840731126979240983820442568989111483626724942061970361307566813811606244576718762256490550467423465073089242630619613999057076225 -6210060525875687819049855406903409451316070426114131520435474836896735901928651243521579858300210079569809751772692509393442960425269123499217289079803270033146012536744468900746753485654275750950451702497211174173610068660767948800 -2481439672835455316435450222961490952467054688477443973252759241836914049418059193066289201770080478782010589768308256548437208615056252516149995383823877308087652590010038324508787501850632011084265376115191445269164718609708653219057772287156297315205415965661016801043979428655461218374679406517792258741473669803979329510535342890018189384338466515427440201885258439091814400 -8122721319120455379930921158326117871838290539711891253924140849349950965031209192469013362813226005733220497444267273168824363782607514900842646678617218420603025285381689301022402706647780653422402593097268270904777394649862358017106423565800216445602438232961812733726274533361295534877361561034733716956723820342508274535124544488827440330912196294237990424996646092080259959888790753448676537815274083485701600749922454909872662388097681488248458568576219237116237159724865297204930388201921385039717285631411970780665217025 -0 -3273390607896141870013189696827599152216642046043064789482248405676250539528505110690804490707447337828870590656092725446174963629590181147084998049792 -68741202765818979270276983633379582196549482966904360579127216519201261330098607324506894304856394094406282403777947234369674236221393804088784959045632 -2972238671969696817971976244719460030212710977807102828849881552354035489891882640507250477562362182748614496315732194705126866975667884481553178229211136 -4149515561151917970063980879655710938513649460124350952720371065270297197065154634382680097543307069927884450339928718724097725668943949230978441358030208342019760039438410280075264 -1113877103911668754551067286547922686738237475419584309931192581897577662915063323503306740447008536028968181678028580322422866333819711284625174374608617279642589745120484326564854874767360 -189516368689051383356419666365934487249694726206307462692478442160356412055175068191548410359233923189538270288357620597887942150501998384340803566981539803652861191767034299241276777771401726930027167539955532412991464793964544 -379032737377413310837469826127201516165849126556927185280268831441004642386080191344591587626743143491163530774059885949190517071683841202707214877193839283509836239507327810571115256102701286181423314856476535119531046873333760 -758064029037559548223859302619650075474792064511873124215265408149659395559453789942397036648834306197292055977388138161024258210175532633810972040915105374809744387652086706188503922572983286780452241329985943497170267983052800 -10715086071862673209484250490600018105614048117055336074430675836924241540472703456698285220172692381666915465456597657220856438022326048260043738079097569861723477222864084024723456654120868104119493560585512807944190828392178187984719137393049169103254142087127248661337626132381236011316443311243264 -16458372206383560850154727152772241309834362634645429482097685030171884111143709030259566480970840675586286057165552281949963074948236086284290260005656649082848245798566424861913543183906541851941660459520122404258933779435071795354694349641611033685309336221143617936715894403545863381859480370679906304 -43888992550349509466047490008389760228034918444740354476264789433451422494435484145605446873947256471512988292597450618642207676514741311261882165968599848430310026415377131508214755446432997138431116604680521746555008944242629428478468183278110882114932777127534190355484669739785885245968619478007676928 -87777985100699018932094980016779520456069836889480767605004803903623391638540464457280122746011077411993751425324753978750781979522477580196467009117071428016628499217023421730630965195213525748235513398478599337876370083082111993797578339643292113170849335330813036879783075982297998725326138636180127744 -35074662110434034853557842365135370752418744845644232722536724705537763948482350096800897815346751615649214933728622564185847196492435060706089044924648133026630781093917108095545664072447733261889308217617387286462129653489067160073127037621299577013488448084508231783465815261392679840044175715075506479855049458960417568692240224459402814116944692003822183536118940032489278563958573604110859792014017609258239480765944544557609136035015279952003072 -114813069527425452423283320117768198402231770208869520047727692128105340272556505252150160006414760200146251310083289009338166699942758143608103582817139261613860686884404865091240091700335916571366968398775231636972558602982410372368561085607640039695044427708003371630792169233277670446637805866344012196830083200549854376617192853167566486801110672010487276196765581360935421367998631422802129683085092788505721142860577202194007940588172852101767238437699363756153062785321947495141655278338111834268668260296874876439322420209270108736741859953710415066991479177424624334867465316525824363705925632 -0 -5027927973729236057982426364448826617555638513633071601633370220421967636306746498030257094484300966958703364072352628851378448187094873990326993486348287 -105586487448313957217630953653425358968668408786294503634300774628861320362441676458635398984170320306132770645519405205878947411928992353796866863213314027 -4565358600146146340648043138919534568740519770378829014283100160143146613766525820211473441791745277998502654577696186997051630953882145583216910085604244596 -6373655901930312136397229380018411440828683949391920950832693445711366448193584697763678864931677968612065262908033170282412527802037703004824976134384286640214222530054133889372258304 -1710915231608582551713494414139930175751260546116444122900349352360496966554854730076753484481830650675467827629295222707109502155201699203484369755223655341193278275893163301956243837193027585 -291097142306427050053565423426590890568146840930776532405423684287884740444915857761347334012000265903675449121187612221625638517177392299309155307502337486020927127535947499456450345719682189031665783117734919052512795878316048384 -582194284611795095882563124181957331911668652816390808061798178917116866814434754607160150716463467811845369643570012125338680346889780167007790616300675328647243232411818768880659637664081627824716845155217383295556538120651407360 -1164386348601867966607659549490709240641434805493466720013626865708760416816760684474263347086593403580537140168446677038569831210140531685534851163995750025031331763664446019825967919583282914146489408839507982335431232969112551425 -16458372206383560850154727152772241309834362634645429482097685030171884111143709030259566480970840675586286057165552281949963074948236086284290260005656649082848245798566424861913543183906541851941660459520122404258933779435071795354694349641611033685309336221143617936715894403545863381859480370679906304 -25280059709008981479231968148711644861442111696433705443231567360117402528393306066518309787037990431336656280044426224316649696164180810324022564882675140987960579876942528723700768267175237032707899300231700312150169638715161500573218061631068318350665689512114702779435677385026007774824467356638267834369 -67413492557347065242233762416053344604668789415978336070232719704519730695842285928289497175591340668357371303688672579355774019833840277487199698360245654983419254719431470785652320406511710713843764264258846732773932462012692405900266395961054012873582577495350462230973011642886763600990552681342023237633 -134826985114694130484467524832106689209337578831956762230667385079098314604114856488714967534864721366751145206577896381937685648970101488283024945486839684466321300593943839555804243973666843820217508302523380061872683673515732869098988513858354359158586336115486301550288354364817320561524260650122775363584 -53874681001634843991219960220676811838216618976411872431379454389487697453585414607630678378827390586054634875212617995067952662788488677051131226188233783645486119633174249397007355413950452332486425618874867205381482252662669001815967811090854730467120253594575199233845159152018106715728564966104973555959854476034899985603379172050429045260764066870120309159237337727562784303384359771520036909014223788365313020881488428759631128761329980986194132992 -176352874794152226923041126648344020296255845787663270025002097998433518218912651792864315498223942025499431461820100039971032945845086214853910514425858431681855101933052310870599356102672426974402827054711569107570218750844042593899023102723914290002809698086928282996956938154665332804357164535720651529889760012561396833002255365927318549914998445177047355818945707770980966071916771923738923854573521041830764111506524804411686150461839884079980325493144566147614078318969489021758698999020279168507320287970878237811504779638217033120905407240942949803405092731964364881039731836747753076040480587777 -0 -13407807929942597099574024997867385471458758537929012740010782671329620832395834992528134114986407662672821420428107228756016346166874193365792884690780159 -281563966528794539091054524955215094900633929296509267540226436097922037480312534843090816414714560916129249828990251803876343269504358060681650578506383339 -12174289600387878166413214698063586008084552752439543567929790665567295715815418173215545776407658157706921849748721363710462842319521767576139939299228384372 -16996415738478256005382065682640742151192912704409604594012987116129634408058546371285779101609491343355313613863898166638327059654603396304113335697353121717251389843622698066460540928 -4562440617622195218641171605585119131739514871918667547682857357314343535508689562160604455918497575074715174882382908134196095677901105600185199282794955018371204524886410100925712980030521345 -776259046150354466227894953415272126532120228827236797123305565388337686400499060284004070246335310139188795312112703394374362640691719752700909206017051198060493495608220461125520225112836119459965070690227765389768580522718527488 -1552518092297884921190276407777826343730130571016241164825192478707830380921635634356568453745503455149401263113730019700298099019902002012202155472213879518073654497303294521076488615535022163842239123103052036543841131161997803520 -3105030262937843909524927703451704725658035213057063685463909781308268889930827638236818973565112070382840731126979240983820442568989111483626724942061970361307566813811606244576718762256490550467423465073089242630619613999057076225 -43888992550349509466047490008389760228034918444740354476264789433451422494435484145605446873947256471512988292597450618642207676514741311261882165968599848430310026415377131508214755446432997138431116604680521746555008944242629428478468183278110882114932777127534190355484669739785885245968619478007676928 -67413492557347065242233762416053344604668789415978336070232719704519730695842285928289497175591340668357371303688672579355774019833840277487199698360245654983419254719431470785652320406511710713843764264258846732773932462012692405900266395961054012873582577495350462230973011642886763600990552681342023237633 -179769313486231590772930519069826442426264354005082326596360185112449176958549873259557850386600277367825925997915804457268344327753240407083712876794615624877762257166854166161646934596377646965522119647578649647126703396773127858133295428017635762092566594653974618708449402594449637475763618354340068065281 -359538626972463181545861038139652884852528708010164893433258891975305712994145996750811464699841724874842731010897931000393441458205293971046234853904111613343804779646728343027691647116232436982584254759296818415737834043273351893507362234301351226814369365796651940053069649153544102516262530232441150373888 -143665816004337806760172922323967843540707266966555160070938769845933482343514311921981576218185379382379331497993348644831971734671586556667433058226409769129546130073493215528938527708576559133205415270644020134698724204081225254029881946465693095984137609224865240709292656860316268992459694963883823498044606777540574301742157684362334319609311262061951308672635789253885343679712825576151996358495453517343899352653487644349083554108658142161712185344 -470274332784334653125768479190507147507942688099845821153656843754997301836979240962837606053917822376117946484914782536168160296609184534239096896145262203039351588043847354547077881392556187451052716096931348618124350989790368724551688012179157579351487604719105146798178247445433672967393357192101321816498019101823012168469706240238546733430563115610529101897377344839733586268940478469960836347004487048570855680122137578043206023975369775048480356517721340390187833972378623137126307547351741242129046523455257536374422351385724837117101473491922399552018441281779378146120832426011456202350251737089 -0 -26815615859885194199148049995734770942917517075858043397979502765092926124329914532610493203135186264306101107885244098459867671853087539206018919387103232 -563127933057589078182109049910430189801267858593018911357569558066951448610928205184820357265838911550428123265590126067657221108914838323326397307129167872 -24348579200775756332826429396127172016169105504879103405365388510704376920891562395610327828446749127989939805959801641401559846042603485599065178803489734656 -33992831476956512010764131365281484302385825408819231901736066162392911122587750794642859557837487570646738733764326406607430768230396539092082721200286809873288301231428402460695199744 -9124881235244390437282343211170238263479029743837341192530852050551013988199468564099149809149237792502394782872367659707645708326849200364829008985690446628655225628506036591091211274089922560 -1552518092300708932455789906830544253064240457654474631625503351024913201337446226079742769388732571127058525201398326436194714101150988019032351961389195980792206263906993685249030935631117974530339035198582125552984050009714458624 -3105036184595769842380552815555652687460261142032484404408169394138177593232526559709091771925126394796328107261127062087481484183515508524562872429687439110406240134689348936276584863546005281248676694097265868804492346319133736960 -6210060525875687819049855406903409451316070426114131520435474836896735901928651243521579858300210079569809751772692509393442960425269123499217289079803270033146012536744468900746753485654275750950451702497211174173610068660767948800 -87777985100699018932094980016779520456069836889480767605004803903623391638540464457280122746011077411993751425324753978750781979522477580196467009117071428016628499217023421730630965195213525748235513398478599337876370083082111993797578339643292113170849335330813036879783075982297998725326138636180127744 -134826985114694130484467524832106689209337578831956762230667385079098314604114856488714967534864721366751145206577896381937685648970101488283024945486839684466321300593943839555804243973666843820217508302523380061872683673515732869098988513858354359158586336115486301550288354364817320561524260650122775363584 -359538626972463181545861038139652884852528708010164893433258891975305712994145996750811464699841724874842731010897931000393441458205293971046234853904111613343804779646728343027691647116232436982584254759296818415737834043273351893507362234301351226814369365796651940053069649153544102516262530232441150373888 -719077253944926363091722076279305769705057416020330267347594827451426144142384493965014457252965790028388273268575745766448202845714472108972056832957787126548989380860079998712572623109761917189596553766242330909605534894906264486337757228291297942005327959842043718998160370035708197081835945941328224845824 -287331632008675613520345844647935687081414533933110512134339071188196745795513335307638657529820500030503638059893998544639282004826074078543526937501430385498822553680856810441605837007924382387640823649251663812111395581050675179334316291609265083908971530669507424781643811407050868800014638372550585796767486279157989351235817419037012278476998673070763482207177579797214780269850906321355704457864297379025560392407254253435440813631626425868706906112 -940548665568669306251536958381014295015885376199692270773634051571468443177252576492255360423853770864325258737964248491672738005473375204458692172487804734089712687353813343670064744128701098573532877590228667667008286737596697852387981631862326481177071413971930746756905828624662822957794948866823607625220615269013165228239618537011536940291208905424160713389821033135818514340985521905976691408942139437741483410228329038000371498590009406379772049151623867582176028814687068466685902099735918960489164147117893952824903803155286426295341357243145288763878804327513759861599032840758403923281677647872 -0 -10715086071862672019870723708373567867164049597134887969429342556289689092328893032953381579589338312602609246283412714238525362926688916032991604094856600340922050198587112063568778839323187143820237543594206457218073322356882436956454658807341118763364007714359232059366253413058442519879029375369216 -225016807509116112417285197875844925210445041539832647358016193682083470938906753692021013171376104564654794171951666999009032621460467236692823685991988607159363054170329353334944355625786930020224988415478335601579539769494531176085547834954163494030644162001543873246691321674227292917459616882753536 -9729298153251306194042617127203199623384957034198478276241843041111037695834634873921670474267119187843169195625338744528581029537433535757956376518129793109557221580317097753720451186105453926588775689583539463154010576700049252756460830197065735837134519004638182709904558099057065808050158672835248128 -13582985265193575509847153720290630277475301176695966793104558898916525902171099726111653252346386417687634059875171486934990855171785554727726817192028731914702681172768151028934363876033198780003232825417916826555570603003610443324900765322801514628836373961563717819815659178099324514051673737887522648522145975473923735339139072 -3646154850295010964902624396817474390399390616036693719739415376725561063085178919082942505698777176089060633115597677023110409583667009527018497076154392047301826729011247840192495744913649306569979494349478121435366144715292958165239232610420731738086890347478323006048396719686780691510330825043607290550999833104265740262684222585569280 -620361101309323186180458062143306311203234091808422651940994483172973212453462540277947848500764537416293185308049243121091077089522237714087216426627812178598932718744797175293795424927554129248204812001597295596246882084347634304130710520242400817201806901439842621734294451519310289297352148130231477204202016235965703658712648032709044435339313088432114418262153009154752512 -1240722202616389513973922768685786106091078788555724681396110088894901580356174059693107801547999717844793849118253907517164294570375212313898259715085141105940658891307423763778538377665051892100124228941562467259128201610076266056373405707086736336167605239314782881108716366473706926696989024480092947548903006603393526774842227227605392632574744471346260936099413707173396480 -2481439672835455316435450222961490952467054688477443973252759241836914049418059193066289201770080478782010589768308256548437208615056252516149995383823877308087652590010038324508787501850632011084265376115191445269164718609708653219057772287156297315205415965661016801043979428655461218374679406517792258741473669803979329510535342890018189384338466515427440201885258439091814400 -35074662110434034853557842365135370752418744845644232722536724705537763948482350096800897815346751615649214933728622564185847196492435060706089044924648133026630781093917108095545664072447733261889308217617387286462129653489067160073127037621299577013488448084508231783465815261392679840044175715075506479855049458960417568692240224459402814116944692003822183536118940032489278563958573604110859792014017609258239480765944544557609136035015279952003072 -53874681001634843991219960220676811838216618976411872431379454389487697453585414607630678378827390586054634875212617995067952662788488677051131226188233783645486119633174249397007355413950452332486425618874867205381482252662669001815967811090854730467120253594575199233845159152018106715728564966104973555959854476034899985603379172050429045260764066870120309159237337727562784303384359771520036909014223788365313020881488428759631128761329980986194132992 -143665816004337806760172922323967843540707266966555160070938769845933482343514311921981576218185379382379331497993348644831971734671586556667433058226409769129546130073493215528938527708576559133205415270644020134698724204081225254029881946465693095984137609224865240709292656860316268992459694963883823498044606777540574301742157684362334319609311262061951308672635789253885343679712825576151996358495453517343899352653487644349083554108658142161712185344 -287331632008675613520345844647935687081414533933110512134339071188196745795513335307638657529820500030503638059893998544639282004826074078543526937501430385498822553680856810441605837007924382387640823649251663812111395581050675179334316291609265083908971530669507424781643811407050868800014638372550585796767486279157989351235817419037012278476998673070763482207177579797214780269850906321355704457864297379025560392407254253435440813631626425868706906112 -114813069527425426929660656670434000556791117993150086180221643697431093173028910532415727113435976215204539871783667883838967071195340228232917109351973450013767101034272479645738741907650504496198421145870980109769343781666731468018474148841379223523433938268079692841589810552977465445261846437407748635458762124821556936873529967035483590621122322119705006554547460062408802518269990075352861435909928146945580063563725505925881145977291236879775785378910221502159993605883245075109657690762294065063726665915384443183063224455834919138638489409150864878627937633765733984255718952202044576320454656 -375828023454801161958069925084019843923978286415518836749560060086790811063826786575473978319828101315166509670501153778395493519601305062611233710167108096659872687219140685926605165995932330503576533938874126310080807833945025154398047371417183906188778761688181994841114264769649793185124682348180893134333861320517448227288705530984286877458322203246948912271425933606164725949285658013879720265044644617847420446340162585011712000860105735035610334678196167563897824599954042423669530327316471628496333180947012248953569457951187522058076800530227428892238847959130402967459985851634689104636645635632818315245484817355205865998912643567216769076790812429039605288671959330499956935814269560500882854907846825228822521982049802574527070231420993536 -0 -35074662110434038747627587960280857993524015880330828824075798024790963850563322203657080886584969261653150287318235382932361986378200976930485864824618483190079311572443216561952044719477365706568052969551481762567552970942589810378882925959353769117684987193135809357565477252870988890605581060988309091800917730687720491038972968230771526418895306251191697869752495655463738834197691172975281348836466132387998255571752838316161056568930429957046271 -736567904319114813700179347165898017864004333486947405305591758520610240861829766276798698618284354494716156033682943041579601713942220515540203161316988146991665543021307547800992939109024679837929112360581117013918612389794386017956541445146429151471384731055851996508875022310290766702717202280754490927819272344442130311818432332846202054796801431275025655264802408764738515518151514632480908325565788780147963367006809604639382187947539029097971691 -31847793196274107182845849867935019058119806419340392572260824606510195176311496560920629445019152089581060460884957727702584683631406487052881165260753582736592014907778440638252456605285448061563792096352745440411338097615871547824025696771093222358857968371367314896669453345606857912669867603377384655355233299464450205863387455153540545988356938076082061665735266055161074861451503585061555464743511248208302416059151577191074239364588830400998014068 -44462416394276340862910922260389321581298853470913371563358965890746390942505208917810214508921403677924050484037361854923909199530783769557857398908416797467991642660044081596444758567725905941578862500220928052627591160031402858547990440510112144073496748573294083122100295594485512238065152913601534980743295758670057701269862152855527112109603873427804287879276629501582896265202691196110634325565999430887153483257613158570830305101308846059434951620873330091758706311542341632 -11935289041890653422458560211344367565999989567726224393815132782921219808519438180124970259072038417888105302535754774032670805811336900569676094726678661851388189281957447472598923409448779291182901295823514011338832830575108282476521982723289897702706625317681157972521881629518687524749107700488703863037130875637878556278141428758998783243913325146240393321801800775493463196094645471464263521615496507631433158100292031999009575957202146963989209941350094442798986370318517904347234305 -2030684202530045702032438070068470600111523314891992114474287665026563901579442604747297208342924347358657516628421307413109601517971206668455722861607048951866317121347560401223028395731439655580245638497036905507303055096291514983167804903577061365248747133480848909746535730849828042674125732472216127172563383280944806187156793401092909358110607810689164992655422507992440651826516323860482006072417239646401793958680956430020069720523666773505207631846930990177373853120582291091033196123813538806140647566683428129469366272 -4061368405052703825017540452826323628177065892919822203995680056457293914967717151139514347845670761968317643193023213196105279034485542899856942497055973489887306964055240783810529148217259878326321073593635104947630604439996612121186052320432514468047976270758130684476727539892394554268861392044474193564110067997362607705131765085400073399409683739317269432145800594368855385753859106179981112207797478255195155380669937444019554506527587107321605367039934467094788088851405871320736566808054693946822238648612224007804026880 -8122721319120455379930921158326117871838290539711891253924140849349950965031209192469013362813226005733220497444267273168824363782607514900842646678617218420603025285381689301022402706647780653422402593097268270904777394649862358017106423565800216445602438232961812733726274533361295534877361561034733716956723820342508274535124544488827440330912196294237990424996646092080259959888790753448676537815274083485701600749922454909872662388097681488248458568576219237116237159724865297204930388201921385039717285631411970780665217025 -114813069527425452423283320117768198402231770208869520047727692128105340272556505252150160006414760200146251310083289009338166699942758143608103582817139261613860686884404865091240091700335916571366968398775231636972558602982410372368561085607640039695044427708003371630792169233277670446637805866344012196830083200549854376617192853167566486801110672010487276196765581360935421367998631422802129683085092788505721142860577202194007940588172852101767238437699363756153062785321947495141655278338111834268668260296874876439322420209270108736741859953710415066991479177424624334867465316525824363705925632 -176352874794152226923041126648344020296255845787663270025002097998433518218912651792864315498223942025499431461820100039971032945845086214853910514425858431681855101933052310870599356102672426974402827054711569107570218750844042593899023102723914290002809698086928282996956938154665332804357164535720651529889760012561396833002255365927318549914998445177047355818945707770980966071916771923738923854573521041830764111506524804411686150461839884079980325493144566147614078318969489021758698999020279168507320287970878237811504779638217033120905407240942949803405092731964364881039731836747753076040480587777 -470274332784334653125768479190507147507942688099845821153656843754997301836979240962837606053917822376117946484914782536168160296609184534239096896145262203039351588043847354547077881392556187451052716096931348618124350989790368724551688012179157579351487604719105146798178247445433672967393357192101321816498019101823012168469706240238546733430563115610529101897377344839733586268940478469960836347004487048570855680122137578043206023975369775048480356517721340390187833972378623137126307547351741242129046523455257536374422351385724837117101473491922399552018441281779378146120832426011456202350251737089 -940548665568669306251536958381014295015885376199692270773634051571468443177252576492255360423853770864325258737964248491672738005473375204458692172487804734089712687353813343670064744128701098573532877590228667667008286737596697852387981631862326481177071413971930746756905828624662822957794948866823607625220615269013165228239618537011536940291208905424160713389821033135818514340985521905976691408942139437741483410228329038000371498590009406379772049151623867582176028814687068466685902099735918960489164147117893952824903803155286426295341357243145288763878804327513759861599032840758403923281677647872 -375828023454801161958069925084019843923978286415518836749560060086790811063826786575473978319828101315166509670501153778395493519601305062611233710167108096659872687219140685926605165995932330503576533938874126310080807833945025154398047371417183906188778761688181994841114264769649793185124682348180893134333861320517448227288705530984286877458322203246948912271425933606164725949285658013879720265044644617847420446340162585011712000860105735035610334678196167563897824599954042423669530327316471628496333180947012248953569457951187522058076800530227428892238847959130402967459985851634689104636645635632818315245484817355205865998912643567216769076790812429039605288671959330499956935814269560500882854907846825228822521982049802574527070231420993536 -1230231922161117176931558813276752514640713895736833715766118029160058800614672948775360067838593459582429640872806815375600524611787633664372109038831131496892713847574204213375769343685580784773753635629758429922695406379579200240048301333922009856375733053746023334939149959900017297080529761791881121040475796858581600002403295404329868081465157652227751491087455277833629681152969524186808613504119583496193428420962898057357571055319374451607243028930569896539578660288198289657864101794216603970753824498208473733314597712660353208543367490975176753797670373382265859509054611517991409426349053031299407068631581080918639237312826090371923206219034977458927000306459751555164292071452400788382130601457910261333218639691866553206384714007138038691594287732934081410852761487999922797074320518605005374647219205312884015226747835223983423030251792941745800299484458323597491553884981698082835005441 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/shr_outputs b/evm/src/cpu/kernel/tests/bignum/test_data/shr_outputs deleted file mode 100644 index e332af0713..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/shr_outputs +++ /dev/null @@ -1,15 +0,0 @@ -0 -0 -10 -454 -633825298933523088827032272896 -170141183460469231731687303715884105727 -28948022309329048805675932369078530852631180780748809681045552446266006306816 -57896044618552785420117126879588554932077822571392166330260246162741804400640 -115791868408393044742463613008073883964789486131810247488688942285685300133887 -1636695303948070935006594848413799576108321023021532394741124202838125269764252555345402245353723668914435295328046362723087481814795090573542499024896 -2513963986864618028991213182224413308777819256816535800816685110210983818153373249015128547242150483479351682036176314425689224093547436995163496743174143 -6703903964971298549787012498933692735729379268964506370005391335664810416197917496264067057493203831336410710214053614378008173083437096682896442345390079 -13407807929942597099574024997867385471458758537929021698989751382546463062164957266305246601567593132153050553942622049229933835926543769603009459693551616 -5357543035931336009935361854186783933582024798567443984714671278144844546164446516476690789794669156301304623141706357119262681463344458016495802047428300170461025099293556031784389419661593571910118771797103228609036661178441218478227329403670559381682003857179616029683126706529221259939514687684608 -17537331055217019373813793980140428996762007940165414412037899012395481925281661101828540443292484630826575143659117691466180993189100488465242932412309241595039655786221608280976022359738682853284026484775740881283776485471294905189441462979676884558842493596567904678782738626435494445302790530494154545900458865343860245519486484115385763209447653125595848934876247827731869417098845586487640674418233066193999127785876419158080528284465214978523135 diff --git a/evm/src/cpu/kernel/tests/bignum/test_data/u128_inputs b/evm/src/cpu/kernel/tests/bignum/test_data/u128_inputs deleted file mode 100644 index ca67d6e7ae..0000000000 --- a/evm/src/cpu/kernel/tests/bignum/test_data/u128_inputs +++ /dev/null @@ -1,6 +0,0 @@ -0 -1 -21 -908 -1267650597867046177654064545792 -340282366920938463463374607431768211455 diff --git a/evm/src/cpu/kernel/tests/blake2_f.rs b/evm/src/cpu/kernel/tests/blake2_f.rs deleted file mode 100644 index c5d800c5b6..0000000000 --- a/evm/src/cpu/kernel/tests/blake2_f.rs +++ /dev/null @@ -1,134 +0,0 @@ -use anyhow::Result; - -use crate::cpu::kernel::interpreter::{ - run_interpreter_with_memory, InterpreterMemoryInitialization, -}; -use crate::memory::segments::Segment::KernelGeneral; - -type ConvertedBlakeInputs = (u32, [u64; 8], [u64; 16], u64, u64, bool); - -fn reverse_bytes_u64(input: u64) -> u64 { - let mut result = 0; - for i in 0..8 { - result |= ((input >> (i * 8)) & 0xff) << ((7 - i) * 8); - } - result -} - -fn convert_input(input: &str) -> Result { - let rounds = u32::from_str_radix(&input[..8], 16).unwrap(); - - let mut h = [0u64; 8]; - for i in 0..8 { - h[i] = reverse_bytes_u64( - u64::from_str_radix(&input[8 + i * 16..8 + (i + 1) * 16], 16).unwrap(), - ); - } - - let mut m = [0u64; 16]; - for i in 0..16 { - m[i] = reverse_bytes_u64( - u64::from_str_radix(&input[136 + i * 16..136 + (i + 1) * 16], 16).unwrap(), - ); - } - - let t_0 = reverse_bytes_u64(u64::from_str_radix(&input[392..408], 16).unwrap()); - let t_1 = reverse_bytes_u64(u64::from_str_radix(&input[408..424], 16).unwrap()); - let flag = u8::from_str_radix(&input[424..426], 16).unwrap() != 0; - - Ok((rounds, h, m, t_0, t_1, flag)) -} - -fn convert_output(output: [u64; 8]) -> String { - output - .iter() - .map(|&x| format!("{:016x}", reverse_bytes_u64(x))) - .collect::>() - .join("") -} - -fn run_blake2_f( - rounds: u32, - h: [u64; 8], - m: [u64; 16], - t_0: u64, - t_1: u64, - flag: bool, -) -> Result<[u64; 8]> { - let mut stack = vec![]; - stack.push(rounds.into()); - stack.append(&mut h.iter().map(|&x| x.into()).collect()); - stack.append(&mut m.iter().map(|&x| x.into()).collect()); - stack.push(t_0.into()); - stack.push(t_1.into()); - stack.push(u8::from(flag).into()); - stack.push(0xDEADBEEFu32.into()); - - let interpreter_setup = InterpreterMemoryInitialization { - label: "blake2_f".to_string(), - stack, - segment: KernelGeneral, - memory: vec![], - }; - - let result = run_interpreter_with_memory(interpreter_setup).unwrap(); - let mut hash = result.stack().to_vec(); - hash.reverse(); - - Ok(hash - .iter() - .map(|&x| x.low_u64()) - .collect::>() - .try_into() - .unwrap()) -} - -// Test data from EIP-152. - -fn test_blake2_f_eip(input: &str, output: &str) -> Result<()> { - let (rounds, h, m, t_0, t_1, flag) = convert_input(input).unwrap(); - let result = run_blake2_f(rounds, h, m, t_0, t_1, flag).unwrap(); - assert_eq!(convert_output(result), output); - Ok(()) -} - -#[test] -fn test_blake2_f_4() -> Result<()> { - test_blake2_f_eip( - "0000000048c9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000001", - "08c9bcf367e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d282e6ad7f520e511f6c3e2b8c68059b9442be0454267ce079217e1319cde05b", - ) -} - -#[test] -fn test_blake2_f_5() -> Result<()> { - test_blake2_f_eip( - "0000000c48c9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000001", - "ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d17d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923", - ) -} - -#[test] -fn test_blake2_f_6() -> Result<()> { - test_blake2_f_eip( - "0000000c48c9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000000", - "75ab69d3190a562c51aef8d88f1c2775876944407270c42c9844252c26d2875298743e7f6d5ea2f2d3e8d226039cd31b4e426ac4f2d3d666a610c2116fde4735", - ) -} - -#[test] -fn test_blake2_f_7() -> Result<()> { - test_blake2_f_eip( - "0000000148c9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000001", - "b63a380cb2897d521994a85234ee2c181b5f844d2c624c002677e9703449d2fba551b3a8333bcdf5f2f7e08993d53923de3d64fcc68c034e717b9293fed7a421", - ) -} - -#[ignore] -#[test] -fn test_blake2_f_8() -> Result<()> { - test_blake2_f_eip( - "ffffffff48c9bdf267e6096a3ba7ca8485ae67bb2bf894fe72f36e3cf1361d5f3af54fa5d182e6ad7f520e511f6c3e2b8c68059b6bbd41fbabd9831f79217e1319cde05b61626300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000000000000000000000000000001", - "fc59093aafa9ab43daae0e914c57635c5402d8e3d2130eb9b3cc181de7f0ecf9b22bf99a7815ce16419e200e01846e6b5df8cc7703041bbceb571de6631d2615", - ) -} diff --git a/evm/src/cpu/kernel/tests/block_hash.rs b/evm/src/cpu/kernel/tests/block_hash.rs deleted file mode 100644 index 23ba233721..0000000000 --- a/evm/src/cpu/kernel/tests/block_hash.rs +++ /dev/null @@ -1,125 +0,0 @@ -use anyhow::Result; -use ethereum_types::{H256, U256}; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn test_correct_block_hash() -> Result<()> { - let mut rng = rand::thread_rng(); - - let blockhash_label = KERNEL.global_labels["blockhash"]; - let retdest = 0xDEADBEEFu32.into(); - - let block_number: u8 = rng.gen(); - let initial_stack = vec![retdest, block_number.into()]; - - let hashes: Vec = vec![U256::from_big_endian(&thread_rng().gen::().0); 257]; - - let mut interpreter = Interpreter::new_with_kernel(blockhash_label, initial_stack); - interpreter.set_memory_segment(Segment::BlockHashes, hashes[0..256].to_vec()); - interpreter.set_global_metadata_field(GlobalMetadata::BlockCurrentHash, hashes[256]); - interpreter.set_global_metadata_field(GlobalMetadata::BlockNumber, 256.into()); - interpreter.run()?; - - let result = interpreter.stack(); - assert_eq!( - result[0], hashes[block_number as usize], - "Resulting block hash {:?} different from expected hash {:?}", - result[0], hashes[block_number as usize] - ); - - Ok(()) -} - -#[test] -fn test_big_index_block_hash() -> Result<()> { - let mut rng = rand::thread_rng(); - - let blockhash_label = KERNEL.global_labels["blockhash"]; - let retdest = 0xDEADBEEFu32.into(); - let cur_block_number = 3; - let block_number: usize = rng.gen::() as usize; - let actual_block_number = block_number + cur_block_number; - let initial_stack = vec![retdest, actual_block_number.into()]; - - let hashes: Vec = vec![U256::from_big_endian(&thread_rng().gen::().0); 257]; - - let mut interpreter = Interpreter::new_with_kernel(blockhash_label, initial_stack); - interpreter.set_memory_segment(Segment::BlockHashes, hashes[0..256].to_vec()); - interpreter.set_global_metadata_field(GlobalMetadata::BlockCurrentHash, hashes[256]); - interpreter.set_global_metadata_field(GlobalMetadata::BlockNumber, cur_block_number.into()); - interpreter.run()?; - - let result = interpreter.stack(); - assert_eq!( - result[0], - 0.into(), - "Resulting block hash {:?} different from expected hash {:?}", - result[0], - 0 - ); - - Ok(()) -} - -#[test] -fn test_small_index_block_hash() -> Result<()> { - let mut rng = rand::thread_rng(); - - let blockhash_label = KERNEL.global_labels["blockhash"]; - let retdest = 0xDEADBEEFu32.into(); - let cur_block_number = 512; - let block_number = rng.gen::() as usize; - let initial_stack = vec![retdest, block_number.into()]; - - let hashes: Vec = vec![U256::from_big_endian(&thread_rng().gen::().0); 257]; - - let mut interpreter = Interpreter::new_with_kernel(blockhash_label, initial_stack); - interpreter.set_memory_segment(Segment::BlockHashes, hashes[0..256].to_vec()); - interpreter.set_global_metadata_field(GlobalMetadata::BlockCurrentHash, hashes[256]); - interpreter.set_global_metadata_field(GlobalMetadata::BlockNumber, cur_block_number.into()); - interpreter.run()?; - - let result = interpreter.stack(); - assert_eq!( - result[0], - 0.into(), - "Resulting block hash {:?} different from expected hash {:?}", - result[0], - 0 - ); - - Ok(()) -} - -#[test] -fn test_block_hash_with_overflow() -> Result<()> { - let blockhash_label = KERNEL.global_labels["blockhash"]; - let retdest = 0xDEADBEEFu32.into(); - let cur_block_number = 1; - let block_number = U256::MAX; - let initial_stack = vec![retdest, block_number]; - - let hashes: Vec = vec![U256::from_big_endian(&thread_rng().gen::().0); 257]; - - let mut interpreter = Interpreter::new_with_kernel(blockhash_label, initial_stack); - interpreter.set_memory_segment(Segment::BlockHashes, hashes[0..256].to_vec()); - interpreter.set_global_metadata_field(GlobalMetadata::BlockCurrentHash, hashes[256]); - interpreter.set_global_metadata_field(GlobalMetadata::BlockNumber, cur_block_number.into()); - interpreter.run()?; - - let result = interpreter.stack(); - assert_eq!( - result[0], - 0.into(), - "Resulting block hash {:?} different from expected hash {:?}", - result[0], - 0 - ); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/bls381.rs b/evm/src/cpu/kernel/tests/bls381.rs deleted file mode 100644 index aeba6fbd96..0000000000 --- a/evm/src/cpu/kernel/tests/bls381.rs +++ /dev/null @@ -1,32 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; -use rand::Rng; - -use crate::cpu::kernel::interpreter::{ - run_interpreter_with_memory, InterpreterMemoryInitialization, -}; -use crate::extension_tower::{Fp2, Stack, BLS381}; -use crate::memory::segments::Segment::KernelGeneral; - -#[test] -fn test_bls_fp2_mul() -> Result<()> { - let mut rng = rand::thread_rng(); - let x: Fp2 = rng.gen::>(); - let y: Fp2 = rng.gen::>(); - - let mut stack = x.to_stack().to_vec(); - stack.extend(y.to_stack().to_vec()); - stack.push(U256::from(0xdeadbeefu32)); - let setup = InterpreterMemoryInitialization { - label: "mul_fp381_2".to_string(), - stack, - segment: KernelGeneral, - memory: vec![], - }; - let interpreter = run_interpreter_with_memory(setup).unwrap(); - let stack: Vec = interpreter.stack().iter().rev().cloned().collect(); - let output = Fp2::::from_stack(&stack); - - assert_eq!(output, x * y); - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/bn254.rs b/evm/src/cpu/kernel/tests/bn254.rs deleted file mode 100644 index 8a90ff2479..0000000000 --- a/evm/src/cpu/kernel/tests/bn254.rs +++ /dev/null @@ -1,252 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; -use rand::Rng; - -use crate::cpu::kernel::interpreter::{ - run_interpreter_with_memory, Interpreter, InterpreterMemoryInitialization, -}; -use crate::curve_pairings::{ - bn_final_exponent, bn_miller_loop, gen_bn_fp12_sparse, Curve, CyclicGroup, -}; -use crate::extension_tower::{FieldExt, Fp12, Fp2, Fp6, Stack, BN254}; -use crate::memory::segments::Segment::BnPairing; - -fn run_bn_mul_fp6(f: Fp6, g: Fp6, label: &str) -> Fp6 { - let mut stack = f.to_stack(); - if label == "mul_fp254_6" { - stack.extend(g.to_stack().to_vec()); - } - stack.push(U256::from(0xdeadbeefu32)); - let setup = InterpreterMemoryInitialization { - label: label.to_string(), - stack, - segment: BnPairing, - memory: vec![], - }; - let interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.stack().iter().rev().cloned().collect(); - Fp6::::from_stack(&output) -} - -#[test] -fn test_bn_mul_fp6() -> Result<()> { - let mut rng = rand::thread_rng(); - let f: Fp6 = rng.gen::>(); - let g: Fp6 = rng.gen::>(); - - let output_normal: Fp6 = run_bn_mul_fp6(f, g, "mul_fp254_6"); - let output_square: Fp6 = run_bn_mul_fp6(f, f, "square_fp254_6"); - - assert_eq!(output_normal, f * g); - assert_eq!(output_square, f * f); - - Ok(()) -} - -fn run_bn_mul_fp12(f: Fp12, g: Fp12, label: &str) -> Fp12 { - let in0: usize = 100; - let in1: usize = 112; - let out: usize = 124; - - let mut stack = vec![ - U256::from(in0), - U256::from(in1), - U256::from(out), - U256::from(0xdeadbeefu32), - ]; - if label == "square_fp254_12" { - stack.remove(0); - } - let setup = InterpreterMemoryInitialization { - label: label.to_string(), - stack, - segment: BnPairing, - memory: vec![(in0, f.to_stack().to_vec()), (in1, g.to_stack().to_vec())], - }; - let interpreter = run_interpreter_with_memory(setup).unwrap(); - let output = interpreter.extract_kernel_memory(BnPairing, out..out + 12); - Fp12::::from_stack(&output) -} - -#[test] -fn test_bn_mul_fp12() -> Result<()> { - let mut rng = rand::thread_rng(); - let f: Fp12 = rng.gen::>(); - let g: Fp12 = rng.gen::>(); - let h: Fp12 = gen_bn_fp12_sparse(&mut rng); - - let output_normal = run_bn_mul_fp12(f, g, "mul_fp254_12"); - let output_sparse = run_bn_mul_fp12(f, h, "mul_fp254_12_sparse"); - let output_square = run_bn_mul_fp12(f, f, "square_fp254_12"); - - assert_eq!(output_normal, f * g); - assert_eq!(output_sparse, f * h); - assert_eq!(output_square, f * f); - - Ok(()) -} - -fn run_bn_frob_fp6(n: usize, f: Fp6) -> Fp6 { - let setup = InterpreterMemoryInitialization { - label: format!("test_frob_fp254_6_{}", n), - stack: f.to_stack().to_vec(), - segment: BnPairing, - memory: vec![], - }; - let interpreter: Interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.stack().iter().rev().cloned().collect(); - Fp6::::from_stack(&output) -} - -#[test] -fn test_bn_frob_fp6() -> Result<()> { - let mut rng = rand::thread_rng(); - let f: Fp6 = rng.gen::>(); - for n in 1..4 { - let output = run_bn_frob_fp6(n, f); - assert_eq!(output, f.frob(n)); - } - Ok(()) -} - -fn run_bn_frob_fp12(f: Fp12, n: usize) -> Fp12 { - let ptr: usize = 100; - let setup = InterpreterMemoryInitialization { - label: format!("test_frob_fp254_12_{}", n), - stack: vec![U256::from(ptr)], - segment: BnPairing, - memory: vec![(ptr, f.to_stack().to_vec())], - }; - let interpreter: Interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.extract_kernel_memory(BnPairing, ptr..ptr + 12); - Fp12::::from_stack(&output) -} - -#[test] -fn test_frob_fp12() -> Result<()> { - let mut rng = rand::thread_rng(); - let f: Fp12 = rng.gen::>(); - - for n in [1, 2, 3, 6] { - let output = run_bn_frob_fp12(f, n); - assert_eq!(output, f.frob(n)); - } - Ok(()) -} - -#[test] -fn test_bn_inv_fp12() -> Result<()> { - let ptr: usize = 100; - let inv: usize = 112; - let mut rng = rand::thread_rng(); - let f: Fp12 = rng.gen::>(); - - let setup = InterpreterMemoryInitialization { - label: "inv_fp254_12".to_string(), - stack: vec![U256::from(ptr), U256::from(inv), U256::from(0xdeadbeefu32)], - segment: BnPairing, - memory: vec![(ptr, f.to_stack().to_vec())], - }; - let interpreter: Interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.extract_kernel_memory(BnPairing, inv..inv + 12); - let output = Fp12::::from_stack(&output); - - assert_eq!(output, f.inv()); - - Ok(()) -} - -#[test] -fn test_bn_final_exponent() -> Result<()> { - let ptr: usize = 100; - - let mut rng = rand::thread_rng(); - let f: Fp12 = rng.gen::>(); - - let setup = InterpreterMemoryInitialization { - label: "bn254_final_exponent".to_string(), - stack: vec![ - U256::zero(), - U256::zero(), - U256::from(ptr), - U256::from(0xdeadbeefu32), - ], - segment: BnPairing, - memory: vec![(ptr, f.to_stack().to_vec())], - }; - - let interpreter: Interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.extract_kernel_memory(BnPairing, ptr..ptr + 12); - let expected: Vec = bn_final_exponent(f).to_stack(); - - assert_eq!(output, expected); - - Ok(()) -} - -#[test] -fn test_bn_miller() -> Result<()> { - let ptr: usize = 100; - let out: usize = 106; - - let mut rng = rand::thread_rng(); - let p: Curve = rng.gen::>(); - let q: Curve> = rng.gen::>>(); - - let mut input = p.to_stack(); - input.extend(q.to_stack()); - - let setup = InterpreterMemoryInitialization { - label: "bn254_miller".to_string(), - stack: vec![U256::from(ptr), U256::from(out), U256::from(0xdeadbeefu32)], - segment: BnPairing, - memory: vec![(ptr, input)], - }; - let interpreter = run_interpreter_with_memory(setup).unwrap(); - let output: Vec = interpreter.extract_kernel_memory(BnPairing, out..out + 12); - let expected = bn_miller_loop(p, q).to_stack(); - - assert_eq!(output, expected); - - Ok(()) -} - -#[test] -fn test_bn_pairing() -> Result<()> { - let out: usize = 100; - let ptr: usize = 112; - - let mut rng = rand::thread_rng(); - let k: usize = rng.gen_range(1..10); - let mut acc: i32 = 0; - let mut input: Vec = vec![]; - for _ in 1..k { - let m: i32 = rng.gen_range(-8..8); - let n: i32 = rng.gen_range(-8..8); - acc -= m * n; - - let p: Curve = Curve::::int(m); - let q: Curve> = Curve::>::int(n); - input.extend(p.to_stack()); - input.extend(q.to_stack()); - } - let p: Curve = Curve::::int(acc); - let q: Curve> = Curve::>::GENERATOR; - input.extend(p.to_stack()); - input.extend(q.to_stack()); - - let setup = InterpreterMemoryInitialization { - label: "bn254_pairing".to_string(), - stack: vec![ - U256::from(k), - U256::from(ptr), - U256::from(out), - U256::from(0xdeadbeefu32), - ], - segment: BnPairing, - memory: vec![(ptr, input)], - }; - let interpreter = run_interpreter_with_memory(setup).unwrap(); - assert_eq!(interpreter.stack()[0], U256::one()); - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/core/access_lists.rs b/evm/src/cpu/kernel/tests/core/access_lists.rs deleted file mode 100644 index 69dd2d27d4..0000000000 --- a/evm/src/cpu/kernel/tests/core/access_lists.rs +++ /dev/null @@ -1,212 +0,0 @@ -use std::collections::HashSet; - -use anyhow::Result; -use ethereum_types::{Address, U256}; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata::{ - AccessedAddressesLen, AccessedStorageKeysLen, -}; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment::{AccessedAddresses, AccessedStorageKeys}; -use crate::witness::memory::MemoryAddress; - -#[test] -fn test_insert_accessed_addresses() -> Result<()> { - let insert_accessed_addresses = KERNEL.global_labels["insert_accessed_addresses"]; - - let retaddr = 0xdeadbeefu32.into(); - let mut rng = thread_rng(); - let n = rng.gen_range(1..10); - let addresses = (0..n) - .map(|_| rng.gen::

()) - .collect::>() - .into_iter() - .collect::>(); - let addr_in_list = addresses[rng.gen_range(0..n)]; - let addr_not_in_list = rng.gen::
(); - assert!( - !addresses.contains(&addr_not_in_list), - "Cosmic luck or bad RNG?" - ); - - // Test for address already in list. - let initial_stack = vec![retaddr, U256::from(addr_in_list.0.as_slice())]; - let mut interpreter = Interpreter::new_with_kernel(insert_accessed_addresses, initial_stack); - for i in 0..n { - let addr = U256::from(addresses[i].0.as_slice()); - interpreter - .generation_state - .memory - .set(MemoryAddress::new(0, AccessedAddresses, i), addr); - } - interpreter.generation_state.memory.set( - MemoryAddress::new_bundle(U256::from(AccessedAddressesLen as usize)).unwrap(), - U256::from(n), - ); - interpreter.run()?; - assert_eq!(interpreter.stack(), &[U256::zero()]); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new_bundle(U256::from(AccessedAddressesLen as usize)).unwrap()), - U256::from(n) - ); - - // Test for address not in list. - let initial_stack = vec![retaddr, U256::from(addr_not_in_list.0.as_slice())]; - let mut interpreter = Interpreter::new_with_kernel(insert_accessed_addresses, initial_stack); - for i in 0..n { - let addr = U256::from(addresses[i].0.as_slice()); - interpreter - .generation_state - .memory - .set(MemoryAddress::new(0, AccessedAddresses, i), addr); - } - interpreter.generation_state.memory.set( - MemoryAddress::new_bundle(U256::from(AccessedAddressesLen as usize)).unwrap(), - U256::from(n), - ); - interpreter.run()?; - assert_eq!(interpreter.stack(), &[U256::one()]); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new_bundle(U256::from(AccessedAddressesLen as usize)).unwrap()), - U256::from(n + 1) - ); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new(0, AccessedAddresses, n)), - U256::from(addr_not_in_list.0.as_slice()) - ); - - Ok(()) -} - -#[test] -fn test_insert_accessed_storage_keys() -> Result<()> { - let insert_accessed_storage_keys = KERNEL.global_labels["insert_accessed_storage_keys"]; - - let retaddr = 0xdeadbeefu32.into(); - let mut rng = thread_rng(); - let n = rng.gen_range(1..10); - let storage_keys = (0..n) - .map(|_| (rng.gen::
(), U256(rng.gen()), U256(rng.gen()))) - .collect::>() - .into_iter() - .collect::>(); - let storage_key_in_list = storage_keys[rng.gen_range(0..n)]; - let storage_key_not_in_list = (rng.gen::
(), U256(rng.gen()), U256(rng.gen())); - assert!( - !storage_keys.contains(&storage_key_not_in_list), - "Cosmic luck or bad RNG?" - ); - - // Test for storage key already in list. - let initial_stack = vec![ - retaddr, - storage_key_in_list.2, - storage_key_in_list.1, - U256::from(storage_key_in_list.0 .0.as_slice()), - ]; - let mut interpreter = Interpreter::new_with_kernel(insert_accessed_storage_keys, initial_stack); - for i in 0..n { - let addr = U256::from(storage_keys[i].0 .0.as_slice()); - interpreter - .generation_state - .memory - .set(MemoryAddress::new(0, AccessedStorageKeys, 3 * i), addr); - interpreter.generation_state.memory.set( - MemoryAddress::new(0, AccessedStorageKeys, 3 * i + 1), - storage_keys[i].1, - ); - interpreter.generation_state.memory.set( - MemoryAddress::new(0, AccessedStorageKeys, 3 * i + 2), - storage_keys[i].2, - ); - } - interpreter.generation_state.memory.set( - MemoryAddress::new_bundle(U256::from(AccessedStorageKeysLen as usize)).unwrap(), - U256::from(3 * n), - ); - interpreter.run()?; - assert_eq!(interpreter.stack(), &[storage_key_in_list.2, U256::zero()]); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new_bundle(U256::from(AccessedStorageKeysLen as usize)).unwrap()), - U256::from(3 * n) - ); - - // Test for storage key not in list. - let initial_stack = vec![ - retaddr, - storage_key_not_in_list.2, - storage_key_not_in_list.1, - U256::from(storage_key_not_in_list.0 .0.as_slice()), - ]; - let mut interpreter = Interpreter::new_with_kernel(insert_accessed_storage_keys, initial_stack); - for i in 0..n { - let addr = U256::from(storage_keys[i].0 .0.as_slice()); - interpreter - .generation_state - .memory - .set(MemoryAddress::new(0, AccessedStorageKeys, 3 * i), addr); - interpreter.generation_state.memory.set( - MemoryAddress::new(0, AccessedStorageKeys, 3 * i + 1), - storage_keys[i].1, - ); - interpreter.generation_state.memory.set( - MemoryAddress::new(0, AccessedStorageKeys, 3 * i + 2), - storage_keys[i].2, - ); - } - interpreter.generation_state.memory.set( - MemoryAddress::new_bundle(U256::from(AccessedStorageKeysLen as usize)).unwrap(), - U256::from(3 * n), - ); - interpreter.run()?; - assert_eq!( - interpreter.stack(), - &[storage_key_not_in_list.2, U256::one()] - ); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new_bundle(U256::from(AccessedStorageKeysLen as usize)).unwrap()), - U256::from(3 * (n + 1)) - ); - assert_eq!( - interpreter - .generation_state - .memory - .get(MemoryAddress::new(0, AccessedStorageKeys, 3 * n,)), - U256::from(storage_key_not_in_list.0 .0.as_slice()) - ); - assert_eq!( - interpreter.generation_state.memory.get(MemoryAddress::new( - 0, - AccessedStorageKeys, - 3 * n + 1, - )), - storage_key_not_in_list.1 - ); - assert_eq!( - interpreter.generation_state.memory.get(MemoryAddress::new( - 0, - AccessedStorageKeys, - 3 * n + 2, - )), - storage_key_not_in_list.2 - ); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/core/create_addresses.rs b/evm/src/cpu/kernel/tests/core/create_addresses.rs deleted file mode 100644 index 3f31657891..0000000000 --- a/evm/src/cpu/kernel/tests/core/create_addresses.rs +++ /dev/null @@ -1,115 +0,0 @@ -use std::str::FromStr; - -use anyhow::Result; -use ethereum_types::{H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; - -#[test] -fn test_get_create_address() -> Result<()> { - let get_create_address = KERNEL.global_labels["get_create_address"]; - - // This is copied from OpenEthereum's `test_contract_address`. - let retaddr = 0xdeadbeefu32.into(); - let nonce = 88.into(); - let sender = U256::from_big_endian(&hex!("0f572e5295c57f15886f9b263e2f6d2d6c7b5ec6")); - let expected_addr = U256::from_big_endian(&hex!("3f09c73a5ed19289fb9bdc72f1742566df146f56")); - - let initial_stack = vec![retaddr, nonce, sender]; - let mut interpreter = Interpreter::new_with_kernel(get_create_address, initial_stack); - interpreter.run()?; - - assert_eq!(interpreter.stack(), &[expected_addr]); - - Ok(()) -} - -struct Create2TestCase { - code_hash: H256, - salt: U256, - sender: U256, - expected_addr: U256, -} - -/// Taken from https://eips.ethereum.org/EIPS/eip-1014 -fn create2_test_cases() -> Vec { - vec![ - Create2TestCase { - code_hash: keccak(hex!("00")), - salt: U256::zero(), - sender: U256::zero(), - expected_addr: U256::from_str("0x4D1A2e2bB4F88F0250f26Ffff098B0b30B26BF38").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("00")), - salt: U256::zero(), - sender: U256::from_str("0xdeadbeef00000000000000000000000000000000").unwrap(), - expected_addr: U256::from_str("0xB928f69Bb1D91Cd65274e3c79d8986362984fDA3").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("00")), - salt: U256::from_str( - "0x000000000000000000000000feed000000000000000000000000000000000000", - ) - .unwrap(), - sender: U256::from_str("0xdeadbeef00000000000000000000000000000000").unwrap(), - expected_addr: U256::from_str("0xD04116cDd17beBE565EB2422F2497E06cC1C9833").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("deadbeef")), - salt: U256::zero(), - sender: U256::zero(), - expected_addr: U256::from_str("0x70f2b2914A2a4b783FaEFb75f459A580616Fcb5e").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("deadbeef")), - salt: U256::from_str( - "0x00000000000000000000000000000000000000000000000000000000cafebabe", - ) - .unwrap(), - sender: U256::from_str("0x00000000000000000000000000000000deadbeef").unwrap(), - expected_addr: U256::from_str("0x60f3f640a8508fC6a86d45DF051962668E1e8AC7").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef")), - salt: U256::from_str( - "0x00000000000000000000000000000000000000000000000000000000cafebabe", - ) - .unwrap(), - sender: U256::from_str("0x00000000000000000000000000000000deadbeef").unwrap(), - expected_addr: U256::from_str("0x1d8bfDC5D46DC4f61D6b6115972536eBE6A8854C").unwrap(), - }, - Create2TestCase { - code_hash: keccak(hex!("")), - salt: U256::zero(), - sender: U256::zero(), - expected_addr: U256::from_str("0xE33C0C7F7df4809055C3ebA6c09CFe4BaF1BD9e0").unwrap(), - }, - ] -} - -#[test] -fn test_get_create2_address() -> Result<()> { - let get_create2_address = KERNEL.global_labels["get_create2_address"]; - - let retaddr = 0xdeadbeefu32.into(); - - for Create2TestCase { - code_hash, - salt, - sender, - expected_addr, - } in create2_test_cases() - { - let initial_stack = vec![retaddr, salt, U256::from(code_hash.0), sender]; - let mut interpreter = Interpreter::new_with_kernel(get_create2_address, initial_stack); - interpreter.run()?; - - assert_eq!(interpreter.stack(), &[expected_addr]); - } - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/core/intrinsic_gas.rs b/evm/src/cpu/kernel/tests/core/intrinsic_gas.rs deleted file mode 100644 index d8badef9db..0000000000 --- a/evm/src/cpu/kernel/tests/core/intrinsic_gas.rs +++ /dev/null @@ -1,30 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::constants::txn_fields::NormalizedTxnField; -use crate::cpu::kernel::interpreter::Interpreter; - -const GAS_TX: u32 = 21_000; -const GAS_TXCREATE: u32 = 32_000; - -#[test] -fn test_intrinsic_gas() -> Result<()> { - let intrinsic_gas = KERNEL.global_labels["intrinsic_gas"]; - - // Contract creation transaction. - let initial_stack = vec![0xdeadbeefu32.into()]; - let mut interpreter = Interpreter::new_with_kernel(intrinsic_gas, initial_stack.clone()); - interpreter.set_global_metadata_field(GlobalMetadata::ContractCreation, U256::one()); - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![(GAS_TX + GAS_TXCREATE).into()]); - - // Message transaction. - let mut interpreter = Interpreter::new_with_kernel(intrinsic_gas, initial_stack); - interpreter.set_txn_field(NormalizedTxnField::To, 123.into()); - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![GAS_TX.into()]); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/core/jumpdest_analysis.rs b/evm/src/cpu/kernel/tests/core/jumpdest_analysis.rs deleted file mode 100644 index d704cc198d..0000000000 --- a/evm/src/cpu/kernel/tests/core/jumpdest_analysis.rs +++ /dev/null @@ -1,122 +0,0 @@ -use std::collections::{BTreeSet, HashMap}; - -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::opcodes::{get_opcode, get_push_opcode}; -use crate::witness::operation::CONTEXT_SCALING_FACTOR; - -#[test] -fn test_jumpdest_analysis() -> Result<()> { - let jumpdest_analysis = KERNEL.global_labels["jumpdest_analysis"]; - const CONTEXT: usize = 3; // arbitrary - - let add = get_opcode("ADD"); - let push2 = get_push_opcode(2); - let jumpdest = get_opcode("JUMPDEST"); - - #[rustfmt::skip] - let code: Vec = vec![ - add, - jumpdest, - push2, - jumpdest, // part of PUSH2 - jumpdest, // part of PUSH2 - jumpdest, - add, - jumpdest, - ]; - - let jumpdest_bits = vec![false, true, false, false, false, true, false, true]; - - // Contract creation transaction. - let initial_stack = vec![ - 0xDEADBEEFu32.into(), - code.len().into(), - U256::from(CONTEXT) << CONTEXT_SCALING_FACTOR, - ]; - let mut interpreter = Interpreter::new_with_kernel(jumpdest_analysis, initial_stack); - interpreter.set_code(CONTEXT, code); - interpreter.set_jumpdest_analysis_inputs(HashMap::from([( - 3, - BTreeSet::from_iter( - jumpdest_bits - .iter() - .enumerate() - .filter(|&(_, &x)| x) - .map(|(i, _)| i), - ), - )])); - - assert_eq!( - interpreter.generation_state.jumpdest_table, - // Context 3 has jumpdest 1, 5, 7. All have proof 0 and hence - // the list [proof_0, jumpdest_0, ... ] is [0, 1, 0, 5, 0, 7] - Some(HashMap::from([(3, vec![0, 1, 0, 5, 0, 7])])) - ); - - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![]); - - assert_eq!(jumpdest_bits, interpreter.get_jumpdest_bits(3)); - - Ok(()) -} - -#[test] -fn test_packed_verification() -> Result<()> { - let jumpdest_analysis = KERNEL.global_labels["jumpdest_analysis"]; - const CONTEXT: usize = 3; // arbitrary - - let add = get_opcode("ADD"); - let jumpdest = get_opcode("JUMPDEST"); - - // The last push(i=0) is 0x5f which is not a valid opcode. However, this - // is still meaningful for the test and makes things easier - let mut code: Vec = std::iter::once(add) - .chain( - (0..=31) - .rev() - .map(get_push_opcode) - .chain(std::iter::once(jumpdest)), - ) - .collect(); - - let jumpdest_bits: Vec = std::iter::repeat(false) - .take(33) - .chain(std::iter::once(true)) - .collect(); - - // Contract creation transaction. - let initial_stack = vec![ - 0xDEADBEEFu32.into(), - code.len().into(), - U256::from(CONTEXT) << CONTEXT_SCALING_FACTOR, - ]; - let mut interpreter = Interpreter::new_with_kernel(jumpdest_analysis, initial_stack.clone()); - interpreter.set_code(CONTEXT, code.clone()); - interpreter.generation_state.jumpdest_table = Some(HashMap::from([(3, vec![1, 33])])); - - interpreter.run()?; - - assert_eq!(jumpdest_bits, interpreter.get_jumpdest_bits(CONTEXT)); - - // If we add 1 to each opcode the jumpdest at position 32 is never a valid jumpdest - for i in 1..=32 { - code[i] += 1; - let mut interpreter = - Interpreter::new_with_kernel(jumpdest_analysis, initial_stack.clone()); - interpreter.set_code(CONTEXT, code.clone()); - interpreter.generation_state.jumpdest_table = Some(HashMap::from([(3, vec![1, 33])])); - - interpreter.run()?; - - assert!(interpreter.get_jumpdest_bits(CONTEXT).is_empty()); - - code[i] -= 1; - } - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/core/mod.rs b/evm/src/cpu/kernel/tests/core/mod.rs deleted file mode 100644 index 8d71051c41..0000000000 --- a/evm/src/cpu/kernel/tests/core/mod.rs +++ /dev/null @@ -1,4 +0,0 @@ -mod access_lists; -mod create_addresses; -mod intrinsic_gas; -mod jumpdest_analysis; diff --git a/evm/src/cpu/kernel/tests/ecc/bn_glv_test_data b/evm/src/cpu/kernel/tests/ecc/bn_glv_test_data deleted file mode 100644 index db38ac8c80..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/bn_glv_test_data +++ /dev/null @@ -1,1049 +0,0 @@ -// Sage code to reproduce this: -// ```sage -// p = 21888242871839275222246405745257275088696311157297823662689037894645226208583 -// F = GF(p) -// E = EllipticCurve(F, [0, 3]) -// q = E.order() -// SF = GF(q) -// -// P = E.random_point() -// s = 0xb3c4d79d41a917585bfc41088d8daaa78b17ea66b99c90dd -// beta = 0x59e26bcea0d48bacd4f263f1acdb5c4f5763473177fffffe -// -// # a1 = 64502973549206556628585045361533709077 -// # a2 = 367917413016453100223835821029139468248 -// b2 = 0x89d3256894d213e3 -// b1 = 0x30644e72e131a029b85045b68181585cb8e665ff8b011694c1d039a872b0eed9 -// b1 = -0x6f4d8248eeb859fc8211bbeb7d4f1128 -// -// g1 = -0x24ccef014a773d2cf7a7bd9d4391eb18d -// g2 = 0x2d91d232ec7e0b3d7 -// -// def decomp(k): -// c1 = (g2 * k) >> 256 -// c2 = -(-(g1 * k) >> 256) -// -// q1 = c1 * b1 -// q2 = c2 * b2 -// -// k2 = q2 - q1 -// k2L = (s*k2)%q -// k1 = k - k2L -// return k1, -k2 -// -// f = open('bnout', 'w') -// for i in range(1000): -// k = randint(0, 1<<256) % q -// k1, k2 = decomp(k) -// if k2 < 0: -// f.write(f"{k} 1 {k1} {-k2}\n") -// else: -// f.write(f"{k} 0 {k1} {k2}\n") -// assert k1 > 0 -// assert k1 < 1<<127 -// assert abs(k2) < 1<<127 -// assert (k1 - s*k2)%q == k -// -// f.close() -// ```sageo newline at end of file diff --git a/evm/src/cpu/kernel/tests/ecc/curve_ops.rs b/evm/src/cpu/kernel/tests/ecc/curve_ops.rs deleted file mode 100644 index f107d8becf..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/curve_ops.rs +++ /dev/null @@ -1,321 +0,0 @@ -#[cfg(test)] -mod bn { - use anyhow::Result; - use ethereum_types::U256; - - use crate::cpu::kernel::aggregator::KERNEL; - use crate::cpu::kernel::interpreter::{run_interpreter, Interpreter}; - use crate::cpu::kernel::tests::u256ify; - use crate::memory::segments::Segment; - - #[test] - fn test_ec_ops() -> Result<()> { - // Make sure we can parse and assemble the entire kernel. - let ec_add = KERNEL.global_labels["bn_add"]; - let ec_double = KERNEL.global_labels["bn_double"]; - let ec_mul = KERNEL.global_labels["bn_mul"]; - let identity = ("0x0", "0x0"); - let invalid = ("0x0", "0x3"); // Not on curve - let point0 = ( - "0x1feee7ec986e198890cb83be8b8ba09ee953b3f149db6d9bfdaa5c308a33e58d", - "0x2051cc9a9edd46231604fd88f351e95ec72a285be93e289ac59cb48561efb2c6", - ); - let point1 = ( - "0x15b64d0a5f329fb672029298be8050f444626e6de11903caffa74b388075be1b", - "0x2d9e07340bd5cd7b70687b98f2500ff930a89a30d7b6a3e04b1b4d345319d234", - ); - // point2 = point0 + point1 - let point2 = ( - "0x18659c0e0a8fedcb8747cf463fc7cfa05f667d84e771d0a9521fc1a550688f0c", - "0x283ed10b42703e187e7a808aeb45c6b457bc4cc7d704e53b3348a1e3b0bfa55b", - ); - // point3 = 2 * point0 - let point3 = ( - "0x17da2b7b1a01c8dfdf0f5a6415833c7d755d219aa7e2c4cd0ac83d87d0ca4217", - "0xc9ace9de14aac8114541b50c19320eb40f0eeac3621526d9e34dbcf4c3a6c0f", - ); - let s = "0xabb2a34c0e7956cfe6cef9ddb7e810c45ea19a6ebadd79c21959af09f5ba480a"; - // point4 = s * point0 - let point4 = ( - "0xe519344959cc17021fe98878f947f5c1b1675325533a620c1684cfa6367e6c0", - "0x7496a7575b0b6a821e19ce780ecc3e0b156e605327798693defeb9f265b7a6f", - ); - - // Standard addition #1 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0, point1.1, point1.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point2.1, point2.0])?); - // Standard addition #2 - let initial_stack = u256ify(["0xdeadbeef", point1.1, point1.0, point0.1, point0.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point2.1, point2.0])?); - - // Standard doubling #1 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0, point0.1, point0.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point3.1, point3.0])?); - // Standard doubling #2 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0])?; - let stack = run_interpreter(ec_double, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point3.1, point3.0])?); - // Standard doubling #3 - let initial_stack = u256ify(["0xdeadbeef", "0x2", point0.1, point0.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point3.1, point3.0])?); - - // Addition with identity #1 - let initial_stack = u256ify(["0xdeadbeef", identity.1, identity.0, point1.1, point1.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point1.1, point1.0])?); - // Addition with identity #2 - let initial_stack = u256ify(["0xdeadbeef", point1.1, point1.0, identity.1, identity.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point1.1, point1.0])?); - // Addition with identity #3 - let initial_stack = - u256ify(["0xdeadbeef", identity.1, identity.0, identity.1, identity.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([identity.1, identity.0])?); - - // Addition with invalid point(s) #1 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0, invalid.1, invalid.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX, U256::MAX]); - // Addition with invalid point(s) #2 - let initial_stack = u256ify(["0xdeadbeef", invalid.1, invalid.0, point0.1, point0.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX, U256::MAX]); - // Addition with invalid point(s) #3 - let initial_stack = u256ify(["0xdeadbeef", invalid.1, invalid.0, identity.1, identity.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX, U256::MAX]); - // Addition with invalid point(s) #4 - let initial_stack = u256ify(["0xdeadbeef", invalid.1, invalid.0, invalid.1, invalid.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX, U256::MAX]); - - // Scalar multiplication #1 - let initial_stack = u256ify(["0xdeadbeef", s, point0.1, point0.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point4.1, point4.0])?); - // Scalar multiplication #2 - let initial_stack = u256ify(["0xdeadbeef", "0x0", point0.1, point0.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([identity.1, identity.0])?); - // Scalar multiplication #3 - let initial_stack = u256ify(["0xdeadbeef", "0x1", point0.1, point0.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point0.1, point0.0])?); - // Scalar multiplication #4 - let initial_stack = u256ify(["0xdeadbeef", s, identity.1, identity.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([identity.1, identity.0])?); - // Scalar multiplication #5 - let initial_stack = u256ify(["0xdeadbeef", s, invalid.1, invalid.0])?; - let stack = run_interpreter(ec_mul, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX, U256::MAX]); - - // Multiple calls - let ec_mul_hex = format!("0x{ec_mul:x}"); - let initial_stack = u256ify([ - "0xdeadbeef", - s, - &ec_mul_hex, - identity.1, - identity.0, - point0.1, - point0.0, - ])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point4.1, point4.0])?); - - Ok(()) - } - - #[test] - fn test_glv_verify_data() -> Result<()> { - let glv = KERNEL.global_labels["bn_glv_decompose"]; - - let f = include_str!("bn_glv_test_data"); - for line in f.lines().filter(|s| !s.starts_with("//")) { - let mut line = line - .split_whitespace() - .map(|s| U256::from_str_radix(s, 10).unwrap()) - .collect::>(); - let k = line.remove(0); - line.reverse(); - - let mut initial_stack = u256ify(["0xdeadbeef"])?; - initial_stack.push(k); - let mut int = Interpreter::new(&KERNEL.code, glv, initial_stack, &KERNEL.prover_inputs); - int.run()?; - - assert_eq!(line, int.stack()); - } - - Ok(()) - } - - #[test] - fn test_precomputation() -> Result<()> { - let precompute = KERNEL.global_labels["bn_precompute_table"]; - - let initial_stack = u256ify([ - "0xdeadbeef", - "0x10d7cf0621b6e42c1dbb421f5ef5e1936ca6a87b38198d1935be31e28821d171", - "0x11b7d55f16aaac07de9a0ed8ac2e8023570dbaa78571fc95e553c4b3ba627689", - ])?; - let mut int = Interpreter::new( - &KERNEL.code, - precompute, - initial_stack, - &KERNEL.prover_inputs, - ); - int.run()?; - - let mut computed_table = Vec::new(); - for i in 0..32 { - computed_table.push( - int.generation_state - .memory - .mload_general(0, Segment::BnTableQ, i), - ); - } - - let table = u256ify([ - "0x11b7d55f16aaac07de9a0ed8ac2e8023570dbaa78571fc95e553c4b3ba627689", - "0x10d7cf0621b6e42c1dbb421f5ef5e1936ca6a87b38198d1935be31e28821d171", - "0x1565e5587d8566239c23219bc0e1d1d267d19100c3869d0c55b1e3ea4532304e", - "0x19fd9b572558479df062632562113e4d9a3eb655698ee3be9a5350ed23e690ee", - "0x19469e55e27021c0af1310ad266cdf1d9eef6942c80afe9c7b517acf16a2a3e1", - "0x226ec29db9339d7ffb1bc3260f1ca008b804f78553d316c37203118466bb5f5a", - "0x10a16b4786bd1717a031a1948010593173d36ab35535641c9fe41802d639b435", - "0x294fe34d7ec9024c96cfde58311b9ee394ff9f8735d882005fcf0d28709b459d", - "0x300f58e61d4ab1872f6b5fad517c6df1b23468fcfa81154786ec230cb0df6d20", - "0x12ff1d200127d2ba7a0171cadbe0f729fc5acbe95565cc57f07c9fa42c001390", - "0x1045a28c9a35a17b63da593c0137ac08a1fda78430b71755941d3dc501b35272", - "0x2a3f4d91b58179451ec177f599d7eaf79e2555f169fd3e5d2af314600fad299", - "0x21de5680f03b262f53d3252d5ca71bbc5f2c9ff5483fb63abaea1ee7e9cede1d", - "0x144249d3fc4c82327845a38ea51181acb374ab30a1e7ea0f13bc8a8b04d96411", - "0x2ba4ce4289de377397878c1195e21a1d573b02d9463f5c454ec50bdf11aee512", - "0x259a447b42bab48e07388baece550607bc0a8a88e1ea224eba94c6bed08e470e", - "0x2ba4ce4289de377397878c1195e21a1d573b02d9463f5c454ec50bdf11aee512", - "0xaca09f79e76eb9bb117ba07b32c5255db76e0088687a83e818bc55807eeb639", - "0x21de5680f03b262f53d3252d5ca71bbc5f2c9ff5483fb63abaea1ee7e9cede1d", - "0x1c22049ee4e51df7400aa227dc6fd6b0e40cbf60c689e07e2864018bd3a39936", - "0x1045a28c9a35a17b63da593c0137ac08a1fda78430b71755941d3dc501b35272", - "0x2dc05999c5d9889566642e3727e3d9ae1d9f153251d1f6a769715ad0d7822aae", - "0x300f58e61d4ab1872f6b5fad517c6df1b23468fcfa81154786ec230cb0df6d20", - "0x1d653152e009cd6f3e4ed3eba5a061339b269ea8130bfe354ba3ec72ac7ce9b7", - "0x10a16b4786bd1717a031a1948010593173d36ab35535641c9fe41802d639b435", - "0x7146b2562689ddd2180675e5065b97a0281cb0a3299488cdc517eee67e1b7aa", - "0x19469e55e27021c0af1310ad266cdf1d9eef6942c80afe9c7b517acf16a2a3e1", - "0xdf58bd527fe02a9bd3482907264b854df7c730c149eb3c9ca1d7a9271c19ded", - "0x1565e5587d8566239c23219bc0e1d1d267d19100c3869d0c55b1e3ea4532304e", - "0x1666b31bbbd9588bc7ede2911f701a0ffd42b43bfee2e6cea1cd3b29b4966c59", - "0x11b7d55f16aaac07de9a0ed8ac2e8023570dbaa78571fc95e553c4b3ba627689", - "0x1f8c7f6cbf7abbfd9a950397228b76ca2adac21630583d7406625a34505b2bd6", - ])?; - - assert_eq!(computed_table, table); - - Ok(()) - } -} - -#[cfg(test)] -mod secp { - use anyhow::Result; - use ethereum_types::U256; - - use crate::cpu::kernel::aggregator::{combined_kernel, KERNEL}; - use crate::cpu::kernel::interpreter::{run, run_interpreter, Interpreter}; - use crate::cpu::kernel::tests::u256ify; - - #[test] - fn test_ec_ops() -> Result<()> { - // Make sure we can parse and assemble the entire kernel. - let kernel = combined_kernel(); - let ec_add = kernel.global_labels["secp_add_valid_points"]; - let ec_double = kernel.global_labels["secp_double"]; - let identity = ("0x0", "0x0"); - let point0 = ( - "0xc82ccceebd739e646631b7270ed8c33e96c4940b19db91eaf67da6ec92d109b", - "0xe0d241d2de832656c3eed78271bb06b5602d6473742c7c48a38b9f0350a76164", - ); - let point1 = ( - "0xbf26b1a7a46025d0a1787aa050d0bb83b8a4746010f873404389b8b23360919c", - "0x65adeff3fed1b22fa10279b5a25b96694a20bcbf6b718c0412f6d34a2e9bb924", - ); - // point2 = point0 + point1 - let point2 = ( - "0x191e8183402c6d6f5f22a9fe2a5ce17a7dd5184bd5d359c77189e9f714a18225", - "0xe23fbb6913de7449d92e4dfbe278e2874fac80d53bfeb8fb3400462b7bfaec74", - ); - // point3 = 2 * point0 - let point3 = ( - "0x7872498939b02197c2b6f0a0f5767f36551e43f910de472fbbff0538b21f5f45", - "0x294e15025d935438023a0e4056892abd6405fade13cf2b3131d8755be7cebad", - ); - - // Standard addition #1 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0, point1.1, point1.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point2.1, point2.0])?); - // Standard addition #2 - let initial_stack = u256ify(["0xdeadbeef", point1.1, point1.0, point0.1, point0.0])?; - let stack = run(&kernel.code, ec_add, initial_stack, &kernel.prover_inputs)? - .stack() - .to_vec(); - assert_eq!(stack, u256ify([point2.1, point2.0])?); - - // Standard doubling #1 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0, point0.1, point0.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point3.1, point3.0])?); - // Standard doubling #2 - let initial_stack = u256ify(["0xdeadbeef", point0.1, point0.0])?; - let stack = run_interpreter(ec_double, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point3.1, point3.0])?); - - // Addition with identity #1 - let initial_stack = u256ify(["0xdeadbeef", identity.1, identity.0, point1.1, point1.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point1.1, point1.0])?); - // Addition with identity #2 - let initial_stack = u256ify(["0xdeadbeef", point1.1, point1.0, identity.1, identity.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([point1.1, point1.0])?); - // Addition with identity #3 - let initial_stack = - u256ify(["0xdeadbeef", identity.1, identity.0, identity.1, identity.0])?; - let stack = run_interpreter(ec_add, initial_stack)?.stack().to_vec(); - assert_eq!(stack, u256ify([identity.1, identity.0])?); - - Ok(()) - } - - #[test] - fn test_glv_verify_data() -> Result<()> { - let glv = KERNEL.global_labels["secp_glv_decompose"]; - - let f = include_str!("secp_glv_test_data"); - for line in f.lines().filter(|s| !s.starts_with("//")) { - let mut line = line - .split_whitespace() - .map(|s| U256::from_str_radix(s, 10).unwrap()) - .collect::>(); - let k = line.remove(0); - line.reverse(); - - let mut initial_stack = u256ify(["0xdeadbeef"])?; - initial_stack.push(k); - let mut int = Interpreter::new(&KERNEL.code, glv, initial_stack, &KERNEL.prover_inputs); - int.run()?; - - assert_eq!(line, int.stack()); - } - - Ok(()) - } -} diff --git a/evm/src/cpu/kernel/tests/ecc/ecrecover.rs b/evm/src/cpu/kernel/tests/ecc/ecrecover.rs deleted file mode 100644 index 2453ab1a22..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/ecrecover.rs +++ /dev/null @@ -1,96 +0,0 @@ -use std::str::FromStr; - -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::run_interpreter; -use crate::cpu::kernel::tests::u256ify; - -fn test_valid_ecrecover(hash: &str, v: &str, r: &str, s: &str, expected: &str) -> Result<()> { - let ecrecover = KERNEL.global_labels["ecrecover"]; - let initial_stack = u256ify(["0xdeadbeef", s, r, v, hash])?; - let stack = run_interpreter(ecrecover, initial_stack)?.stack().to_vec(); - assert_eq!(stack[0], U256::from_str(expected).unwrap()); - - Ok(()) -} - -fn test_invalid_ecrecover(hash: &str, v: &str, r: &str, s: &str) -> Result<()> { - let ecrecover = KERNEL.global_labels["ecrecover"]; - let initial_stack = u256ify(["0xdeadbeef", s, r, v, hash])?; - let stack = run_interpreter(ecrecover, initial_stack)?.stack().to_vec(); - assert_eq!(stack, vec![U256::MAX]); - - Ok(()) -} - -#[test] -fn test_ecrecover_real_block() -> Result<()> { - let f = include_str!("ecrecover_test_data"); - let convert_v = |v| match v { - // TODO: do this properly. - "0" => "0x1b", - "1" => "0x1c", - "37" => "0x1b", - "38" => "0x1c", - _ => panic!("Invalid v."), - }; - for line in f.lines().filter(|s| !s.starts_with("//")) { - let line = line.split_whitespace().collect::>(); - test_valid_ecrecover(line[4], convert_v(line[0]), line[1], line[2], line[3])?; - } - Ok(()) -} - -#[test] -fn test_ecrecover() -> Result<()> { - test_valid_ecrecover( - "0x55f77e8909b1f1c9531c4a309bb2d40388e9ed4b87830c8f90363c6b36255fb9", - "0x1b", - "0xd667c5a20fa899b253924099e10ae92998626718585b8171eb98de468bbebc", - "0x58351f48ce34bf134ee611fb5bf255a5733f0029561d345a7d46bfa344b60ac0", - "0x67f3c0Da351384838d7F7641AB0fCAcF853E1844", - )?; - test_valid_ecrecover( - "0x55f77e8909b1f1c9531c4a309bb2d40388e9ed4b87830c8f90363c6b36255fb9", - "0x1c", - "0xd667c5a20fa899b253924099e10ae92998626718585b8171eb98de468bbebc", - "0x58351f48ce34bf134ee611fb5bf255a5733f0029561d345a7d46bfa344b60ac0", - "0xaA58436DeABb64982a386B2De1A8015AA28fCCc0", - )?; - test_valid_ecrecover( - "0x0", - "0x1c", - "0x1", - "0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", - "0x3344c6f6eeCA588be132142DB0a32C71ABFAAe7B", - )?; - - test_invalid_ecrecover( - "0x0", - "0x42", // v not in {27,28} - "0x1", - "0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364140", - )?; - test_invalid_ecrecover( - "0x0", - "0x42", - "0xd667c5a20fa899b253924099e10ae92998626718585b8171eb98de468bbebc", - "0x0", // s=0 - )?; - test_invalid_ecrecover( - "0x0", - "0x42", - "0x0", // r=0 - "0xd667c5a20fa899b253924099e10ae92998626718585b8171eb98de468bbebc", - )?; - test_invalid_ecrecover( - "0x0", - "0x1c", - "0x3a18b21408d275dde53c0ea86f9c1982eca60193db0ce15008fa408d43024847", // r^3 + 7 isn't a square - "0x5db9745f44089305b2f2c980276e7025a594828d878e6e36dd2abd34ca6b9e3d", - )?; - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/ecc/ecrecover_test_data b/evm/src/cpu/kernel/tests/ecc/ecrecover_test_data deleted file mode 100644 index 115e969130..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/ecrecover_test_data +++ /dev/null @@ -1,184 +0,0 @@ -// // `ethers.rs` code to get ECDSA data for every transaction in block 16141392. -// #[tokio::main] -// async fn main() -> Result<()> { -// let provider = -// Provider::::try_from("https://mainnet.infura.io/v3/c60b0bb42f8a4c6481ecd229eddaca27") -// .expect("could not instantiate HTTP Provider"); -// let mut ans = String::new(); -// let block = provider.get_block(16141392).await?.unwrap(); -// for tx in block.transactions { -// let tx = provider.get_transaction(tx).await?.unwrap(); -// let typed_tx: TypedTransaction = (&tx).into(); -// ans.push_str(&format!( -// "{} 0x{:x} 0x{:x} {:?} {:?}\n", -// tx.v, -// tx.r, -// tx.s, -// tx.from, -// typed_tx.sighash() -// )); -// } -// let mut f = File::create("ecrecover_test_data").expect("Unable to create"); -// f.write_all(ans.as_bytes()).expect("Unable to write"); -// Ok(()) -// } -37 0x71e206f9a89076270d57e93486946ce5803dbcb76279780aa41bf258763fad23 0x5f7e34e4a781f7572f8192b845de80fe24d77f13552dfefb67e03c94388934c 0x7a7f78a2af5aef01a889e8713083ab77dcc9fc9b 0xf457bef979aae3c1cbbb294a8f015a8e149a60ec0146383a4bec6fb097098d24 -1 0x57d71702dde291f2d7c6ea8b9d8172523b72e93db5a7426c5b898bb74d555a3b 0x47303ce56b157b8c237bc0206a610975ef690bd71912315a35fd01ea428b7520 0x1113efd5c8896ccf251ea360bb9d91f113707f80 0x65a5c566f3dea5f436bb33e8803be619c1c6d3857b0199335630e643a1e3774c -38 0x6cb3fd5d878b8b234906bc447c9b6abac34fec019d82d1e1419874bff40f08e1 0x4de3f2f5babfa400a014739e705f64219824ed75ab16058835452366e00b7498 0xea320901e51d9268a7f5789d305b1330657fc52b 0x3c922df979a5c1922d2baedca63215577d603b13b72862b57fbf240ca501bb20 -0 0xa34136f1b02ba36d0644d6aa695bca911c9a7ce5e19272f97b82056b03f481cc 0x26eb167cf65e0ce1f8f0c3809863e3c8542f706b8ef07ad849793fe208bcc7e6 0x4e80744fa23cec76e1621ce0dfaceb4b1d532e12 0xf4e022d9b83d279611395823e4b436d1b795054e59d0ddc663c42c41075026c4 -37 0xf4fa7bd652968977947eb8a9bbb216735ded98405e95555cafdf48615c1d4866 0x77545ac93bf7065641161ec455c23a8fe2b0e6f1f9d8ab8efefa39e6ae3ae0 0x9acbb72cf67103a30333a32cd203459c6a9c3311 0x2727dd81db2f9141fe2828b150dff11b073a825b88e514b1d33f3bec117e3c5a -38 0xca14396f151b4c21129bb15c70db48c97969809f681d7521841d2dea13bd7be 0x3438d0e665fdaea72759ad3db4bab68674314cb50d902fb58a57ff8f61c89703 0x595063172c85b1e8ac2fe74fcb6b7dc26844cc2d 0x26c3de6bd2e155436e031928d2cec402853cf6797a4718cbcc89b48ed05d623c -0 0xad3fd1fb3cf701e53cd5687926ca64b2fa978a062efdb1f6d78d15c7610ef5e5 0x33c82cf8f9cc1072307ac99ff833c76775e0a4c5cb0a177eb4b1b415cb96239c 0x8a89e016750479dc1d7ad32ecffcecd76e118697 0x548757e275d1152805810855b75dfbe12a421023aecab6da0cfa257156695d53 -1 0x95846057f4d5f4e8940f9f16b17d864b60f89a85257f5256988ce75748d24450 0x6a3accdf56960dcc8541971a12484022ab54d1359601dac5b93072e5c55e1f10 0x6da4980ab9a35ff025774203e721a4f63f78f953 0x8814c7e0039cb36f6050a9c5c72095f492bd50f156f3246c516be072f4a7b1b7 -1 0xa437b58f9d8dcb09593565cd607ebcc9ac72df40380d35332d1cc8e3e242e61e 0x6391ca50a4be1ccb9f7e46d4beae2196984f88ef0d3e9bd47a85cb2ad3d2aac5 0x19ff156cbeaabd04ffa2df84eb6eca93f266ba0a 0xe3ea3b265ff5bbf8746b3bd81c934ddcbfda502ca3047bc2fb41d6218c43c8f6 -0 0x912e235df87ed93dcfabb8646e4fbe7a5b5aac00a27b0c0795492df682311f01 0x4a08239f03720362976203222bd9a60536746a0717e951d20656149833ee8aee 0xdd0eddc7d2ac6fcc3a8bb54b4d329b71f96ec8ba 0x8e65adea948f96cdf3dbf74b65b0611455c6c8d8295715744af921a3d2b73fb5 -38 0x1c1f7fd0febe597836a8650dce0e8c72e1b506dfaac11aabb909821a77fe657a 0x23fc3c8b0e73eb6077a9e861cad7e38ea26920ccff72aa46616b241ae16eefa8 0x120051a72966950b8ce12eb5496b5d1eeec1541b 0xa2f59b3fb815c9d3d5ad410e793ec97962032e965f81ecb07bc8606821faaf7e -38 0x88de71d84e271c4213391d1f78e47d2c7efb017b8b21fdebc97b8e2fc0d121f4 0x17a58f16c998f04e22577b88484ac1f7493a0473d2eb4dcdf5ccd659593712cb 0xe93381fb4c4f14bda253907b18fad305d799241a 0x2614f325a54ba5bcff2bb9221bda406e7ac17515a94abfc85e8764340f28f3c3 -38 0xda16a02577ac6d17701ad03320d1a1786320b7941680ae242d9faf5b117d5c2a 0xa475e4d3f36b7afa9af0e558f5ffb68377ff001d7f842b118416840cb7ed231 0x1062a747393198f70f71ec65a582423dba7e5ab3 0xe5bccf131464da99d721c610b1bda164418b645dfba3c98f01c5048e8dfb7934 -37 0xcefe9615f951106d5b52ff9f5e07c42319c998b70c3d291eb2218dd0c497ae18 0x52fca3109c234eac060b8daa57f673fb6b8b2c1278fd6a167f12deaee1071819 0xc55eddadeeb47fcde0b3b6f25bd47d745ba7e7fa 0x22cf2c4159f1fea8c78f1175b8c7f3743b31894525f5c272f027f8b20b56eba7 -37 0x8ec6fb0236f0a39bca70802551fab9d7258346399f6deb0bfab834af93beda56 0x6f273debd0a0e8e98ac63d6078d23fa93a7b5786a7456bb5cb3fecc19b1cebc7 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88 0xfafe13916c038b9b01e476ef5675341a75bd39f198500732b116221d92620781 -38 0xb244a0d2c66cf36f35455ecd8731f2960c64db35603ad2a76ffa34d22bdb821f 0x1a7038fceb3cbaa08fae08d5857192e44dae37666cf841b11c6e2bf84e655078 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88 0x17c8c48fb411df67de52aee98dc4a586f3725704199761f5bd23158437cb5872 -38 0x59ed90e66529f9b21ff820ab501e5ee0f18dde32c1debd66b5dc6e3342032b62 0x3f4b7b15b0af3339d791c8e73a7976d16bbd91316025d256d9161ff1ba894c69 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88 0x4a34d102022fa077a95899e102ef294cbd5941145fce1e29e2af39c6c831ce77 -38 0xd2bd67f5a2ff75cc124ebf944f7c26d87172d580cd92493d50002af32781c02 0x6536865fc12e5121a546458a45b480ca4a14b71d1cb899cf53c936044ad756f 0x75e89d5979e4f6fba9f97c104c2f0afb3f1dcb88 0x8d635892680e858fa7c2564751262f0ef074134ac6a46149b1ff02f16c0276f5 -37 0x274407742377dea657519cee052763f9f0247fb2fc8d6a587d3290b4056abd2e 0x1ab13a59094aaac36a7292c7cd6814d11119bd34363f313c993e46f4a4fe157c 0x97b9d2102a9a65a26e1ee82d59e42d1b73b68689 0x9d22cf1bda837de201fce2be661c2bcf5e6c3829fd75f58232a7200fe89abad1 -0 0x9613c1e52f935a04483aab79c0ef76f8d427f79feaa2543ba4c94a91cbff7f6 0x3d75a82cae83a3647c248f44752185b662055ef9f3f21abf2fe5260f6885002d 0x86e122e39d467eb13d82765881cdd944c94ba922 0xfe0f34ef96a36515135bff2c1fb7964a552c0bdfb88a1ad773414f2a05c77132 -37 0x37f09f9d9d034a9ea8892c3a7b4826de643778f59e217ded5199d5cd32b3237a 0x311f3b9d4f7d771015eaaa0a1c2cd5759ed798902ecc03632a18de47c078149a 0x9cbf099ff424979439dfba03f00b5961784c06ce 0x9d08d5163de3f8437d991d7fff25178eeb821ae6e272cbf42a86f4f1a22023b1 -37 0x28210d2f4b817744db46b71c7c993fd3318ad30a96975678f185cf5e8067b9dd 0x646aba390d36afcce34eeb928b92c8d0e12cfc5ad598569045de59d4b2de3526 0x41d9294128b6c8815dd92199700953220b1bd375 0xd4711cb46f4155bb887a2d978f2c4d877cf9bef8122ca0d30395d5815bc5a886 -0 0x4455fa740404acaec4e670be00843afe7cc6cfa379108ef02eb8368210791943 0x83f2557e17faf4951e9cb767b278f57487776927928cc53f5f1e4f028982cb1 0x0b5c4a7fcda49e0a8661419bb55b86161a86db2a 0xe676662e29b77af78c77311801b74666dc37ca016da761c164a3ddfe971502bf -0 0xdfb1180544b6b942c23ddadbe4561c821dea1727735fb4442c2c0ad02185111 0x6524e1961d5357471ab6d7e4ff52fc434c88a962ac0a8f203dbf67cb4e971727 0xdcdf0feeede933ceafc6131b663f1ee210ac61ae 0x6f9cf3180ba5ffa60436b7539de12d8b11e0343810b0d3f85d6457745219b86c -0 0xe3f04a7f4b367c274a018bf88c3e3929ace1ae203e6cbceb4809f4b6453b665 0x57da3d1b4b3e6adc031deeb9baf408b241d178e12577c105f97d15eb71945151 0xdc5432c573a1d4874d305a5cd7e62aed2b0bc522 0xd79be8888d4ac1d12398740b93f7cf5adbffa332356677973663b2580d45c7e2 -1 0xa29cc033a00f3efda65699bba97235eeede560f1adb51d307a168a2db841d8a8 0x6f761fa28ed8c0aa16773f7a11ab14c34dec9d31a085887a798dabcd00fb1905 0x19f494583c7c933be7b0ee58104ddafac1e8adfa 0x21f2778f84b87d28bd417f57a952fc3b86b86641717008fda61ebfc956dd7166 -0 0xa18dde11da20682e5d3904fce5591b2d499bea1980e113a6b851a786f9551415 0x7f29dab88a65cb3cef6b8fdd633e61f565ba385459998637b4e54de7a69c017b 0x4a3646402d1aed59cd97972474beb7d1c68b303d 0x889719b175613719e30dbdf7c59b0766ae3a642c0700fb43e6959b369796e218 -0 0x563776eb92b4ddecc85ceb07b5968ed78b47956554735cfc212db00e03fdaa04 0x28bac43c2efd049b4e9ab7c46d5961e216da1baab59c4e2930bf19ba146c5e21 0x8216874887415e2650d12d53ff53516f04a74fd7 0x4aa2be7cb95d651d91b8feb3d32c04f4abb1c8c36eb0b2c88a72b1a1630cdda3 -1 0x24dd078a4a604496c592fd0568c50e340c2df5d3343392b62f6669128c43777d 0x54a4e08b684ed36cdf20f132164ec18599b07763da289787ef4ecd21635e7bdf 0x64917e321c516a2dbdad48bef7e923873eb7854f 0x2335ef16b1d02b9e206f952b7d98bde5f453afd6e95391a6083fc4d6fc829e2b -1 0x96942017e0365f7e059d8822e8bdb10f772e186e5f6dec136baac903f037863e 0xd94dc604b36c0b77740a4bbf70a051d239185611ee36f2a6224c8604b638016 0x0e7518b332f469a6a2f59e690f225cef5157cca9 0x62b0621f47ddb24e8581b2165cde8f4f883222c991fcb1ba2610d01948a5882e -1 0x5e5f424b80fb1351a178d36348840d9bd5cf363c78550d829322f21b58a2adfb 0x41a2fb3e6fe3c5a4449106ba5fd2d0d5e9efc10e26e8c17e7133fecf6faf138d 0xa7fb5ca286fc3fd67525629048a4de3ba24cba2e 0x4a3adb07cc5bd5b0cd6dbdafb1d643e41e353c9ef1cf83ac1fda32815b09d461 -0 0x17216ef4d8539f74333914926d1fdec20b06ce4594d846af59bbb0995ad80bdc 0x5806f2eeef10c734ac9e577f3a7c73b338ef2553238b5543a1c2dcc35c3481b8 0x7f72687d4981e85d2d2746c17a0219d8054a2148 0x9a3fbe852ed1abfe59e63eca1d8e2453a1060fadc622360d4f6bc40cbb8e326d -1 0xf765aa91e69fb3436969124c747b888e705d49e8150a63a545343ade5a425ac6 0x19235da122cf688b31101015a9f4c67ddd557f7139206641182187c308f608ed 0xb6e145b74eb1a016231483272fb622ffb68d3d7c 0x2537f24f5d73879d63799050aa0eaf5fce44bd670068aa2b1b997913859106b4 -1 0xa2c13c62165475ed08b64524b7c9a8c1e6f7d4fd041c579eca29306c0ccae15b 0x3fab181d182a0f0d9768d75bbb8461f2a9a6b3416212e8b91209680e29c5a31 0x24c09a812b6419ae0e929b95d562f635097d4590 0xf9113ed129138f590b498a572380efaa06b59e436689772534842d7837e092e8 -1 0x3dd17bdd0a94e61f79b21917b937bb45cac40ee88cb37a09c987ddd346ee551b 0x32017f92d89ed4ac0f4a235c5f6f41982faa4341076ac2dbfb29a7a8efd15e1b 0x41f0bbe07573e14944304c0a544c5dbe6f468cf9 0x7df3db64dad8bf775cd8e6e585a61065cc739ec914cde160b3aee6d0bcfeba72 -0 0x7ab5cbca681be515dce228b1fb30dd588e1fa9eaeee60a9c869a9e4d6a44da8e 0x6567506dacb0bdf3be1aa5ebd55bb97b159258d728d7f2e54034555648c434a8 0xf031dd3ef38f677b55e8c4a191c3b9e343c07758 0x76a21141c922911e735c493c8bac70d04c6c83af1793046cc74d417deb23c8ef -0 0x541aad8b51542ac5f71abb002099c2107dc0a87da05751675deb23f683fd26a8 0x51b3820e49ba8cb365fcffb97269a30b826b509eaebc05b03c37be93ffba06ed 0x9079caa7968d77ca87967ced769bb4fef312a834 0xd570c731edcc02bf4f06f3631de76b4e2427fb64f315e9ea94080125d4478818 -1 0x896ac1bcf80a4a2c503f92bb030f0db43aa545e8f44693955b4f577bc6df260a 0x65c170a802c5b98a4567dbbeff8ec95d55434eaad260c12f37582334cbe013de 0x792eafab3593fd79f01c8dd5282965dec1bba51f 0x2c9a7a5e841d0a432a3d09a657c0a465604467f4ed0a8bf1d34583d2f49245b8 -0 0x9cd74d9898571e0af4e013337231472e033d7b95f70523a10f7122eb4a63497 0x4494e798d8905e9662b48b99c89835a2166b070be8581ede50bec94cfaac332e 0xaa9a1ec22aef4fd5119eafda899a72ffa0cae258 0x5c378afcde7290d00b044893da06469e9c2181a1558598a85830c3bae8de121f -0 0xca04356a33bf7351027ecc535e3e08537abdd333f2907a98e7d16a2e4408997 0x6871c6fdd8152913909322eab21e55baa51ec4bddf161b0e7d71251da17e3b9e 0x4976a4a02f38326660d17bf34b431dc6e2eb2327 0xe814b149e4d1a7404f17678f8a845795364f99fb830b9db51a84421ae4891f17 -1 0xd390febaf6781e5ddaddc823f1791c133b6818588e4d071248e7c3418977c2b5 0xbd2a753d9c86388a052044df07193bdafce4d5dd36e4a4e3973ebbdf0a7bb91 0x4976a4a02f38326660d17bf34b431dc6e2eb2327 0xc20c2be74014e4d9032c422635038ec1ee0925b2e2da0b7922f5f3c0d2d3ce25 -1 0x54c0524f19276d1404c067e69f7288ee5eee955ad12226daec56d74b7894405a 0x4335aa0002e02ddabea351271f791f0a55f69119a88a5dd64048bd7c241c57ce 0x28c6c06298d514db089934071355e5743bf21d60 0x59c08d63ebe74a3ac3c3d2dd65e813ece338b4df7878d5842732a24b3bc886fb -0 0x3f5bd3f07b802df407ac00f150b6b091f45a877c4dbb65c9d4ffacda8cadd858 0x4b02042d475f722e862608ebd4625dde1fe5b6c18a09025d61694e6e1a986ea6 0x28c6c06298d514db089934071355e5743bf21d60 0x2d81d7671ecfd4830d97fb7f2fad04440062a3cff4f10bfe7fb2f458fdc758fb -0 0x4a704b00ae04e370b365d5d1f7d54f5b4554428bac0db7f24cb2d8e52b66a045 0x705197257bc2464a40381a5a6e062cce897e621013ea10c9647bafe1156ac2a2 0x28c6c06298d514db089934071355e5743bf21d60 0x368efdc35f07630059054c541f0cc8c259d57c2de9dd57fb3b72083f2fd1ca0b -0 0xee6ee3b45d0bfb27c6c424bfe3e268b5c88c0c0a09863005e907f22cc9935aa6 0x5c5ff76d39ffc6483116642b4b9d4ce851fd9a30f3a6c7ab963c1e2e151d82f8 0x9696f59e4d72e237be84ffd425dcad154bf96976 0x9252f22653436777ec2df3e6f5d532d11cf7c4e1084bd4e86c0821cc2ebc719e -1 0x81da46ac5a2c6a97e4c58a5e1081b6d68f97971bbd27a22cc3499c31fb557ded 0x140b455d2d09f1af1fea8777b828662b3b348265a5f9b336b4edc149434967dc 0x9696f59e4d72e237be84ffd425dcad154bf96976 0x2d03a34ba34a3ca1a8c8ba3cee10f0ca128c36f211b7e50b8728651fc8544d39 -0 0x60064f428d0d60a5bd28057f4b86e82c0d5592b3bdae2feea0d79881e5f72fb5 0x774b1055a8f27c9307bbe7eaaf9029bbb7e920acd9c0038b0646eb0538ef38fa 0x56eddb7aa87536c09ccc2793473599fd21a8b17f 0x0432c2c29c6bfa4242054e26254776f91678f21c99e672eddeccd3b9b2f92729 -1 0xc33b4f64a2183316ad21136cb72cf4f2260a864561cde658fd8a6ab5764a2f8b 0x59f25f6bcd7643bb349495b8816db070cad1776d6d6e18b0b119fbf9d8e4d001 0x56eddb7aa87536c09ccc2793473599fd21a8b17f 0x086ce311a8a9090542543571cab974bdfbc6c44abda76c8828b02672335da789 -0 0xa758e894173ce8be91f4d5544a7ba339744bfa95b535162a03acb61f5a9ea09a 0x39edb3cda1abb60a2ebd59636d9375ae08776745cb1a962eda45048fc1bd234e 0x56eddb7aa87536c09ccc2793473599fd21a8b17f 0xcf40ff9251650690129f50bc19a5a395ecb7d9b1bff94d16b14d759394f428e7 -1 0x50e249764da0ce92ad0e832b544d7526729eacfc43f3011fa6f555cbb6d394ce 0x52d85c3e2d5fc6505078b3200676e8efa8ef1626720938ec52ec3cac9f44ad33 0x21a31ee1afc51d94c2efccaa2092ad1028285549 0x584f942852d1ce266b8159c971f552e5b1692809b0fb98489e3605811b7f5de2 -0 0x673b134b030bc26cd02e4cea1ddd63effbdf0a178c9cacc932c2440042e1e18b 0x2aa60ee96d3dc050a0558fde204f482a85cb246ca431416b9ce9d18290a213af 0x21a31ee1afc51d94c2efccaa2092ad1028285549 0x978cbde7348b61241687919e376b531e1e9ab62eccd5c90c6fe2a8a0226e3689 -0 0xd626eabfbd7555bbbfde2f763b342a3145e85407efe2d2616f5138f816b73d11 0x217cb61fdf4d4a342cccfe81da91ed5fee89bd7e0d66218564c5cee47cbb6050 0xdfd5293d8e347dfe59e90efd55b2956a1343963d 0xe364db52cea6b264fd6f311bd700f91aa300194d4972f8f33cbd1dadcd5093af -0 0xe311926be6a3abbf18ea2d8b71559b60679acba9026b6a2870e1bbac1467f91e 0x21c747f249093f5772501f380b56b42e96a8ddf77bb592f377b9bfea06d9e0e2 0xdfd5293d8e347dfe59e90efd55b2956a1343963d 0xb56f149f71adaaf2674917db32c1cd864214518c58cf5574703733f924e873a1 -1 0xd4b5e0226fe10e85df2ce70a16a1ca5422bcbf83a685e6da2be48bc388c932dd 0x256ca3b5e0f3c0b422f441bed3ae5f851347990adfb2d11cf79879f54bad2cf8 0xdfd5293d8e347dfe59e90efd55b2956a1343963d 0x1d5ffce90110bd94c5d7810642e8283e721e33aa987d570b1593b04ae17b8377 -0 0xd50421f2321a69714cd7a52ff57c4c3482ca01a94eee507afe06828c4e47898 0x27e919a35fdc99ceb109873286aaeeb3e90aee201211a14496192cb80e8906f9 0xe6ab9e371e39d1daf921f24cd83ae3c837d2cce5 0x785488a8196174e5efb61add20c39c19887fa1cbf6c2c4e6f2ff9db79b966c52 -1 0x71e9f2b77a94f63614bac8249564393fcf3b3531ccf23a232b3be77ccaf1f18a 0x445c4e2eba9856f71c6c7b6f5eb81e1b451c39086458ac88f931667a1705de5c 0x5804869f1e8a5b99f2eab8c6b1943bd0dd5b26f3 0x340b702ff1d5feb24988a865d19143b47854f8526c04bf427be42e7bafb37fc9 -0 0x742855759e28bd15e07562aa6f35ff93538daf448ada687416fed7844e793658 0x73fec36e58ada180a2bb4a8847142e8ed88047d485d926a226bb8fc2feb1c804 0x1d05754e9cd39e987a34343cc862a82370942e93 0x2b0b92eab8fff875b52a21071b2ce8dc23d56652ffad308a0ff14719e4dd81b9 -1 0xe05dc5b2eadf7292c2c3c14f97e08daef9dd1aa499ad11a235d77ef4d03956a3 0x119e1653354da4b22fb38cdb11fe3ad1d18d8d174812448a6f8dd412f7ebf812 0xe41ee97cfb75f1646d143aee40fcb4991450aad0 0x2dff8c6bbec665b3bcc66782635d9192025aa733a09e7c2dbe10008e15317c08 -1 0xb1d0d41adea5daf645b5e0600f2e451aae67b2eaa191d2208db210f6a6fc61a9 0x1dd9aee6dd6cfea5c8dea1b93f0cb55c97f036c0b91fd0b167a479c72a8e84d1 0x5e746b94aa1fbf9af9559c6e04a93ef0a7abd0de 0x95366c33a8a3012c6273656ed6954e28f790943c0fdb2fcdd58290b00e853af5 -1 0x76d1a4d73ed92b786f848998c7dc8643aed6d80700faedfdf1c7c54fb8af0775 0x59f7addf6dc96f924714bb1727513d2d546ed11913087be3240f7a91b87d1d4a 0x170b4cadf7deaa017b1f595de5ec7591f7a686ea 0xb69182c459c9e8d84abaec3af791abeec972544eb880845b361e43daf36aa66b -0 0xb32e62641c4428e8d24e65ade6b2046b2deb890b887a89334ed8118f6f4f38d6 0x3b088d3fd2d2842f1a16da028cbff9d1f5014ee35f914e665538ac4c4936b548 0x285b3bc1f46d2bf1142966a5e1c4834b86b82aba 0xbc9b62e2e020145c9fe7933a0de0d6112fadab5f8a6bf701f5c360709668f743 -1 0x1dac69e7c23884811a95371d7b91e65ed6a364cbb5eee706bb560858759b1206 0x7a1b11dcc4f7219f8a8ed4d72357b66d9794fe4beab2902f5049e4e9ab64037b 0x5ae41ec3d27c0d14809be1786f35aaad447643af 0x9b21f4d49fd6e579933afb48b6535fd55ba2060a123bbd0263657622cbfe696f -0 0x51a7b36b6d1b7fc9d2cf6eacc16aa98bfd9d36a40d06f390cc2887dd3b064c19 0xbe87f07c87c4ae834004a8dfd4ed9e3e08b7a639aebe4f3235f745a05071f74 0xc6d7425c44ed9ce936578f8c150b6e589f9b0b92 0x793900f4ac8f983513c4fdc6f8603fb8dec6a21965cd8c7f64771c167327976c -1 0x5965e82f900e7f98922584a7aaab65615c69494054f9a0dcbbc50502c463d13f 0x23217a916260a082687453297be97454bc64e5d1617d9ff9973db5485f7fb235 0xeb2629a2734e272bcc07bda959863f316f4bd4cf 0x0386907e53874176bcc54754145fd0e8602730f9ac1ab6e680a4acd6ad584b65 -0 0x73b358681787d5541d791f3e97f851ccb6cf55b91e2c5640b52b4f3ebcf95666 0x1375414789a136c47ee9df880858d5f729b8da5b6776db925687ab58dad50880 0x95a9bd206ae52c4ba8eecfc93d18eacdd41c88cc 0x438abe80d5baf46affeca09ee17b6f85ffa3a8c438520c8a805ca95173d09fc1 -1 0xc42bea9052ad930f8041eaa138d9062a57ea4cfc53c109d429fa9fc10d01790c 0x758222e7ef5f17699e36737b1a1bd8d2870185cc80d42a7caf0b189238eebf34 0x95a9bd206ae52c4ba8eecfc93d18eacdd41c88cc 0xf8dcd114a2a0961f9614764ad17a1cc1b0d22106dd3275fa8d62a20a3cf6e0cd -0 0x1b42517479fa75ee42fe8b1f26dea68fde5f0d8777d32ccf94357c94e4a2b90d 0x4f82ffafaadbba64bc338890ad1f24c278dfe6cc445efa4e7a55b6625f905056 0x95a9bd206ae52c4ba8eecfc93d18eacdd41c88cc 0x164372f5e578564fbe521627f408f8ebddc6310ef689dbbfdf4d7d3c7e65bd4b -1 0xf4894537eabe5b3c19638fffa3416049469a3a216c8e5a97668c035cfc9e07d1 0x28b06efbe60e625e1be9cd81448a9b240b93a76657c1a18844d368c617ba882 0x2f043b4bb857a7f4b6831219184dac3105aca34d 0xdb1e4681868be2072d639150c9cff48b4e7883fa6c2c6665768389e5fa4f469d -0 0x480de57d4582c3a33c16f1049e8261a0b27df1d9e34a77e41c9d45fef01e2142 0x4fb836362b300da267c0273193445df1ed68fe28327d87acc2a22e583e64749e 0x7830c87c02e56aff27fa8ab1241711331fa86f43 0xe967340f3203ff60407a16976795d14c3fce0447a68f4b98ba98d4176057afcd -0 0xf80a9f48dfbcf60ffc4fba1c3a820bee256006608db5267fe8ea3d38949ecbfa 0x58ea47140e36a6754e2674bf5f13f444ebb9efcc076aafc9b925d531e14b456c 0x7830c87c02e56aff27fa8ab1241711331fa86f43 0xae9506abfb4b1aa41effa3510687329b80e824241e7e60e18c7bb3a2768f151e -0 0x816e21a58cca55cb134caf496c8c7bcc247d63a74ceef9bcfc505cd4382fd20f 0x18e9867681a483785254bc2bc23c0a6ec5fe7ab98fffd7bab2ba2f69edc59ceb 0x7c195d981abfdc3ddecd2ca0fed0958430488e34 0x1c416922452e82a5c2910d7b481923a0d3fea94856707acdbbe88842401b7473 -1 0x99f8c14bf31ec945e4bdb7af86b1d584c3263e0304aaaca78a804d5db56fcbb5 0x2e2958ece32f5999aedcf12d20a16d52dafc4296744985fd171958d95d948bb7 0x7c195d981abfdc3ddecd2ca0fed0958430488e34 0x3cd70e64bba999d4c64ecfdca7257b59d3aa8c6f034bf6adfe8ee5088c17cdd0 -1 0x221b8aa1c94cef0192f7fe4499d18e2404d463e98d4840006c606b36cc5ab5db 0x3e26c8ee8ed31948c4fd1dde9721279647ad4e17238deb46fc668feb47582d6e 0x9396d062fef353765721fa3f700fe858703a4a48 0x03b4189ff4b99e8378f60d10e10ad47bdee0e9b56828162291c60ec3ff6b74bf -1 0x28c8e1fff48f440d92b877725d28e5d31ddbefc59412caa2559d07fb74dbd4dc 0x32833c2b615db914646a55b3d16802901476fb2f1c78a73bb4d98dfc8521db63 0x760418292d007fd98e392ee3750876c27a6460fb 0xa3562fdde603f1da197b6824b951d8f4bb70b839129333b18b6f71897a67bf30 -0 0xc906182e3c40e1f5d259dbb4cea62d2ef3fec32efed97cd307a68e38bfc1761f 0x39e57fc10bbec73cc8521dd1d2db3b86d2e9b0f03cc73fc2ee0b5b6a3df28180 0x747197638a7af760e221636405c747aab7952cc6 0x7e689bb1704555c3dc0416989cfc372199b5dcf14819a66809c1a8e2dea8cec8 -1 0xed0248a764b72ccfb9549c1d17c855d8c810e25c829bc78f81bb22ff96f899d1 0x487912ba2a9979735b05ccdf0a777fba98923139e1a1b5cccc1068640b202a6 0x5b8972964bf9076eef6610e453a014516529a52b 0x778fb142afd5ef84a7ddb1f3d71b68d20e33b2e3243d7f4f47199897ab02c495 -1 0xf2b668b356cbdfc191da4079d9823b27dae5c1f3597a70d8bbf8db5256540539 0x2f5c858f4f81da7ed09f134fb95016e487cd2f4aa2a2da1f3076f46888981505 0xe6c6ba7ea35c1f200e72056f1467b188eb441ea5 0x5a34e826e965d0c9e7afa46f61ca73e97efb3f02d294a45e263be4029a2d3d65 -1 0xaa08c519409dfdbca88be959445ee38d7577c3de9674a6db64a8beec7449264c 0x4c85250f383d7ac2af72dc1f0d6ed5de9ada483eb896c49d32c2d56a8f0c84b1 0xff214c36ac0673bc49268ff1913b11e93534c86c 0xfee2ac113b09f4b1e9b33be3ebb4b227f2d2a0b6fde20b794aa834abb8348833 -1 0x98ffea8800969c9916a6214e763ade3d6d0cc30984d42330c8c131f9464fbd16 0x7a15dcfbddbf3c64817dbcd7d4e2c61d73d2ee4792f5e89103e9b27f4c36e7bb 0x0637d40e523c2dd75a9bee55967b7b18e2cc6ac8 0x520396bd99ef0e44ca80ec8ccd1c86a32d47f1c4fda146b0666475d5372af9a4 -1 0x611d611e426f6b2d4992dd556472bedab585481fd74f90081c40c5f18e16611a 0x2f32e37f67a5edd8e8a0da6675c13859d9944ea17f35e3e5815a997f06cce35b 0x68e0389f5678f1f15346a136d3e3096a84040c9c 0x4eee7476b26f9a3b565ad5f63edf4ed9f02c0463227c46a831a915584e4c2b6e -0 0x893a0acacaa60ff5364228c38f5a555773c0aa819538a6c64e9684162b567263 0x4e43e2381e6829acc6e3f017899f2c0f9b82e0e6672dacc38e4399889796df46 0x18e7c0e8a28822b390b7e076eb712c0850409c41 0x39e094c665cecbb18a113d1ccfc64976f4cd9887ec5463d8403bafcc77b55fce -1 0xeaa0f379c110a5ab9ccc71a5660230ba3be968a67de2d810efce78920da14066 0x699aa12379d9f2292bb619bfe2e713041bd49bfb02b85d67e05df54b76d66a2f 0xf795bc11cb62785c31f3e638aca0091b02b051fb 0xd632206bd8dffccc98d5a4b9ebbb612d63c2dbf05eff858324b931aca4c201bc -0 0x3405d2887bf37cf4270a98517595c78c3100e158cdf262ef59a3c4c1017ede93 0x66ac9b238933dd3072333f178e5b292ed7e18e68646d064038849b91d7cb62c 0xd0702fd5da78f3ce9267753d77d0da9f17043c24 0x664d7d927bdefc8bd1151c907124bb817c257246747f703f3de8a7365caea912 -0 0x27915f3c65833e9e80794d5342d39ca391ee459f654c49d8e84fff9c831dc50 0x4f3472eba8a1a164b982b17a37906a3e89e4e97dac88d93e51b63aecb88ee7ba 0x8edaa40f4b511ced61d2006e591d2b165807c3f7 0x9bc40c99ca374fc638d17e7c82d3b0f2d04b8ae9fac6865437b5b0708bb8567b -1 0xea0b758241ff151595d091982295c276316f47f17f871a2590a2628b2016c40b 0x23c56e6a0226e175d6751e36f2e2d59f3846c5fe17ddbc1d4a4b2f89676e1b43 0x4425abad97059fd35ae14c9e4d8ca8ccdfa16cd3 0x18f6e255eb1c86612447f6821769389df7f348829489a10f940b0c06fb30be2e -0 0x3695c2a9ca1a52204a47a3576963990541cc402e1515b21c9835260e4f6954a7 0x797890b5905545293eb8428ec6e46cbcdc9da057c4e7791229f9188772c8d057 0x50525410d59beadf26d271f9d693d1f4191e5a04 0xc0e8063a935706d67cb5d9c9cb99daca1413d00c6248df3f04238fa4d4cf08eb -0 0xba1400e2353ebfa00d5b24c1b41a16751d979e7442dfa163a25d6c4e9c6d51d8 0x6c38c1250a3394029822fa3cdb43e24fdb0bb4324d5bed1291170a348fd24955 0x4d29b7f953ba471fb650fc5842127b05e35949b5 0x17198f8a656bcc2511d33b20db5c6ad0c22c8a9d67ae7c5622096f779dd4abbb -0 0xacc2bedb2fb80896b078301ad3b4cc677200fdcb5bf08674742c2a89c7e9dfde 0x630b75ca131a42236fd0fc94e1c1e69a8fdbc7cd93fe924aba6642791e4947c8 0xf959ff8366171a9e19d142340896cd94e1aa87ea 0xacd9925b4a9f9ee88ec57fc159881c18ea86e357b90c0240ab1d6bd5fe86e850 -0 0xb6179293816a9bd1889393b88c34d466d43ffc96771ecf0fe4ab7233446236fd 0x65b1acf754fa586c454495a479023b2d901b202044813a652ba664c5245acb2f 0xb8c26e86f38e22356d2d16c875d38289b6905021 0x0b97a1ed7e0d454011bcd52be2c016519ece9db2df56800acc626ce39cea9233 -1 0xcf67b4dd5b9d926004d1abf2fa23ed3f0e914423c231a4ae2dd08e19a3e9e4d5 0x24ee89ce5d32a50a4f890b44839b738feaaa59ac2508f6438b8aeeeb8be61363 0xc6554650ec0e3e48ea68b3bee277c552ae0debd7 0xcf807523ad7785086404c6a753d9aa332c761a36b89644f4caf9c465d348cdc7 -1 0x374aaca7f94e7e4d62b984b492a06df25968944ca9c250f10169a3628d05b0f9 0x15177b91e2404caf1bc42858b20e38e33bd99371f61814d01b686d6466d015be 0x6d0bce74c9375731d41d59ead889d5637bed4af0 0x97fb69fa87acc3c0b0950c22ff5d2adaa87f4d1d46026018938f266809c69a04 -0 0xeb8ff1cd76391a8ae07237568c08dac28d4e3bdc29575ad191bb8d335bbe2ed4 0x312ed03ddf43c67bacb693434da730d42b8929faf6c06a4204688f158f45dbea 0x68e3c86ba31081d59373df5f32dd0086939a36ed 0xcbd0757cbe0d6762392fbffcd0291d0c653f0470e3a28f30381c6d42ae594220 -0 0x2eab5ed09657a381c33b279b1670be03708b1e77ac91370087b426ee9aade920 0x5fc053a70338a0c868f11b2351b26d9be087172a77979fe0533c2053bd1df74c 0x8268d3d9bcd233db97641001e0a5f1c6785c3a1a 0xd4ab95a7d77b2859aaf8b8674608460c8e53732d2beba89d7fe76466292c4980 -1 0xabfe7fd3bfcef4f049c6a11e0717b22fba93a9bdf375132a3f2d4ecf82c999b4 0x52658fa3ca3d2a527ebf071c78051671545f0d987084b46460fabe57d9367404 0x3eafb74f0fb78383e4e4bcffff6ee4a9fc3f8c73 0x892d21e91838d7d29f4841129cf9a86539e9b2fece80cbde027070be1ded88ae -0 0x2b4a7137d0b31a7ead72ed979ae69d1b4841334900194bc381dd5f71b6a2c337 0x4c393d7e881888cc50f195dba68cbc78f2ff55b3ae0a91e195b77f582cac3d2e 0x48a591f904d0266d32d3ae188504e2a7910b703e 0x97ccfaa3728c749711a1eb28fb888860cf38e67711dea979cf8b91cc1d999f35 -0 0xbd6f6a6af08d750e28f99357f0dfe768de9e8ed1772f9ed1e312980e1a830167 0x17e56aa8e9630383c197d6282404b659c10e2889ee50bf301e12629420484bba 0xd413fb3e1d268eb37eeb38de04734343ecf6c512 0x626eb6781f01e2a71fefb336122ff174e6f079b721bc47dfb6489a1eac87f35c -0 0x7e42fb76826c7f00952ef47f200d5f5519fbc4c78e7f8b958f585306379a1a34 0x738cd052fc0152c03dac09f5b117ec6a1c21d92a2d2e636ac12a05536ecc44a9 0x261318280a2593780fc0b49463d2065bc4b9acea 0x2b6a207376c1f17c13d8e4da40ed4b2e60e1e8734125275ba89866a5abefdede -1 0xad10c20fbaf33d13bb5fe184a340fb29f3d32a83c375adedc4d5178929472f4d 0x7f1c763ce7e89e090da9ec44153759833dfcbd2990e0beda598f0e041dbbba45 0x0109480dfabae54463568ce807b6818ee156f84a 0x457a1e31e350640cb9d4a8709d91a874fefbe6ed69984c87d72dad406f510ed1 -0 0x2aeae7d1d3bc76fd6f02f1234e5a4cd5a78f3f9ed2ca6f6664e0c6bd821f55c 0x19250127f033b2cf9783099f65801b3edce8bf6d26b32fbb5e44abba2d37e9e1 0x455ce87ee8207a3f8771cc3df3d80807e098ae9b 0x22f009e48382685fa1ed6ec3287b17fa144bee9c04c13c504101c9eb2cd1a1d7 -0 0x86d9311b4a2c1bce624d2a88e626614514fe3ba58dd656899f4fe5e6a170b37b 0x6dd4305274e769c830758afe3a56ee4745e4528501d635c48dfb3f80b3398214 0x6b1baa2a2343f50f422e9e7038826e703c584dc3 0xfd6b690eb2fd74672721123d5ae7cafc6cf053626e39f530571c74d0a5d7d666 -0 0x4f4e9705b7c7fdc08af4869b151154ea8f011ec61297ac1c419a2229985c7501 0x33fe5b95279c277bb2cb42dd9524453a8bf4c3600ccfceee3ba01557022e8514 0x5c7cf7b750b74b91212e97c4edb502b13ef7c603 0x8adebd9c90f7c9f54c9e28b17010732f84ecf9cad9c97d042c229572015cddd2 -0 0x3a105f1f5e1dcae92a1d5462222aaeabe96d71f02746692d946b2e092cb40292 0x724bea7cf27436bec762f4928cac3c738d0addc9e68a0ea1edb45a2fc7e99bb3 0xff90f956c9a7d52ac21c37fe7a34801849887f19 0x425245f8953a77bd17f6a99e85de70472a58fd712c2cd062661febfe4eef0f6b -0 0xeb3165ba04a9df88da13aa967733573a9cdb76836b29e5565f4fdd1c10a555da 0x3387d1afba42b8659a13f020271deb5712b6c3146acf6f06e5fdfacaeafac00b 0xabfed9eaae37dbc55c03dbe890b64e59b965141d 0xc08a357bb6684da5fd835fec9b978f4b0d447492012ddfc5b02177f79362b432 -1 0x7ee780ccabdde306b172ff8e62ec05bcbc741e4fa8d5057bfc172d18b4121ece 0x3401ab66a0b0531b209239bf6ea6438aa5c0c7621d443c87f4ae50fc867c672b 0xbe7ab77ae4126496e193c97aaf83ab9cda87fc26 0xe557ee4e9aaf6a265f8572722719032b27a3dbf20519e7fd932db9310cf0ff4d -0 0x282e2f0d2acbcbb5397705187713d73f3f320afc6e7e12992551ba2b844ba4ba 0x262117d4a997afd5f1e2bb8d2438e091e1f6e9f9e792e424e58bf98a3e438bf7 0x4a58bb7ec2b8064c4a03abc7c52d9d8a6b0116ab 0x4ee60a3d8de3688398227eab55b80b4ad52ee0429be1aaaec1075f07af01f26b -0 0x35e88824f5d5e0019afb1dc818b338ef707fd32487126d089743a94e526a72dc 0x1f9a7cbe5ad46a1ba8d14ca47893b890ada28f4f69530b538d7535c9ca450fe1 0xa34df27ba953cdde360364eaa1b011e98a449174 0x3fe021424adf83aa8e582435a962724eaf11e264d463dffbbb1d5a7e96041da1 -1 0xe5437ebfd6f54a4580506a80e9baf1399546e270c1965daa1b317a3ae119c532 0xf486022026b018521fadf86ddbb73da9556fbce3e41ab6ac4982d23aba34732 0x59d9099ab334d4a3f19a6e125c427912c68fc32b 0xbed8dc0ed9fabdbd5168148daf1218f025a14ace2ffc3e8d8cc24a9a0f6e2643 -1 0x11378e51ed9404c97fa5c1a6d241a55c8cfb09202abd30380abeb8f7fd7c8f07 0x72867b97b9ce0562f5c6b0ee3a844e042fab36a56e36c35e040ff29122355b1f 0x4559ca770e7f95fce15bc54c8d09abdd3b5c660c 0x2224f14bcbc55c2a2de9a1c5a4daecb269745286056d28e61c10e5a745cc94f0 -0 0xacb3fa89cdea2bceef0f27eb974a4be19b33bce137d9e5b5efcc98ef67661726 0x515491ffd2a473f6d3323a318818f2c9df9cd553032922bfe9227daa2e303768 0xa838b09ae1b2223298d1dc43dce715d06aacd47f 0x7a345cb9dae9806b45d6b3067bae813643a5d455f5c20f2e475d6898e3f804fc -0 0x35fab5e947d0fffab73351208b12ad003cb62172763113dd181016ab8297cbd8 0x3c6a548de3e59210c32f3d896fb149f18a7d6ca27a3d101a087e9ece3536d0a6 0x971e954dfc651a4b1743b7132fde87f6dcbe502e 0xa1c0b30b92991df606a0f37303ed0ecfbd3c23239cca4146e0aab00d907476c3 -0 0xbeb835e9af305824af71fef83f68da275750bda01bc9247f3f1ae946a35b0ed9 0x4f075ca8be453f38b035958699dac32d8370de3adb284a5d743253a6c8f1116a 0xf6926d15fc0ee0113ac4840e7d881d92cf193a7d 0xc5b5a0064d6b4e78407e1087a55d81456d914dd106d8bfb4d5d5791e30181a04 -1 0x257ca4a4fb774fa12d04ce2cbe4f7c2560a5d93bbd6b0dfae377907bb91d0b5a 0x541f5c5d044a15390ee23b9f4ae66810b38c3e7678f09ea8736709b4a05328b3 0x17be3026e13c693e72ba8cceb3adb589ed36f14e 0x612648064356c01dcc3dbcc6f8e8be1d80b1206ba4341003f2d122b0d673479a -0 0x3bd7e74261648e61873edca54585ffc1b7dfc0ed11217bc032e3f5159bfb4817 0x79dd87b940b8552f48849cfa433223943faafe7aba5af8f778c645cace8fe409 0x5425324987996df91143b257c4e54a129fd6e85b 0xc533049e9303ccc8dd3b7e38c45db85ad01dfecc3784a1e1b59b54bd8c3c701a -1 0x98c4a283642a6840580b138e65fdba451c87f9bd925329e83744263fd7be5048 0x69410c8d7f022f129f862f029083194c720a955b18970b5cd1a8a83ce172dff6 0x158d9cefd58c505021c54528feeb14ef73c9abff 0x15669ae7e934f1144b36117c84b02db899cffa206710ba72614820121fac67a9 -0 0xfae698f64c9b17dc1ea1c28055c28789fd5857c8dce25e46502e68694aae6c85 0x635303afde839cd5a566b6493a0d068f4796e57c238c35db7bfc64a9d950ebe4 0xfe52a5d0a116efce195baba279758964172e83ed 0x2526f94f656aea49757e6d11eca88a0f102752eebf43da5988b619959f9fde8e -1 0x4982c820b96c2a6fb89724db1df3a0acfae4fd7bd5cfca1d88e40d77f6c5ae9e 0x4e4481b9cd42bb55fd00bebe0b6b90ad468cc02c29ed0ca1a84fe8738e2067fd 0x8d1f185fbf60bcacaf783d8f6436e117d1493658 0x3a14ca8d74432637ec0e4e5f24d0c61e54a82746fd12f146ebd9c7507ec08fef -1 0xbf64b639128b416fbd70c247b7a8e33183f7cf186a1dcef142ae0c288d8a1e5a 0x64f71c1dd604e64c6881e8fb3783cab7b9c8f80db9307337b26429cc19096060 0xeb280aacafb6dc0b0f811f3e2c1291ddfaaff76e 0x93ffd8a9781f73bbf3d9849bf05b40571456d01e47fdc015a70ec6d0a53d8b7f -1 0x7a0879264b7b0aaba53f632acd1c3dde1f03eab3b4adaf2086afbd4f1a26fdb9 0x4d2d10cfe5fd159c64bfdb72b9c39d576fe71ec7d1020741066d853138c896df 0xdec977d8d5f2c79018fc185ba5341f8cba15f0d6 0x97f1fe90d4298fd74c44458f70938a990ad00befce1fed9c9fde7334f8f2e59c -0 0x3dd1e43bb8c1f5c634ab3b4c0c09da6fac71fc65ceebdcf825779ba9fa96dad7 0xe09348612309ac2f310bc0cd0d84f8fdbf67b3cedb93608792259257fe1af98 0xfeed5cf7d996ab0cacb4b0baf2450f6c51b1efde 0x5564e87cdfbd1d4d91051523f79d029604462b3c0a326c99ae2cf1920d3969be -1 0xdf54d1d5e32037affe7401bebe5d24aec562c37b13bba5feaab5b77826c27c38 0x528086fb0042ec2e80aec346fa0b6f08a879c962208e6dd227303ae3c9abaafc 0x927940b4fe41d9fe519f9580a29a351e57203dc7 0xfec469c2a340cc83511598aceb236cb647bd3a47440ee7e8bd8d002ce3b3f6b8 -1 0x5077e7de2d1fd106ade42889ed4bfe3495da0768ce7db5ef58d0211a9458a646 0xaa9b688acd7b6ab5b4b1c089045ce03e22490cd2254278a38f61618bbae820d 0xfe512fa3651ff2289172b14fded9d6975ad9d96e 0xadd8c860fbb1dcb130d9398500809d625601123c8bdf0f9f37cdc04f5478eb77 -1 0xcc606a4b8339906e3aba6ca08c0eb4c0864ba8fe458cf34fc84a95293cba96e 0x22449b2384a73d51d3559f7d93034096727dfb8eb76623e8b10b1850f11414ea 0x120609da75cf68f9aacf4d7e8b627eb9186ba27b 0xbdc844e89608de09ec2b1bce2c8d370e17a394ed6a5148b38b6511fc62c630a2 -1 0xecf21e5f54d766a37377ddef3c805bad94e1de49486ee0a8267e36dffbd824ac 0xb61dd021b9fc6b7d39ccb56c66e48d1670b264169f9e68dd245ab1c50a62af4 0x6c0fc6ccd718f8d58c3033c13a5afa3adb10456f 0x3eb16ea21e33eb3fe986727dab3ad306cb27feaa6fb42aefbb00e66694154795 -0 0xc9f7eb02af669bb4b793edbaf3b0e7c8f131d459f94e71d7cf715991e67aa165 0x54b2deb2c57eeaed6c93a8313775cd55ba346ff11d89e91fa12c26f1cc45970e 0x8ec10af9662dc17432717d72ce8b62f4ac24f218 0x7303a277360590a8a25a495153748fcd4db789f9bcf4d73bc303b4ea02b1fee4 -1 0x226c7a8bebaaecd3304d01ca9df5a9b485fa31fbc44e5c9168d8eeff7cdbcdfc 0x6c170b6fcf4b8d2fdf17569d332f0a8cc52aceb4a7389458ed1606a7948d5e48 0x550d8a88ce3e8154d28233ad9a27945058b8bfe0 0xb04b8fc72c305357f84fb647136b5d85f0e2101d43e3e5bd0eea98519f5d1b9e -0 0x8ab2815963748344b4aeaaac472c048145b4f5e1cc86093638300cae9bda1a23 0x83da77b10ffe076980296ed4276b1b81cd58a15f7c573cf83586e6139deb93e 0x945a21e3277e6aabda145da4cbabbf6d592fbce4 0x889dd7f6de4e9c49153c728d0b9d293bf27d69d2ba4463beee85ce75e4732edd -1 0xea57e0ee8bc336c781a5ab966976188c16ef0fa5a8f36f858d11add5343c8ee 0x459d6f341d6231c1197f4af6c413c469d97d61425c0a17454ef6bb18db2ff703 0x599357d348a8fa302ced7d6b99d532d95457b543 0xed26da3f378bc480599b79a5fb45f054290abfd91cb463e193988aa78a133a86 -1 0xf0b422543404ad03d959f34c890d5de1e08e25ca7b7ab02159aebc6a0e83486f 0x4dfa3945f699962e264b18fae4da81bde6ba40091b952199f9f365b0bff00e3f 0x0b0669b9a9f43a2967a428f838191e8c5b84d3bc 0xb673f86a1928f94c69834fb94b522e18a9424022c0ca00d487a5a6af26a56d13 -0 0x84cba050dfb80413562659c50431c99eb10a345d87e555d092aa0a9bc911a37f 0x3bc0e3ca54d03b706d7ca51bd20590b4c020e1335865e8c945a8558cee5fc7e2 0xb223a6a0b9a4877429f984243c904325aaed59d7 0x40bfd52c11577ec77d87258121035b41aefeaa1da5e7752421d5cb51b640bddf -0 0x1cd25acc3cc1aa3a47007f5442118baef3d61f6f30ba4672ad01f3fe2c389081 0x3149344942e7dd5525f676f9032e2d7a3bc3e154c3ca0469ed77df3639385307 0x1b56eb67f280add7cfe89727aca1134274443a39 0x6f534d1d9bf2218cf30617dd1e0293de6f84ef58390e73579f98bf7d5f947d44 -0 0xc308adac5cd7459f5aba700720966697f3b4ea36a4d9414e11d6e72e24571a6 0x74915e161c7b94d5844c22f3c6a34b3ad49a945180794ce94eb3d3410f45093a 0xab639feb2463513a9ee703cfa33f916bbe7408b7 0x2fffc85af8c55e07853ecc59522361f58eaa7063a10fd0f89205b62ac5cc7df5 -1 0xb55aeea98ea3bbef39431d8cc8a21309e288db69b9cb87685f82f9a3badf84e 0x740b80528ceb16bb4fa20ea0327fe93eb6a37580bfbd149981a7d00728ff1b36 0x7b28cc1860b9fb47cf7f3f000564bf6deacc953b 0xb51689bd8af058131fee38840f92da123b41d9dbc4b7ff43186a0c9368a4af2b -1 0x95d2923d538780533d6db5fb1112fdb426f1d4f16399d2a732d4e140eff611a 0x37987b15715cfd43f44e4395b6f449bce0de642330a9785fb48b4f00c7f4ca7e 0xaa917265aa6903d94a63c1cbc38312e19c11a053 0x78205715444565c45daab6b0c0787ca35b5219e3e0ce0bd4445ca421ce407997 -0 0x1ed4e98c251bbcceaf2a0e967cc854cfe4d92fe978909891054042779c5461b0 0x556626dcb3e0081e9e7152af9a0da2aaab65fe584c718b2bb1fc8c78c52ec167 0xd59f6c5882f2279097e401938d4c6796c07c7b9e 0x23a88397f97ef6f4000c7a666e7a803c8733ed4d19a2156f0f3c6093321e5fe8 -1 0x6450a2b80accb717e3a9c219caa01c86177ebb8d4bb84b9529c1335eb74fceb4 0x31966d6ca31437a33710998adb1c1e0c3c0d5cbf7c1524ece60f3c404df70b5f 0xac10ca20fe0977ea9f448e73f6b670d9ffd42ebc 0x674136946178355f8ec71797957e066bd246cba36a6d8f7dd5a0ea56eaa509ce -0 0xc10537417a178682e6e351a2eb7f1b971d37f7d9376ee2697c08b0e723079e67 0x4edc34693d7dff3adf57b018e87d929903e1eaea0f2500f52afed8b1e25efea2 0x32b53c2434f03884164f6cdc2dd7508b31f558d0 0xeccfc571b6b9a9a61f78e03bc5292971e96e542c1da09ab9d1a8af0cc4643413 -0 0xa0b659da4e9bebb27acb959197979e51cb56b63cf4324ef981d5bd01f815c0fb 0xb05f93b0cb57b04aff64501bc3ab1f84a7b25a1b4956b86729bf88964ed934 0xe33f06b81ddb8042a93648b4c13f9cbce8a04c42 0x76e03dd437fef2b02edf4a786afd1a24b06cbe73e7d21f85faeffdd26a4be022 -1 0x97341ea7db9c1541fdb2193bf0180e7515bf91215f4368ea17cd6e88358266be 0x3a4c5d0715f86221d1aeb7a0bec2a4fc5c0087a0e65c232149f8fdee7ab7bb93 0xcec616376b1da143d9f51738d4ca5ac96a5cecd8 0x12f61e7256fe5514b5139e8b6c24d5d2553555fd0a8fabf660da4305f9cefd76 -1 0xe0024310417f142d87d3b3443330c0b025aa927b307804f5db6a359cdbbfd478 0x3046a8a2c6ef41026d8dabb1d3804fe8b36338029df6de0b6fee303fb272b211 0x653f99f5cb0723e919b6dd7ca0bf9253b963b06d 0x4d2f79577e6e2cff93ebf1f0607039bebf0a24a88cc4a406dcdfb0f8c0216ef7 -1 0xfca536181c563f910b2593a75a68759a1cbe9e17add9e5350e5a9043bf2f6177 0x72967ecbebb5062aaae304aecefd33e585769c95785463f7494e0c685b22576b 0x7f9fa6f0fdf344c7176776febddc15d4740f5540 0x5cef49c7e6514cafec83cba5f7293e56fa077a92fa1164c60878e36579e70fe9 -0 0xd1169af593cf12684f1f1dc5ec0099210cf6eba379622ab27d54db6afeb0cbb2 0x7ea3c6458ce7d2f454d79f7a951872d4baf1236050c142f42448cca41c4dd65 0x50de7b9f1e46f80becbf9ccc1de9730c0fbb17ba 0x6b23f37c6bd54ed9304788fd2617d2775a21dfbd19bfb06177c9068194ab9608 -1 0x228682fd3644c4f2a2464fd9179b1489602485b84cac0cc434bb13be6f52e750 0x4443018948d31e38c24074103e882cf6628facdfbfc0f1bbbd3b73a7abd1b8c4 0x7a9adb31ec1623e463138dd4ce88df7e791c6f03 0x8a33ea11489e13b66d6fabbb2abfdc6f13273fbb9d95a4d936cc073f3b370473 -0 0x68b4d46ba8c97044fccabbcedc53bbf362f85dac7d5b6f20087909bf428cd977 0x1e6a77282107ca56253584a6577d937107c13c914fe96b00a49e66ac06a8a878 0xc17e64a2b177468f6d4c9b556b63d110499112f0 0x4782e3d06c981933650a9aeb4034d47557099cd5bb82cff7563837517982171d -0 0xadeae9e3caefa9e5220a88447eeb24837f2e8d7d3b9f4b80f105cf8e055ad663 0x3728bf1007a5f106d50004df752b5bc611046734225bffa10d4553530c360b70 0x74dec05e5b894b0efec69cdf6316971802a2f9a1 0x27d57b0a0c8f8a6c784d860f42f7eee5bd459d7ef0e76676bfb41279bc59b4be -0 0xe25df026f631d49fec33a23fba5c81e63b14b7255dfda8abd1faf24603460935 0x63e42f2844b2ed1a81738ccaa006b4c74465d360d529cd94df16774d8e38931b 0xe128efc01e4244ff423cfd6cd41e1cc56bd6866f 0x84013bea6d8f9df22d66fe7959145c0629e7367c1b951ce7ac198c2496a69c84 -0 0xa1784d0efa4a3075f07968e3c0969e064b986336a9c80a95cfbe4e314b13ddec 0x456bcd8e76c21c691658ed4c28158173c1f69b35178c2ed8c2a602b76cdfbede 0x983873529f95132bd1812a3b52c98fb271d2f679 0xac1c41d319b7e8f7aecd0d6130e8c94b9f748333bbfa03036aa69ba4376dfad5 -0 0x6526f92963f2338eb771ad90fb772d11904d4d4befa98b8c272c6a0abfab081e 0x5aec457455ba8d5aeadf17a688ca73754680ea1f6265c34ddf6718c85ff1e1b0 0x19e34d09c2664d4f0829b1431ea73dac1b2bea93 0xc61a5fc29b169a36e990142a63b49823dd06fabbbbf54a4f52dd25ff443ed640 -0 0xa026fb5c2ea92a4bced092ece32b06ad2664eca004ba355bfc9686b442131862 0x4dd3e552d74fb306c7e1a8f1c6c4f041d8bbe50fff482389e7959ebd90d67259 0xe697fa7a3f3165caae7458a7e7437fcf80a327b2 0xbc1705ec12a7475ace7e60c33bfa6a64fff88c538675d302ce603dd572f2f14d -1 0xf2a1cf25ff00c08820ff9030f63ad96aa1e6d2f89ba9a270953610a7f5e9ac27 0x14c87ef1845068dc7d81686b4bf201676d48fe2359a05785c40bb674873673ab 0x6faea455ea5309259cdfb076caaf779488ddf8de 0xc7f21e2ddb3c14b1b29e355050dab2eddb82e1e8306ed184e277193a53256043 -0 0x9f97613b227a9f5c66d7c4c44897aef59bf482c72434dac864b48089906f4372 0xb35e44f4d594816de88c2e9c48662134b69892690ae7c844dfa35c73e6bb7a4 0xd6f440196f5060e81a943fa5110508c8430b31f2 0x8d6ad1adfadd98aaf2365632ff00dd9bd479b687f3ff43d16de4e0ce67c90bf2 -1 0xb34b1d4a28568a653ac8c1695dbb0f8da387fec9700985879beb2a0871eac428 0x7aa14d38f04dfd090c3d688f4847d0f55c2a8785719c63ca12702c3b2c755ed8 0xa6a688f107851131f0e1dce493ebbebfaf99203e 0x874c23e08d44be9a421c4c1131448c5877015d9ba1b76dbd94dabd6809ae0bdb -0 0xc513f6281e4c95bca3e17a3ff8eaef844b09b17f7d7fd24a2637e81136aecd1d 0x75810f150e589d54765f58a44263fc7b26cc791bb88e771777aead7823327431 0xf61a659713d29221646b451d2c675f657e33c88c 0x1cf1502b1f131cf5eb85243f25aac443dbb2c8727c9e4d718ca614012da4f14d -1 0xacb42d7d82bf160d188dda513982a48c9eb055c84a700bbe425b96ad5e1244e7 0x47cdb51f4a5b8fba9f4cdbd5b4ebcf42438fcd9f2ac996cefca27745140802c6 0x710bda329b2a6224e4b44833de30f38e7f81d564 0xdd0aa6a391179f21e01e5670e46b6664d1e23869a25b68e94bfc203148c8363c -0 0x10077281c6b1283c4f8f7b3058aff92c72e5694d9cc53f1767d8977a50c4408c 0x3a02b1f7a35f12e0233f307489037fa3dbcb0aac33f23291a659068a0c15295d 0x22a98f59ded87c4143cf26323b0bd779580ead02 0xbd137a0fc25ca845d0863454dfbf05a78d8f364d821d569f27fc85dd7aaf6ff1 -1 0x58c87c54c33e54e868d9f6eaab464787256e5d46db9f7fa550ff6daa3f0d25e0 0x7b716d06c4163062b503e32650faaca47ee01f3ec269d62cbd9c9d6cd37f0968 0x9b2c4b8c833278b71789999a3d808b1bc0995fcb 0xfdc089847347bca14dd6a782cc102755a398f711f213d9b50548f1e33a66793f -0 0x6c3f7f4cc50cb15e4d5b1454088e860fcf3484bea53979597056238bee8d2eca 0x354f75da6626ded0a649d6749a6e6f570a353504e4cf86878397771993397cc3 0x55fe002aeff02f77364de339a1292923a15844b8 0x9d1e9fda1dbec9bb273fdc32b4b3f93a478861d0e4a4f44f059efaccc4ca3aa2 -1 0xcbe9c14778b0b3204ba7a286bda1efd94eb79f00141fe807168954aaf2bc8887 0x7ddc9f6c4d6be095ad846a2d1e12196fbd31f144bbbdb672c7471e8a0c64ce3a 0x299c7265388216f6baf12c04bfaae0391c2b1be5 0x6a247771ba60f3e5b1ff3a95ca6ce256a75a7c8b4c2cc74fa02541458730bf39 -1 0xae6d5ee5e33792e97504b10f2a11e5e0945fe6e540ba0cb530ab49a3b0a6aed7 0xcf7f67a2f5a6a8297b80ad4214879ed6b8b6b0d5003afa6676bc62010aa152e 0x6dfc34609a05bc22319fa4cce1d1e2929548c0d7 0x33460c004ebe3b3c87b07a5228f1a6b163eb970181ad59ff11f8d03b729298e0 -1 0x77853702c849e381674e839ff6779d66ded67a7cfc325cec9dd8b93d577f1d5 0x7809c39b7692e2fa010a78ba9d521155cb6151b316daf15098684dcd3973cc72 0x4069d8a3de3a72eca86ca5e0a4b94619085e7362 0xb5e51e980067f75f75981e80b4b2d60da80dedf8fbcbadce9ae871ea02ea3c89 -1 0x7f8c8449f22a576d8868bf3e8bbe14dad8de838b4e45ff320fe4fc794051fe59 0x1ba41d48005b10b79602ee801ede56845ea5b700aef13dc2dfe93812672ef053 0x6887246668a3b87f54deb3b94ba47a6f63f32985 0xaad2bb9310cf9aea16caa84141dfcd3de424b7cbeba41d20a319b3c35342c2b1 diff --git a/evm/src/cpu/kernel/tests/ecc/mod.rs b/evm/src/cpu/kernel/tests/ecc/mod.rs deleted file mode 100644 index 19bfc89608..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/mod.rs +++ /dev/null @@ -1,2 +0,0 @@ -mod curve_ops; -mod ecrecover; diff --git a/evm/src/cpu/kernel/tests/ecc/secp_glv_test_data b/evm/src/cpu/kernel/tests/ecc/secp_glv_test_data deleted file mode 100644 index eeddd62b83..0000000000 --- a/evm/src/cpu/kernel/tests/ecc/secp_glv_test_data +++ /dev/null @@ -1,1048 +0,0 @@ -// Sage code to reproduce this: -// ```sage -// p = 115792089237316195423570985008687907853269984665640564039457584007908834671663 -// F = GF(p) -// E = EllipticCurve(F, [0, 7]) -// q = E.order() -// SF = GF(q) -// -// P = E.random_point() -// s = 37718080363155996902926221483475020450927657555482586988616620542887997980018 -// beta = 55594575648329892869085402983802832744385952214688224221778511981742606582254 -// -// a1 = 64502973549206556628585045361533709077 -// a2 = 367917413016453100223835821029139468248 -// b2 = 64502973549206556628585045361533709077 -// b1 = -303414439467246543595250775667605759171 -// -// g1 = -303414439467246543595250775667605759172 -// g2 = 64502973549206556628585045361533709077 -// -// def decomp(k): -// c1 = (g2 * k) >> 256 -// c2 = -(-(g1 * k) >> 256) -// -// q1 = c1 * b1 -// q2 = c2 * b2 -// -// k2 = q2 - q1 -// k2L = (s*k2)%q -// k1 = k - k2L -// return k1, -k2 -// -// f = open('out', 'w') -// for i in range(1000): -// k = randint(0, 1<<256) % q -// k1, k2 = decomp(k) -// if k2 < 0: -// f.write(f"{k} 1 {k1} {-k2}\n") -// else: -// f.write(f"{k} 0 {k1} {k2}\n") -// assert k1 > 0 -// assert k1 < 1<<129 -// assert abs(k2) < 1<<129 -// assert (k1 - s*k2)%q == k -// -// f.close() -// ``` -// -107686458338979513480781602362120102289984183046072577606170007916778439289747 0 356346894760760276087626226488432151004 217318197015539988822336610002398511790 -97731722947559024681716452282219957975263978740712958876927310887143319903906 0 112952311639597105943171331608306471017 175336324915113800172956243369347117300 -2257829552013235716068488356709347701442172630826500503717521931809955398781 1 217177198954269660712428636031296017582 3684030775039237366050299655648599135 -71761682687641178423116382761747336210578685609908626585985077055172279137544 0 411613887075019707474159017744114450590 151273920832553029973546975684718652297 -62783928497728404736644220003419467199424172530427306334104012091526950581001 0 356354992720035849196985968820610194620 121830846826914942895951448813855579471 -112971472393035011922242209868007500713878640043238016872448018125944618781583 0 264487018368704977724165996943173512042 285484700390970001296784595154826996438 -25461175730825076518388883710792204517183536466495211664518207534042643023271 0 53545034099897480198264594975145531554 165190004103626257367815278381722433459 -10962584108805305863094865199814437137956130063005282662939859589523585772615 0 90483095476203826306018406018219770404 5326811612449241559045288462600857043 -21408645369894329120094779746078410565876089108909007382205008045148662398111 0 169498534374881290135975052358458371275 199886353275111787414759613295836178129 -65326375044696264566560466301481064601793419054459415922031817773354408022228 0 326889546721088012701270218031953215910 26583831855696219665477220232194327011 -111842137291305858378969699712312320844113500301818822648488609509780224870030 0 358588530025521890293873553071904842301 88674112578391012970148365669818035400 -48388182292356997229143390949095736048040642837574748490699810267691249078960 0 191116952754346254899628671681107582298 3408390702158000891839529313245505366 -49911865742480051061735560563065284927074022126277784335249746631933669970897 0 264037823145107342980854497957288112985 145855430071763322302379346046587506549 -88011064228057586998752667343704087902618094280685377517902958647570583123745 0 290085543470595515239894653753370693430 14756770119558000118490886433198818485 -30009968535060400275055240120220617898678094191724689489436884141916706936534 0 211620448108618886279172652130665812535 74467405322271372584718259590825243476 -34092438719895845022868954519742157397608392841511147838641931896689655705253 0 253712681046270797953577480659601778665 66858007125234224691217453473504358854 -19933194854798030957468286196052665333686276181935348426681986462367228827670 0 375367433699417734388966846244889936297 153372293450489296720756152887743704611 -32787073799415355718997863631125631233718703175697269759886364921392938882062 0 32891808855102024456953515253011980368 77940487930511577869859814604957376151 -47161791275725104506288614798750474473280618024790840884854100012964742065946 1 312347252717255682891067286523421318301 21856946250000738457657820811270992835 -58396576252135286293850441649962814493101241331772452868792542593467258981246 0 386435860687283118326199191789962070616 255307079693023397139205720942342135557 -115060515468385408144672212905490573998274019736758361938753096758293685607743 0 262798188520125902195962934507858841959 189803084283929572864130171271092212858 -19779012972836662453985156894338304952374603293381723464387692605961521693557 0 171081274587860547547912949102174979013 57465589301127450463945502034367865282 -59557764191509441867598013645714777503349852305403580697469336648469031101694 0 429701868031669440868051107540793792442 177795303910926751081426844989960403303 -16019578563607143196328852982379858266649546080168856864469298112235597680474 0 98958663551074463176660687631490644568 233393791878168160719378568078865021477 -10562725777839522399058666198047373981313723669074850829621258512867268073802 0 292926780624317082485256650443783091710 170012541910497166675603099940072757057 -84254931149527559985613453333063169649668630660679537074894341142629900907576 0 132837232740090251375656071644472384961 244976582628543094928301908837538413276 -20380321447429541046345292124123014967993322597369899508073271459317646942626 0 111539426712964967017058439075348544721 136457255271890938279674096934490549597 -35823478843930347084388595466123917813382623935222519582824342772355368930668 0 344747824596064962262223971586512093242 51297481552000860172020127988198453167 -80241848325182036157993488624805524857219782665695992444750535276735583413862 0 82340229918369821712300343919820498725 63733637513653433109167300290555281634 -97226356911065213675760229768195495128204471731783944444577985090257197910378 0 446014776705927330915460883244932821691 177469707620482546783366938995769886978 -109428260880714527563984277495597265036651066654038657919872567580138165291774 0 161672361239146061712035067011012533028 135318658267642259767200100178501163101 -2456794270872000782363234481512922390542878827204431899833426565233895023893 0 74828733009148785536127298517662120591 179295736453864396519345103177285033687 -110358259814550367489159660516984924641020557067772775167486584593266233675942 0 138136909202792061850367051759964362547 264843241982079857099222090528590000425 -45020250230141050051522559508238120581888241267457937696474728271972253722265 0 87549999760912063842087076828777369676 238515148236919925661625570698391472724 -95065683369763634417612024676489081265800406235065297734312257621781169765813 0 118370857981563183490914121076784546191 326659433929093684815387239002458454431 -69584751392302470219889523867615373496183607643011599446665472330683539767819 1 377919218162491144365821268230495796416 17705788605085926950263754377896912006 -76415630284491267089238244223629171147644120761858316199029811577615719231449 0 267622097681648402314140457745168493587 89588280990502222245207445170640720753 -65364085707349281956236549866501748823856136841940266620950177684430018843445 0 132267725211117920683502313183506048518 264214091460596903951215959616574011471 -68496349228346023078504695033699882360944999476909408396270127390352298425491 0 191993299428900172162222144049340318833 79634457289786421733400673100175598545 -102993915200052545800426448078657787436216212063164501066260753636143148124940 0 163440127586444525288823079326270664890 325506850940071318900779564616253601267 -52741671333983024545651352953613405692257890552619354868798426411597863112154 0 133590669472473250569301044874251397694 237372562462678299696726017426468829440 -42639987468269725754102300157336909309545563953519496854334708256248948394766 0 431063745053160358927691763847782968808 193669788629057692406011889207843014678 -29206368839571441042561819182046811696223127479198968497360791862630672671515 0 277986923316053516002841054408403183641 59592687435443357148382971479680131059 -71973220179522107822101404659171226257144464633003514672612098121557338672548 0 322909954267474945791248655897066141536 293050217180619359512277537010235537383 -56189834032086453332601369686267448852455834917612092225939516574071065332626 0 332660145724338149855163033301023693251 12611492445534493307445430497075200035 -31982793788179558790671330796787049422460889252209689229489001432296602499953 0 269464330447411793712601526912009659097 167182666821688542355385880931284236234 -16518078972553593549758733820107997479660283577033904866692689456727784786478 0 304102879054138054435565170351520810045 142905791587513981498092170520643879699 -94244716909336223464503837369998701109892007583988212494377056030355472895376 0 467093138757680915509388829449293013646 226426884035766381418834144446771642547 -44467883430830968001822170634058366419732129331210332931260658447763801150864 0 281703191174596317562742425945281032238 95931914823602058485208452447767234443 -60757843444627208177611775662180748251067331633733354506962740528567550678786 0 364792843578455602540859258722930806013 22985918465963329342631241716188503937 -84104433821828104212024577481718029429333421426779064758944750873197256369894 0 194568855013271786800809508380541745446 229446727694933983025749486384962695170 -108248973610767750691070182098073572949318237420294605687534705238530770145606 0 234790458844778294547046820000183347960 136853423736681350580492611886974941498 -34786748041297346844402381070612885237669631090846858820446664948156258332298 0 129736897365921587142334978346099758200 107959792757944633156449214295086334266 -102810527058268355991029023336552190810340318709366271113520137917014391654159 0 148985653000104585855012217007602848810 285556390393026559166136104430077303381 -107236246924500784286686156332239333699163162126136960941861933347432937834765 0 313200289458568331799816761858395780373 142680872231228032149222767938200767657 -85553968400939667567930200707730584737604794801667126532720383360162315234514 0 307472696532882796737703457423188514874 296914695978283876709758037260643553508 -82837814572589462755293438031137912897564739078397083645207882986761988791535 0 405681676908352708549992171820572503559 64874756718813142564650981326069701866 -14834821979711174342347418586239866307795518884311084112398157923083605490093 0 218906139321825148960327027014716059865 5398134016072562185525333168620524647 -67348245348505927914271664564446811443588683749779783570350111017143847898097 0 254609381839337906765057986784175733591 270406925366933860203965644997129234345 -2063429500958983634064267943275200028101999214514376275082775637608230047487 0 285864921863374935451402978288991111210 140974939702532814318715017185194082867 -43625545265751642319530548668823021113923533296212745434154635093925340318646 0 125478893142043257031943264609007785461 37430901158365833149937667891377811071 -60254767192676745108319277057026673966649840682353512960220473255788137185527 0 85569735097631560223833443532550979934 34248462751654285214565728640379369301 -22601862891817703523530064842405371545632680395612261401387375143186171365012 0 283966364359137844268584710239840721584 170741157684288371503271360770647850109 -36688882390308047125609554909707677384136557823091781950850198703673629328949 0 304937505424244255406772251632073662854 107941815984703440592696953275956588043 -33208816598042721195745544971211794044038312604167126475397073583741011379950 0 257404336173099263206930483012004812962 170164618789543610213365586260734182170 -39297649570333858765003888694639533352497515176239825056560515607741259731075 0 156145052967030386105499135884582210078 54497667467930899753813922299913172250 -54637872245524887881032600305350015290272875899972729610331439185620118773290 0 395077376010241740810432918864166035177 93852844258976704940002931907949151024 -88477016900610413158940577652743317396447829713610837687077702531128464718461 0 323324411142508508530456441228668291478 211151247246769617452166123756966142392 -41598936008198731079884859239223639848304990290666848641634620437372496446222 0 85805582579665251120480456720466090942 143694931912132722751347446727602834816 -373480321144091356922533540606283894942988247604407185340481756647747484585 0 345549321492139170474742394376382095527 71251793039915354846447941102663431084 -84258609088809671502152097635250182843416245478956553930721477471568942918630 0 359958445115437616146884546791900422760 209622554133411960664551020684164294079 -9440446501513893859379538380329446864351560840221628307260846615526215927592 0 339246878875613927684268691787103865751 110409799457409467134833722481337492812 -55925186015874123052867495961134073970363053110642834575553633177237020070937 0 281806784121012042937659611423662380249 35752974295355739414008327687425901013 -14313518312862202971090156290618992104192763570936898894813659282869959208403 0 172509775212271055239057363437171917737 59754434248169448120987066734387889569 -111268754146758837697264983055593223063084625726338412602745581213589619484669 0 148588766757522357474370807946949472808 183406433701379055960416600165388394509 -33583005638673182091493970585896796225218364310267915560147416484149113721070 0 269477523980104579175731301759168643949 9676709873142520048074747075857741191 -62097300932243039207983132599103561090744852675653078622645608620927335304774 0 362208007634632770907526194795846985085 125485932487517280707796055413738475504 -69470136884318670533235450273081862983478556458391822259275447541346132086775 0 310210316710143552841177917772786585488 159613051942327765254896657661971890408 -55554003436990105290716930775529027270038014504123775431060453476565014226861 0 198391601153947071608821549634517134760 270804420573327015379180992719114487262 -63521986644990571683711131485684886420035901156096079339255962619956100319834 0 362368363525137175376647673230424566061 125768744712639967948794763559892058734 -39440924532772377254918215550310495861094652949498307275772521934026985851631 0 414440413855403119148203784033017710604 106720348967568700157952776507351152697 -113650350794964295667693497007295227479992987161195416203529076544156258245391 0 343190891658990042243000059774980232540 189993165912278571614396125540525755774 -12060978044921297112545705497869188349722438667919780638052952059493726821175 0 276069257613135208945773030655414028504 136285308043821734911594367112649257958 -105789307135807612086098817909267525375954832198992605847542954772931099584768 0 433325692578475708153991436382791427019 129921641458780719273520811559813133899 -69433632214344479101211792095644966808721160926046498793260353342027682868057 0 322509369037623913505107743632239544075 113299268149946372520910291713402743904 -24460402077968983409763057622899795447251649366692157671392145935347337291340 0 377175009018645852452875383590598444502 189664810756168184247801967219877824466 -13105151318101002473679798160027174567013844662394185145706518743566167126478 0 323031433307377102344922565088285052842 252869998470404916934473703725896742636 -108857916118591629460855844580279511079247120430501133673969373400115772057125 1 426082041095436570749164513448724776222 1344996918599353003175194108411055268 -30899793031967542499393325401869717204968022446691456422484518182039754464155 0 41189065439231721965660637070014940974 74657786728707478548459140791844785156 -42660487964938323261980840451036707322486281830165866447724589559779889415976 0 245870233345930804561144731219490223224 127141851294877882025178836436796455630 -37387140132555614810821730754277949363835605068841039899738621980294997933895 0 150159182755561417060435659522370429791 81581054221512957112735258396165241956 -17159447254990270892119166147401308949163847794289817104630361802056282161232 0 178479656888104473931660197150990396438 267664410606094914100059386520135392190 -83456707800243832322540744996978769631335456434082303223204532562382353057651 0 189539581116876000304501442051787974114 162910289043751013042300136827979906800 -113368421840773273729985473673927531323544016485117672517168688889432454633908 0 154358647219745178004669717477745117496 307142436563599095163767756819125424615 -20869713211088908516610321654109922950750719114597192027196125805185700198151 0 163910418799610197682168483144539230176 269759729726322927219190687653596003404 -26735315184114124272334548425279443508385712213611146968009696504465911588206 0 205240627494169192287993034411152245884 55210888999056597595042722926199789722 -76797233958219684103435366228834420519498314052856011503922550071298714493968 0 353752913925531198606092538070475073285 100999184689090208645863968218391875151 -11501316262162300375979127025292112839206756428095011600235204382430772976348 0 195671623720846234345100097909164659134 259549311467580394168940695171794399335 -5499954749584490909339566957350502760759610806298213247834888213930980529510 0 209970326288894062270149213135164632202 275990158587359783835324624759442792678 -53847515309899500393679932310704128764673276395570498453241526064973054637402 0 386748687160004843705523391715572288230 183566373845857071957970382941286627183 -94398654494023851108752608167055715860772634239165124544357529124948024842340 0 318202463785473336931564575125916415816 215994684981510630809277694393380501973 -36656493266386369358485910842591170308555076019463367278838084994120459557571 0 308392141620030032329036878262287747065 64988565224703418797277861698620670809 -75480014152354054865761886712676991351270344326843864004260186153405983133998 0 372437256584161244703639260690957361080 140504990402702255500316200785438278833 -67845944893478136372397715294465752305976041976019929831679688643550119531129 0 197110320955908842776146885729560089629 288003601122109895835307983914370681478 -76194119006688802604288385379861769162591789626501159400751522647724594545567 0 232558586344143021136166563949968790726 242936528625421354837084801661531293926 -66263326507660643835841406515807849024321176870372435186922902565826928481575 0 363141205821968169207217125362702694057 24124123552981932184055754629505844469 -100510734743907488806160588666365988971386897327222149443147607306346120261973 0 146736382026094522592000203597444045683 251130708647348225763809270898929689802 -106838670139740114119336784417179584792902530057009714546831487361012906555206 0 156729733027065941832300837780302104252 314861685206513924841930242904808419007 -33543180143488561525058529457587069373805642245465749999484886718779422530027 0 302636364615690574441985222636910148420 258201795009911603182967969270428344982 -42376293550195555517070764212355171491212649845139146053182718419396563879086 0 214505598767744465807795931495247614301 220250312117221124128132161319846219342 -41708315326527927606530605609929967186544623196878484244947991822616843065461 0 422452959016497408790412858352857214388 193203881470148065100005062751331770200 -68512452037079184245084712141521930742510675547646233864503804508664757066257 0 404116759055926990018715495649759339336 211724799995620267979461639457416986532 -104278993513583527216365596218140828406818577821077366637253515736225107924080 0 219309700960175345765354469995710958723 41957493761365642465468141776438224115 -23637687988062074535536836626460736022932610867290146670504972195502765686749 0 411466320159322219953604506914875629030 144850037182536950770779086952733885072 -34454085065583771863220809391041817105488111965216058846489348716533968860820 0 89959921400489954802373905038318511088 120246207887238084347671651848073672275 -83553466658358116983877563026067672426658017002912831240063725191815978852290 0 285297639590115733445449398893921571018 16618371484094867032452824560460987383 -106198016004554220782885861301842171203986404151380864747699232902842796851626 0 82665368441597391846158743996519206499 158699660772547503142947674726622999636 -2412046251728349490904636523731547054707439872777184064590980716301678379955 0 156029064792326411997735878049914303030 218327007734106160900186455975212329478 -85549827248433465299692130794783213012323775338788528838269829150138773070298 0 400798738417935822187015281301838737917 126255752295172999358790232265876709022 -56352906677674206650190885055609903018155000067480028198287796592433882235873 0 279904281291796913379742004083696154037 263833140725893713509007441691993020269 -81826269121952853408314729261928669609030833610338260737908228645747312338832 0 134892863149796872258368488750128817992 162517329111328234573209639422681668758 -56192008211982036059885991452268511541572369650877121131529085746842798763033 0 122089862950970893509061696914554705584 58982273009957731101030239303057896571 -72969593427223901509521127044123018193637515344888377582668090558118196608574 0 132240554445150133654143114818269875107 189669618181584005553841464996459584285 -18328339301450858873090279430757744015200259200501814832168986949584625725490 0 359202512377664498590475216792029932971 123257610887559928378144140918120429530 -60638789934299733936784399627375548216969992414721042760121400070452307937624 0 114153834385596405328713011002635197965 252208745458521911410440985341855391000 -39302655386201146230203589603929357089209031319943145241601153862248390961598 0 245881750656469107620797822329785123154 59493301861461980289711225197270903538 -69396760039125483326058793292015824350124552955244762939941142697368970814268 0 351157470476796464652698194217452216874 21643874324289592596755357037707639110 -20535950781569867376563125582768411086661820770085237838146059637004394828911 0 431953114624320033151147002488328164121 245815169393118219952697522361411364932 -95121134607611326587738731974176168869837605985253199468365088889980426998940 0 267010157077067600510381420530670486662 183036785513882089881706100332512907168 -19629727298714885008735622662701818401578464489410057243094275872510923397981 0 220358951735665276554304676012010710476 254145395943712100158581493904225904910 -69671638667537117488131073889392566761401068871481382531070263314464613860678 0 69056235331427993483760583800081151105 124754089428314407649437400438936726289 -28993459126274780495107896804579658024211301127568437350377718845634520894713 0 298455815268012824135884557287574759551 4794090264119311332396989692765353504 -89761943469243289476283906798675689866679823313433228732020830561517478388824 0 399463084252418649889895101742496902247 245564026403136720960406465193122249679 -109621469860163359145663670457995339397120167407940051359444037531682453172545 0 187706625031856063108595783789212967818 45267692027740481755416519834423823344 -89533059741796556701309514685872486857355849436478824201757288604908496315520 0 96145768181638766238564699773883789513 202859337082096288446273484607087706525 -7052142626234127131278711767465087469620224499263816620236823031378038261583 0 44684112013554671633482441103257848950 108786762018060784431611146634573775133 -76372277700927543926434312039671137469190189818239218068171440307970896950403 1 398384683894498832929840186777610581837 15060027996217390549566490505935444867 -57452572127789947239197063776344530705110919010085403933059675941259414747176 0 408415118116495990283414083492667118445 19229766959546016444656260010354720097 -41074937408067080469651391810021338217110614605478547192515247788168770147453 0 110829011585924686654593902114597734686 14514710357218698528567906570472249737 -39565873390410328712511580521194688755520392853001546259091627361794011718290 0 147931211474428516348954052223008014957 2588686350403333618370043585490009986 -9826678039325364490473689190515508401563329435284668997320086698867856934255 0 195797482441694993396111250000283635857 154021363903785179735743928631177139756 -47938676311893291269849706683448233314183144557151810435959258051065283751283 0 112924845918034404651101981769484556558 77045379775970796699414848534633760591 -71280459448672541213810878643784450624893365773407140136482510584158209506372 0 412415320742932991425965119325100414895 205398485939974504492701585811034096583 -56136494246493873092362864296885437030888105729827194451785041791252590886555 0 78271412631416603230407001933789238649 156539486922688533421810125234614178561 -97220457038178489409044356585078630069994270515711296427064275102646138023197 0 401677981147679741428515429286157573795 234901169159723393706688755534272933512 -9936686929793661024205298602943782206842448991340446358953916652771898493785 0 166682409278865922763927516477134526839 239939588260149385681946633859540110130 -73158125280390226328901439047101480593831683011232038025208679646122436209708 0 322252110430085864632835552835789590145 60608131422872334079399203192201475401 -75596514392433941652126887357147719521411447674408113482569870058884772895033 0 427813700056627402616435280397998944735 258925339245893692194870314468013162915 -92104326898045663311563598015572331332221632606001369655192275731634661716112 0 252475817205242971313185174077361301842 174574447298800844157595944527795475139 -115648415624298922529299626265007807924889984318586766673914644144735596839791 0 334035635946906900319782684662104390328 256222817555844913316965571302356597159 -68528965075314528868241019864294759209065875611047065352248370959089715748312 0 354249326587048369706079780379656990841 9071609176030518254552653890532698679 -6493720826777272010219754767878621856847833056483968151344682344527356401216 0 64690257836628859433491183382415517022 270553441017767597919733526573570548335 -74737977389066359520246737039956224501630934516588353461735475942440073505099 0 360722839308287381989237886713337233304 166365158168343739025019532972824801674 -38641809621060324783204452968806356511108081265403385317083815872191515260014 0 233285441155530910933312261438140720116 299072699675056268654299289065111200066 -113241536051480593921132180009716394974001276244270387047659027113495058805273 0 200094400389145243570747324794273688297 207565658324395748922212794711812384196 -46374949107912558987654406526413966453479234253965515811883186349068538659838 0 276535711503275908044142150450954657673 33488856278112708449059869370284955165 -48708364512462655022183777800085424406100552839256300979576485613708305348367 0 368673357190852255015466191911008530182 258458976139480343642907561687340601100 -58869771928646734995023223900369996889213611540105781588570072958329420491352 0 411733062035113837895936835540976533185 207325122073538485869564778454019659921 -13039874849372162693811090207647407157421912552340943237957446384961246230064 0 393467039660542937313068351274195467751 226387756467557126878258701523160727843 -70708709078413839327827592321009800838513525105589134781912260550211615101411 0 159043565849294663527112552234310939292 107186750345985662761735768868999797689 -111449249851085345373519329115394426512320426814411922923678842772841815203101 0 384430572339810087022687951908007631113 294436832047561625049851639322195119209 -95212522140045499358195003386605924239706903286944070930612552309939573361388 0 360805494026108653222812742046739183697 44862166059004280846249627164412641709 -76311362581257297595862774964350279200160099323972425271945563196205835969094 0 303495255639381138175053652058926850240 147946062066742741097451151008734845717 -16590523621523829769736593743756664853868516862373709939503106609882913004158 0 208261604824176268699340201077875676198 255261112577065668550437811354614953137 -97787882548901035642194649701428196976089279109645493340915956472244481600994 0 457193015607441853999894851510410094474 162904773835346057042994116462157841191 -114663704823400572069278633380201655908495654121725667785579346463920283409296 0 381271948388930168696016063222370669246 293816564276425888233725092499868077187 -32985426751861889171403733787250464591926680611683109721051757428207468166329 0 312327761779950991192207269050114559296 133372034223061973875210230339337366902 -103989099299736521783342108002543609878541574647480035010516899214401264986340 0 278122146841053418984055387878358497002 189872418767479637050157932551944381490 -3527133595506876107097506069805339889787471681957627449340931450676004364 1 266954934219050095529858292805700730612 38769145246993091471242421809643171689 -13293370375084288077583501982003508466678165982077681581390924288013707959719 0 281885492115153704108213224890658215436 144277596950497586325414740907485872954 -63450296552934118426272732881796529680506909960273359652483834825952267048457 0 147570686581787226235768457833119577223 189369491567100560972625008125086070690 -45972899145387151825246815392258217600518994758068477649815755739062352487430 0 275265603445678589526962279084078148213 140946103067560437062669985558435954882 -82330656483096018106836576401633239841977324384788059967721359041151169815702 0 305881519407200485164507576246510546748 129621832635451677012234904332380345053 -55730540626150645624256897294914682332980222970065671326473234966747543161399 0 223108849385083607428776806817565846229 91886705720723966022110420721142811017 -44549283782336095066238452716458632750509605976491086604093617185616609321588 0 367179127610181365772433399828597662586 254057959420006776575046104480279539067 -100245925008730237050671134987594848308169345183310656690160154645245942241248 0 375950782405668918317371559504373899546 16046462567449396240191147277777771289 -10646908943433990942023973332754302884629815533731958102349973386479579029167 0 254576667978949556928421957844750313357 130094179138678853803864965597631880479 -103587304434638432495116769991849042633391884154267399888847343227656731796230 0 188636289974654588804230034660890169670 42835283162122713714204269814294488832 -88354376167066575993348277160366047478718348008589317514260427740583590451767 0 333977769362414711117489325103889529860 3039337832526263682474120172101096144 -59024305636736502771300237642590340767743143372457469824671155661780118717445 0 312405637581568286052804871278773694398 160192164323873130549045293350751787533 -94120295846078920748954808534779025685722969743180247429061130027478550319817 0 415471766457515594715891531916663958370 72670682074673920288480111642618209111 -8159873138309217669080563866862964228785616840459204112884786799068353284236 0 264991790935708430339066599317919617361 22186738361411121555499974304801333848 -52719321052610279439415421995994876571564786532533683635082504687258579273492 0 391346845607595753595173305494480742811 44754223666222313665665544158661768114 -23755533938295840513568664280226440163233215948299092080129184330360754953103 0 126719629975820571690779749155191070733 6389752298441695314896424171518775881 -96041133724811678016498890729613160116243727246941689453686995264339094021783 0 425822421677633660508611736482147594514 133047033613216157013477363845438358287 -111550678004130900090137027475230635587623042441677972782459359411079562306194 0 439245439173329448889757715348494611404 170547327020930585965723247980207024812 -85597295507862849961520626818755736043255108881084765891998148676628130912592 0 314326011873035433055974318642554714459 184775567756723335978182565985407909717 -63480653689230567298356544478524785649072832967243691165871284141601742632144 0 408722207132465102620636657062028496599 133160836742033690019711025263407999322 -44128672467597561191063169412197191961681390379875897788090765542488600527723 0 388656933322648960404871060071110162021 27441283370309064724330502099862559979 -8508168076264790501177931721057377688711926058288101824626891346613540505202 0 404286789837665582775443868595396044126 122346768973913406811218054026773702701 -106138572241320038775844273503860569608390121556314749223216383807422451655797 0 142237978982088505094108225079735033134 196690530501022213144755982978643732447 -43242866282711402637861502494953456358491333350480131990239757677029074861028 0 164528650577110257446447365373467264375 69529445183422487554587394669912649153 -112757530902040184842315569368145208175378565850819401172996496297225879953673 0 431753026705079743168820087910862804978 171446391194555038630041205692488894695 -105370198210309305921020745804531137540622814092452001704306473766507128918211 0 96743192445993597195497518326029957073 128431084865230553348905670748476837325 -104696139954594227678267100930747649019126739746322431324669657411673392405729 0 371114422415470899973510609151617775668 123824986235892760467532351579450350107 -93887601427911491343622362187827573957195345757605647775636857588041850102494 0 337802397297045196235328163014820584993 199124546356947105361199869113271186440 -107566187693841972947110349437562490379403282900606391209936526732763903904522 0 280736928421498656548959168024476183206 190049362461427786821423962153775906685 -31136751478910238154400899764515824065197387432736527368249369326460064947118 0 107399523982468840494612649863871260742 56410518457592487419420889965632838804 -56085124019652481219857414373429854459680925869409274562445683838554277494699 0 84348085779658897693801402118758543257 266040289206282920073203689492605138400 -30581042392824183602384576500718663933419623974779695766817030251757303169378 0 394133738549190533731105542895445560195 2813545682008475161500710815072240873 -36220236068556817262838964064076042342893357704707404324970547132228521525254 0 178188709195959854724236317232609063559 255707234378619851501256260421725779502 -112434276493587271472876075314059077287514641175730815492471783212962304168963 0 387495785974986086219064678923071259674 316907330728237894331689604690945877659 -11568073584361057247705195448394696933530703750840333081588998384508055500850 0 255866225708373412565255901699280098841 224086658880774463604250658186796700768 -109127419757921833288978970948289662700822926624037530496607146146689132040710 0 285151843891186109392507652727112597226 92480153893169040901975788746955864017 -14651521271637868938198478150536313531898240759147126493139865661725396730639 0 156327089176794614758406687860249017970 191624082951416090097328713786075341935 -109610374189911464765469224410154821510183303978592254019157577206396010287534 0 203585910497860057711674500265693895639 285249710760659889328501524875525663944 -51527676522803236930081596798334337350633361708843276761212592065670384674905 0 268622388889864814655586371595714830878 271595526673508040605382666744039859277 -1171561817458399942248327408211263040193791518965458842212747217520781261863 0 49642267426232879385892903148237315772 25710226016428389584834573811218212767 -45238871166405028891296625815246887199664448746683992497957496697058194488294 0 388255770540696813057349031611046593739 151109306525479818288354427038520625102 -92538574916351891311609746747904116961427084979531477349179305741514235924205 0 191715153152090426513276595524662764262 87883962510531162921264330071977338752 -82796983592157291269526822075699992955026773050894333679430340939279131767342 0 278013205622022726598518699889707522076 297207735574200586318221814490845202389 -9980358829727683725219447364329120067324289170793360443286836576787847289891 0 91883116418050897368964424182464003179 182026432494666805687713489327319528886 -32899223288309294997321603186616975396638809127021105430584146095357594607011 0 391627127641067825359673840469633154819 105277937933364037132497221798542775681 -53276321418805536619402405060113547508177908554209184046566553261164403995594 0 437538891606232624612412966993451908818 253182703670448114292465674285391467310 -109349736141463266351262031011368750981220399964923963494692927726279569699119 0 306277880622527683383403994562080967546 61022036133647203457338007139905050550 -20615273748313120861371820958997675993396413501334326648438991518155953991832 0 217301439330647643057286625711368300958 159327456733627018843857026283919464437 -33389450328090883869556738038494628837495618257244161038057046079198919708244 0 108008891101912251717133883167808184794 203436851827263450989042116492822588268 -114154061361610110381464776869990282533268457219949406763958219121322885313848 0 157106555012329336571264748701781970019 348801244243997075098575442744234903173 -27774975674653116608292685356278567206603207845642983586277988130489418816536 1 253850978211435384390617370288024385775 19180144465940813841545399078697924283 -28787896695223368398740698847136455312760760370654783934819917521763993627013 0 226704885046832951022780177660004379655 164336558145751931136349085388232541508 -77797617712116032494837477064436159977131414225458798982872485561960009325230 0 113468220815808998860630478125707277612 297404524110586511539415554962278178629 -95734172177327343073093690859093848055221936922529463305465280873526099635024 0 390761854138908223483044245193810273196 299896964997534231260188185913508392202 -22473462270801729576657558660397300694288462490552860851003142933286545112702 0 308041764812962657074768537293251251223 166759699720181689103121236648854763833 -27075403632520717661445934873318854816899714309606236288900451976696999780499 0 410675962916521829041397387665369631680 89118054148437237189951219291465281083 -69179945454776190017629484727375755450632756082374692251488963934581562570575 0 296890011864318086634110305485257750604 217028254752595552648214809539943852512 -80672737875447305255225367393465898238665100228915358964973691220803983440817 1 410187632064935788357771551705418770379 15399599527953549684467376434829745196 -90267054773102523225314257045166698192729025397846775924790517541330649065473 0 112291240474550678866704576973303209313 199108203116889412438719620880152571891 -68832774023071456473637730076207717297551492236360217083019234618613898535155 0 189716908750150013705158152022957514032 284407128938961874551846376703083392257 -100617437689910315233444683671782492140838626250652434665017789578560786652025 0 271652800942490239036690328842494102964 271166537949720206644521887095638989351 -4704374881025350133822559153369843785313635704114606558131754380306129043576 1 319167195191720551856092201868931817199 48473673198928130061786748137867092410 -92856117454743736297214360959540958275297835771176054738565658885795071735751 0 117528869031500495598253941478072164509 299970525644086871574807718679590948838 -24391918712144420531111620200927801930543116475868508950814262607138193431947 0 366223830270768982344606294088232694827 191299002864363316251113487331137399715 -75564716910762322240328061134743607609549062446828819450247110181628288730858 0 316735449175174805705951733619757221310 274793457516266512640323670230090782016 -17069738965035422871878972525473314350932732642012356673452809359409666126394 0 96862300860567391931567018084252386180 194433301241845512241428751412928658172 -97244290271257456723705546897188280253927149069569972116881403303761734275409 0 415524337650474535684649931317057784859 235974258839048944180017313629326090415 -68279559178717885765572373556932571905373046310306071354863872692489278400364 0 254141011574931048298817999293844820288 132213086613461580579188339617230313392 -87537703441315585749623637015475318648379787139837364690523067500578205556212 0 340992231944883893794785039659663662962 67683862710956318989936328024545289251 -27806406326384355365854222422840692260580644133687326261741254980514158721133 0 83003908393309256341038799007395584421 84715445610494674338764148842260501999 -53473609963631164134571789889626998126296004647738624664118960093233400273126 1 361794401556898802885917574361279878116 11387145600983334436849624643319028285 -97853767302100788186976280625365651514045145484903172443840987271612524518421 0 463706292565990545336667677507393767130 223495595862146138011893871102183131531 -53545667113681551615084037715229869153114230243976427420523744603507905547576 0 179570911601491813094499312364405649517 83147465731817059043608248167165294694 -15992876104139990804712946633841357279003207106514593275657500171814228156948 0 130550567458574063290551791350560840266 260038898510224185420294064673990120433 -57891170934756576285960149062588086617155826692560868728697620669992665747218 0 354988344829305432663405179029191420939 79883983179415007189936958647305334447 -108507016381054457692788215618375336404311919861012250846327012240253285546506 0 142005969044858707066140370944447852902 258139457767245621593068393747778895359 -34054347371554773373316818139758914762484654455017095377167885054770920401297 0 375634625106018473736138025994705678825 247291419939099559153217697039287295928 -59597629896714670379572532145184643039705475644413319419129167341318603216882 0 176108689029100630868857627599050548440 68107086413453068272790430668000974162 -42315030619816620809852301724683326915644126187220499709568878515089662315379 0 144903314194145041834218440879322076708 189116136178919054900050272715586706282 -56834411481304415843522130950086922421619362050592573716679350526832322000965 0 380252389749196881158091075930843200507 236812928260057185841647870707647721060 -11867207783764866737987093105195201296327750856029932701176927416062704741517 0 244284781775889891027956723833212431534 41650495023990117453079585787684460124 -35315539890117624738055760639807858560004132841046765837168897648389233536675 0 164823624511608340311176257061845358376 155961175827524867513133721686007187611 -3344530483563804661884175505002990873580272838449859025682593843381445618749 0 339859211689612342056950279571010826088 256700023325155898427371831005639332444 -22691371900184277198978827912618527724562609013621485112788235041394516871934 0 283127754258342790431519993137979102828 200737757764073198952380023629923878910 -79166272776749813097399224670455928084825582739455623988159894875782140845837 0 104315741649374408457606816844173588554 156323031756678840620454085108998460538 -56677058757066627144778712395480371260434450240932691397322756917028586525307 0 129929659047550361053089998578592019994 66833904592763194883320468396366148861 -90687971780719617056564314366438961434540371836327216986843015134277084620801 0 335713453426586521528312996125362985221 266252023815787543502342141606387312565 -36751784448339212037213029825997446417147646985336574701632283573722517343857 0 333049532604297401020589849245996781843 179751292726401592437449330046256160602 -111065674725828913383252595260151362301104598454368531025314618798811650009211 0 187138549475004608977836188729650750148 223492885439666524887198056200454812102 -107613826009996711881626698602320589157343872850812328108281310638551732647433 0 174196840374911263355665130107700501709 216812060883092074159737292394717247874 -97520717981582986610224983010595972807045403077566498673988211011818439321030 0 112536730720610162525110474273809258217 60544940081127947114448792136348067287 -26767016443386334144068893869107110443678162458964981860625418541819643649623 0 433707108703394757683854518218065592329 253389158346706890987543715759017722925 -19745577366471177348802795218172366381313919336946160581461958308390099210157 0 127572574276687689891908216657394293260 68683048905492198910801919864009724231 -87030630902514749320579030412538277230773625548975384275447568862658504078428 0 60513015556377249753968673222436277756 57520918186392943868561216803559313232 -67403064376974762083843218995221256072647274866220739731113668300403733162095 0 250240341477039879062823463745817420236 109880742872719503024945580513140210814 -88604783189623484649937365868308441267582371786558144474682694276017297324050 0 245115663586574502316334000160610484225 64867186214115567745124734928831143066 -107587952779282975972779691364078055729609634197262528133469048378034890474945 0 305311571731845649405521306988089829138 47797138626619611328298088064547990447 -81007479598469834788738917285048235764879585010594516381183259077126512265851 0 178568901987452689221856466437671296859 290870889952503925029339827014516531524 -103942025879762871662597723363570657797302094566714381634901334031627161259626 0 333917617694251558093962249268498474413 186670201686913279417639435123177270645 -97045702472617009864845827245083516948396038564998709616505532898528886907578 0 450392927533291686012863464835127564472 156327574346536786871262371723702051238 -109085446571378964942039988870696908827672567588306321185711107431326221431404 0 273049594425224660146058694196938358141 304966597324214901944267592957457288591 -67448657189661408366311882784607010321214413657223210579844447291238069827517 0 223863768422919417364150052448185822661 305200237504588556987081893470100128125 -61393889256004662054393003338727535429045302421015987061736346023494321138359 0 139642924730896618443633222952905927132 24033198059151249236312549769566980936 -8715806587046228670100976915774116762176066239416043450356253405992727140374 0 167657474215549422489992093597878800494 128026819086591320356377808920257025688 -14060658874146412233268151448104245707350901245208108859691030831287852364423 0 173044282121100270795277278194300694120 101650221583689538683584947425285408493 -35225253115645440466241496916483435932928514791860818212619726873315449869552 0 242551618718528126834239181606507674664 238708035903968304869195046468972430202 -23233697089724457977726507086931313865507512571300354437181990411973185102586 0 153574766049011547512070084365625403679 197644661747207386576810181898765414303 -95854802733295220445401176703129257979904419786304780741487907271434003999042 0 221002538074363918844998528367097103700 217364558192770902162595356050779805386 -20236914476494018322390790508611193496705670789092850990279762648257634492978 0 139781861532401280337441786419235818713 55769131816665875911034863627494930753 -31144727217393170677109142556098410147096548725643930810750442677367778673504 0 360397055341832956780593321214377035117 229271358233860232947307451894621896646 -52848817354371605521125169394037981136943251189338590336091525627014496041866 0 299409694808639423169004770945503479275 124051199146467131804689593741332887096 -19741999897234716176027921070391126105729673520674483248917647325405678617186 0 195917543098688075931678258959917870957 148983678340481785007133011141451535075 -65186794784873365720168005611085300394188228730188268238653132245602307223050 0 312516362827147471575752182981559920600 223486706573969708309902137077296117581 -72651221410476954877641403699478237101078768481444610275242048578024433953683 0 446643755841579740093164783154756897757 190542215644287544721219888315486297593 -81452621420321559163530915654058069229553508999787466488719982111390050085688 0 91723257236904013224277156068114739464 97986541700674684470058469923563380594 -98114794561930846401585184299110122698043355389677478453731525242013566461291 0 119620097629672448507834226576223222879 98257441974619149958732884924349692241 -65092365420388180353983031354569613905635378956369503636200907939627874893585 0 195572609084996478102781590835720345218 293361034443044462521402627570900595153 -110148237012030542248977227522026312678430723828092199672004130758096241708475 0 162395984242112140417773676434814790529 279246569702567301096107735348611991252 -104933770737046776371710229929443919017256094313130555957749040457626034902652 0 351847248085991617517387859168004833714 153696619721981517166435756112501440904 -83575258934090314911410833136424360540451023551251819116340800037009918013064 0 199298866261109788468905294886024754229 141264777838271494607398318903400275981 -21982970512024105983093366420465810710211548215695715678124204877504320134202 0 90158547548423856420351417213779843896 63721308293894342579810761854730129493 -26808519663604875623045178783955672034103358206123550799135443660101079143318 0 195621826964255769778371165610053400559 289803777136831383581941096298703780296 -67239563196063681058696748279784515075571858257601106514282947421860966692404 0 161654811196005087795084300190146930915 117084264602809389981198277192855483039 -75663214383075831846998228879121847639478615434448352303046991409253284417795 0 148470932993440643902855529678985075043 98485018938818847347119031550307015125 -10621550517447982702503384602629762526995711943121643672033092918244519339685 0 365468073904445110844019672350047053875 201152634849584446496735222072693723046 -39229767314758376122402156414374562096163917674603761813062937460939307894124 0 348908297119684232234903092252388275132 239934985920735636040783494659502037354 -45495865392833497071754303494759832282081722446593528739399291470273486234552 0 312110388795101002877346899093726176169 192825679983450652236203772354949123371 -79670892905531085419913521935270631700250613651663770195728323499024530660873 0 210162370697217234421215703273070531188 306661763725046281286237434294494453369 -57056541014408286191704504965255228231251710571951332051794335629460906071087 0 229052872606918140739769355192410595038 104295116597138801438511495605935453418 -66489689895324104511841368968615553664063611682577226781108448613160958924201 0 238714773885308457296436990778600061265 125662083510384262149277702909846353581 -19349960800007918960284071220267576512063472875403953805581369560340702225823 0 257577893292649278672615754861042172977 279391650566064181342968875768574150392 -3770428481696521695629637228764834585351588681161806266945220713042533081372 0 258450694855479302866984563703827585137 90313277051068148510335860580316427090 -16655972652212658524463703360167721559918595782166223099282033915750450634747 0 81431785526151253337716301700025230736 211899811907795372513723606620533662682 -15281261424015088373447545160415443806667695200490919712558645069526538251642 0 148585836256956469096173074348490272839 113424748040469605075531348358738139495 -21183029428838089598253690175301223224817605936088691207691660255016665943268 0 367060752524512353549718413498687946998 56038973271675173053409043913844406554 -44115837842825448434549949698971153727817154009211720076302692326226875201072 0 105535877913609561555778969605702677070 300844973979534346807051177071161853634 -78626327798504642984962645891937758066838862558506382338972235645638971174856 0 246165090119111545612927156646896385235 288677534587881032681246041105690796961 -32526769424985383942363243247107228518936860340074454290958474458143472747346 0 375988943561208757689727145153563547758 10647241992119623222307833070046655469 -26596047925884207160144942573264084262121866760597878600686419125712929074955 0 391194367272001125511506972928061681173 185156507180242014924612668541966890820 -10949458318698722084252765648689769937608906280707526590838295900667580749872 0 127898397058044503652873494754606540308 46676927492687614494429007683603752090 -75184508958478729844952482971037946616826084228175436560488375335772573876751 0 175309963118677505049511762573350288585 275054624955694171155929459886735937868 -97600460072181753064839054791721345443851631118606954916263583270693056643053 0 173966795124746722274255686047893934613 303492989541788391733397826948913520251 -58115611490193754297947555010642570114117580581063748055913447216152881084357 0 258268569924055209490839969739329420300 77043583040863117548193574554572392591 -85124180393272905674915895558753296355842801342314284641824664301011394328803 0 320835982456193763627823729044206973704 270782301780965196307389272723517897257 -102595957646687955122836421386805497109907817596423189310814391456427203919651 0 265943019063605750786866684403729444001 232403226746343395823331947852924002898 -26954293366450377880871890468501758986583997109251630007288149160104473772815 0 357527395391405219209861949305162610172 69273280564708665908132122495504797431 -107673762321871862689059836281272445958378427849739910268210366204063642153125 0 381333688453210199235170123177305488914 253566769985225334229081551742023353388 -2570827043287894223445313410527861125027345783339384554262531031550039089624 0 102276432201981604739955738927783151785 194459983447765234230981257872572776019 -64453762035452472328485255457946983070304288166410353704568097425667239697112 0 75282156502701009381083553219898820748 221110973823590274568584000031069581065 -53014028355904453624047429228965378200584519197563621350051599011411329466072 0 101717764127038845316154659074359409224 74140189965437417028291885941704737827 -93649369363969857206746345484923818053818402172900245534166978995388028644990 0 379141370903111375224920202253396861619 114666578072558715000687143417006338052 -46718290806381695498803458419997739539647250783079629691308147261958398634111 0 118030142133865350956764805221650615211 85523947396671194209442422976080736768 -50102811083770537176486468930592548716563783547187309146472688586744875983992 0 355916093106751144903087503777221970719 161881081744259601269266863676470165403 -102126936896750865753682634175161279974642264535237798516064599252467295788903 0 225487820838050029442282561131157857170 121029265991836280506932224877269267235 -73336428268460229968389815320071684211629119689484427210985793274986198963017 0 163234570233663145266544410965654166106 302015411525368225865768337360671325832 -52223815472254225185035199066604959031863310541526425429840237864106277253783 0 386408598333924184119072238368372098044 146144518520017711132131583837589962675 -65717103451629307801017952964793798981525522282159046218949060849254759711352 0 75415877314585113274886280591648887691 106184462095920188580280485498688220535 -20965627569147404438871545189520920538630257067785837611959919126629266840986 0 254374814982339379953677291193842281811 197402344816223577300681183117286787855 -38614027734800104453053543208698935335451220618619530903573321856072097084841 0 231317981656504437841554829369736295978 283216907503636797036029728982374938917 -115177264500695842216266088290866194903201106452459915024795908326694645594165 0 443895921491118835030184876644808146107 282561279654298762021618786702522392582 -76432165085513422033999283852341910293539361404939993937579377734828329948682 0 351911701215885359178312570999694010794 183104601290172555418214284121554975863 -91898805803407156978511089451294491218938267573054915025623562102191747231440 0 204720505723755238155100441734779542748 64488561835186737724838310286426097626 -60167047172623434786932240761881609761323879307553009306758784701499423813753 0 191071213235230912916909526857908979571 25431402129725525388787218508992699716 -99008851708131347166474228806886444392979327756180663239597130492070063950191 0 188186868556594691893314444832966042671 91413166356694945391683782994700922343 -37162392069291919774367435762908927629673117170839583803395903518964084632829 0 305192194391793702065848450681584266886 63791378121801402865198612282033180199 -90761653875218596870771925495100503285267160789899754390060712335425617233165 0 213968446878519878383695697547837858005 44242735973518711841913680713481115497 -106508517836487849202297598649896352474024856280345186373673774458679869816886 0 110233599740521035272124801672929637979 240185726969900384630099114396711616057 -86767363576052643973574784810585838172057379484701103810520227865587077440719 0 134133927555660412462248765942698580859 225263802015785030367033025556685628254 -86288787795019852809558738385542665195774423438956224531504072877088598640519 0 359051606353910557570442014535402106620 158794399369137264814225399108720671753 -23325318434750646932583037475350318468527745122097168835363089791450133964208 0 56783801070032041852455496726417738642 216640028534859642285663550149199382669 -8882993177171056292881197151120616949156998889255643332108552754407862491613 0 64664670041320660742759718433065761842 207793673970147999331050208045211921709 -56784551382436173319670882307183698551497681646724137356540528783082507561570 1 340892521698081650483241020763078220547 4376091791147313809274764932422927033 -103655921530802330921736126527297404297312133515071015082662759096968700483219 0 395600540180587795207905049220813255226 112449101348775375228038057868833592886 -108834121572330844660460785977135461125979244380633483038746348580214572493901 0 359759298402859010036267971625689054008 316592607460051296404092364302217766197 -34367752295176310918849708037452320330865770228308018069119488172058512006522 0 170722273810370559705134521189597077691 290286600369346569711684789834921233189 -106323973657583189988676842093914127511005107664496858821451873284655474824724 0 432254175722259006518728444176490289180 298667442826272252363241382700237490124 -77047279031648853248039444323422732910534388560283245485779420058103728647060 0 87091238395411236863479952403877359332 227554549653532519207613668897293012005 -29164966927635254730462914585221686560437994051060066064782357539280963430281 0 125214793497117814694133665139140656808 18191755178671066657296974570787587159 -100871325706559405808750766798584109699311653300053048286892990766993526112676 0 261402323670616826621516795517292195510 291457235237668242384611700369159805191 -25341764543975020045484922060278498627443818472196863697872592264745968486088 0 304697595354882817395232053588095237352 122382318555347061704443376325281787439 -93122348016998855258683148577513390276710973590756380055098877001403425060853 0 395482620264009489906707850350242571217 14479282257231624711583363325003034963 -33133343550129014814380530406447981458815179807125451181297453997511954438529 0 276134812657542808927548602024536555897 80668155120192242413395190965648358882 -89625209938935029032397592704302183090443412036595538596161717613487454056674 0 213301313158948342376343914240823556871 147207374826196912135640063700880365096 -56152072043954799410212582661348949272421816777123574354875604116161057930596 0 428296874216973005737375623891111270670 105366445481902223570020786193741365868 -49508546006256596608782086604979245508055904190917842657563205907600118564063 0 355159816943398752269668389288569968736 22202916433113948895343068026368153715 -32924962443801255988005807801243686938787054750257294376605603357433413352780 1 222703777814167956871248237281047413838 7903875573541315669235593039689134286 -74864036252412673320720691104472709483695220925662955333251554199480540358196 0 62520755952116417853291233891379303544 112348845691504252809857891108656187385 -44555000793169076652023294937256241010064572173303379968906513874141919265006 0 356657091052998327674557614397399272991 213583091115644069877218576366600930420 -55020272950497323892153468326136909818697821493271141559567768392770706164958 0 152603318714789091245903245929310847115 160638614513486283924666618038421023809 -42801148554637377306432994885371676807714756396721687353467891354871628720825 0 87036494798591887097533900866188318294 169085512516472840448734275080054840165 -15961640531482230402985184996205104621106705938515189707268469572950484347412 0 121270084695350616928284378685429962774 27866526319634631496867636651717974721 -40323387382237525548667872586840553323332771592782639446555505901645954607131 0 229621504432506313171947905141174535711 136341963267689811074957222770565109172 -91636426773415205178703712836493118069562775834604946065775455441516945028105 0 192779283444198354917307811729537263748 102609021898887121286837104787311569022 -23952253728092363526302449601461467480728906066765520931029631158343979390352 0 184497025751719664620493359678973489127 209740247184245572683525359691574647321 -84385833182369313991650137685328182071794024611335168152611495792032273756803 0 438554849212697966269652187808382992945 158363992383668149756742685012061768779 -49930895804218851133192981583975288308721482851596279898309465976790873544608 0 157429214579696008859192128376654241135 97471858925503070238403324249368863241 -5014451648835867989289243887980638089111519057834078477725381874192412262422 1 262052636132062185233877894590668206675 38619602836076605869022943235214163617 -81644396119528266082585643299841965032272010962589398227685592362758977096371 0 264710246796889215486805782733470318298 39562067146174296591721641734749883439 -6844240981972212373633473706945454773183091067491888888056063303790113524839 0 76503923908868235319175219431276533887 73324868930953322340927627903152810488 -113483801185522361607572341114147933826060120434115562418652334719852055239493 0 239106492814113346987033672767307139418 225627640566715477031144920233950201785 -81405335245930405058358852324145855725688040981240440792362736820823311152129 0 214688725142424259957718391133547490546 56809735000289657154045179864107608774 -20642490804878140308818971512760451133484990257518513677882457897908816961868 0 185268268201761755328927498713347423838 125414360766042813299936944572595608368 -44557163535792683564777736441487996038561674684882365578665875863856112197606 0 205630139898143916098464630675899389908 193750920604675830202484002901683363858 -115278353912757645328890155606912213333094722032668590266128760539333292930992 0 338594576331151144193843032648316358479 117953680074683378381622619747598508476 -51209499219244761382775822933065726837670000230677476802997008495655477297142 0 404386680014662011607714121166934267573 165498309141408806192944486421978695442 -9567965049196464596612584779631578047961932694866862058976575676468200416077 1 208113747360217067421446161214919357638 21811166641162858620890089362538470107 -47501488374181683826554902914693414244472273686766627851069882645385510906844 0 295394859582268287365680388517587135899 259589452637284502528659877868040399068 -115727772950750806331497074997046625963230863558536653302128035507477206595536 0 348396452466659528450001469692290083082 127789879253433728194222428682848791639 -51027368772174211512668718809044413396271280912726563615788715161859782410533 0 354362376759939442621588711100516483783 21611253834236862554952408811660549829 -25105878725042329609299329436350834616134417648174490684236182258786537539157 0 246152323280759151857278893775495381493 260641107100361248041892764272352672339 -85898853059450862092636163577155349614430804084119292648302715943400786388725 0 176618971440936648812018857872907270123 308223900231312961297370100928299023959 -84122485180295307795134547401946757664268665105795214024273206749624045166034 0 114356497472911625633020500171282625959 302716711127860419385471309616837717265 -7879689483444819349552076588079959739472312490953665956519160835120759994962 0 145807179719617056975662532883908114925 227007828503585525126886698075379896997 -36453550928374327683383610762479851341313174506781760870336389199846369070098 0 346131018282738152232585165432981969571 255644333849677733070070189532639492552 -71727706037840101844190931945305912544213288619315870793450913552282715150691 0 362200932311303941753536381684595511282 147667317453444191459809979785902320176 -74380323058428798898714957384418986757484788616195293653049391036025593375874 0 252371476905161635656338914080144374530 18863853000792395540130186099909732298 -40656260367348285111541826776373606575352690215253121543778508979033811577626 1 339116163891667166196911610029734524065 13445782746241833186287597150652059912 -41038169348874997562729726189699304129159030993705315910774415088768050603331 0 166286850737512129403317485621076511732 231551055015109340103130071440275990598 -35453996121288003579067361729766867564550248854127344511569296604013437115872 0 352880810979135225420919651607085956522 141817075546195874862001194961469844917 -59307692411778000109438805346380281933067080712752805391606417558806747406113 0 87916431017539545835327619216401375467 133157274287499120763575215430253316815 -1719874047982963587912996899426193506200401116547797632908281925036770571356 0 306352223637219349491203878091814820824 163699730971862873996463387321198192908 -113769319475258097198604794372521838545464847209028555938513424334462922110743 0 269279825668491238190491421250392418253 291527923921481633291715142259202709288 -99690494789517180557157894527007716859821978357972001969795079848661464095055 0 173394825216935602171649853463992503767 324056741816239857416928405738420879162 -100262570929243863575743455429664707952932948180684175364562392810842002330899 0 285462592154447153221855078620235403610 191154038773441489260626243490611264857 -55338905403404148425566884294180213074467327966796631243795135319846771288138 0 245376693844791641689743743095263972420 75382408104192905969582133490626841900 -44629600213957694410524664832214523966479800022656941929191730151627884796366 1 395930816788569562069791172641177847136 9005568385118306713552632284282013672 -31738448221138075212519824575971956162724305551546609480359617523492446601297 0 224931024019221378968219344163942649449 264110601641078970191376310859096054530 -107791940995456777797436364445372941158188985812524136036192316550195787843859 0 128027600738870863405909810559507074993 215995082102652841307609503583879134660 -26140936920699054369877009445850291897186807778418314382589865064374177448361 0 164988420752281807926568311360879703983 105966961875736976805722785866836769547 -75531295543497868067114205027559358983254141035410487295582035979223457768146 0 148400442982066307608721072701345681970 182736759942413011253540093923476380514 -97234034660732674985842629144468950395861662666180223813440437680562073216369 0 289494070196529110790074916599162968691 18907718973690620412654339448460739009 -27621475956222638170230750207543476233608733925167330051543407426007294887365 0 355568908773213958207898506771055577267 246151396518516832735924166642474565065 -30749286524315100331705045403623098841231039186663782347623818181538081994408 0 385833098554812891799774225573730654999 203811281870602054635814011641165762592 -22599504861630977042137304681022012220432367005990022013727718677053680390501 0 298536991807845529843125530923503901290 5002705537714231965370242063293815888 -9644285581499559007385492647807405905468401136129174872424139725648550388011 0 41379260300332768477450440632143240381 149757849909351817002723983326890813701 -79784575380065916796336674651106662409589255580410606860192042657781070215099 0 210805563554233631363020258390196398259 153479311438203322145231619886782242851 -109834105808285333715772579996445952200730791225540277994728689375436156492534 0 191412505890247669890582981140222131595 331424981110373640814488894871060943906 -39182629844391906537221329941437074232446514168357190320810438837086934879478 0 78943366716835314900927887985748435540 193241100487752545170890153073012601895 -63547704406928919599057086922039280316244978103291718398382539715504446446450 0 321449013088412991188080860867780677294 149893652848837665217938050660592856648 -78722467367080824485171519214462740340898666017713858637432722788620947272853 0 95563703734265791844331278053162962618 253588856652056338450182347761163437346 -5322707845739853746910672768681011093247176616835822531189233937314438577272 0 159458635720413664903281651718642563281 252327711982909790327247463560794995044 -60126673911492257457036851265242771755753107147934000134861715177507091926741 0 378821743046106382087442320447779464283 272776134557454564113774590583178442907 -93154976017644256420088969384064641549293701302930781273250361171766697631038 0 231826226580083142648600762593944346657 210814685911251089404442213916216036237 -21356618620851939784401439525854921513524128522520019276288253589846720851515 0 270940194558707207914461038002537041978 262036204453116316580271530149041758779 -56297686180616227993826723603571740356864215706803296653440220188328411271784 0 148220342246216938378041721101709342204 234442906150326303124104279840848841262 -94935685469764623325290044211964105634025713779154922689132815992661571807053 0 378607314884068198625138632506759275579 155252455567985522155313310075456397502 -91329203251471192055457792733492809881915503375411845889129888172348167227513 0 284017399406523130621420721063793371029 250998388573010673106489204041281541354 -11207496406972806856442570559820555577081336352595596876918775178773023241278 0 230156497339319594265686723285622912471 117157470483899769696195985348001517010 -83175870895796706191199265326171740461931881505745954057428782929889292461693 0 160342581538550327444404105299752887002 150738001195954517788737609842260671965 -97476656096907894268079393919386499124008904887457205563331674803117628008045 0 62005759719808570184941917642926058421 67972248227269500064589990157800960981 -88011175900007877102283744659116300610050194686122126786244397492058495618123 0 83723701382753793273581334068913519993 143535995058731834354949181265824439074 -68511120902451265046606661652110236756970487570540924463551735261329291456731 0 80624787906411209560963362195523331013 119802525893839176918367390638310023071 -49338809410014019930709919528457362587351916979551042455795308692778761852955 0 355786534348377680722335799794846261900 165943692288053164755664734668051032268 -13860762726997297462079775497008723659556298082947106804634672762466342846330 0 206349661057361467509823013107472496122 69663284159562761334353823855474606638 -89072153540891670886763249665404124707564881025455289892332019096682886167121 0 350624455123260732961213556521903929836 45506953939106465369002516184214158495 -96365215392718189993065796130961112928741561723584501939857728104126899493612 0 390558648756689458750852900188605175710 48053864815320171133249562404021221559 -3378163908284305214516617456703914296085675966725297690525995225669719823524 0 244144949134294306946605804084137004196 120672310931645743872686604544069075503 -15119847777337401487863409094394855147816797483491774698861340029070934091065 0 101486503158745920342464304111330743035 166597344509127962426536660503527268667 -28750229545304109256719450091973100039174852155583148105283310740793933847601 0 313964879999050690898365084770755635409 17388501199629747212265902492448654177 -54316386516879954955143602983713047494423057372833903183801650661915217751937 0 390684650378197476623740337039959457592 130515502026059635809494301258817572688 -113325163019662746430357569533362431611217578674838380118214542409188394686561 0 337004403245714389765573285229339776302 268920747518322513250045769665563023706 -109790267739285060198456758238161152260014442777436413392751338094520263382458 0 410420539000701774986927520962145803397 161902591648095608810407307928784491507 -17323700323856648100589269944005779297004596813964871206126621947343226677420 0 343999917849124256268242615333285753499 104626795763962583704062133367264067812 -99625161184518603425286848992428498031935487157670087511976504999264748258562 0 447091715465281946404919143057625805819 147233496201419630907143412696672827663 -19767217821257916435819256389938276894668020029365959975851301773808477639765 0 276317197176808790107904813523192826176 20293314203553827021349219813031543851 -33288306255189154748355610827198716697714256681539990095654965427210336360825 0 411353885215647178267308664689140456599 72694595118213582336700026903886603764 -4825307244185329682300154304518342726890201503647695419883006017192047396947 0 192854390745491167218179334467760723607 52876907112410305059670131107289062239 -15059135847794636108922587178069497236588072875426787466528215741854135422441 0 161550459447706461009767962082843869415 272698956712257632810309242569797145150 -100350119253238111848930011718842214268516453707364771735380826624609149631957 0 332001726528692831346778571051011095870 28459486378077711489526613312482001504 -93683729367923247529548543563463066947202052949428732819227573428218706611437 0 434940704775381732088982690380125925074 145316724620785135674364360509352460873 -31988955533830065578118048126775667446371586144237182188930190337540406824726 0 350904939293610421403142212140726348128 168988299059209013541319173412713572258 -111658720667881941422499943986545252060149624690661325821653730829615245939090 0 356916906603731329222240958899012598545 108086257776845416328675455639393636876 -6664534735248848901748678068202083816469285425155608687193581443250704204943 0 226202511278956774693771325571788149947 269592790787167163773094391501083088913 -34482295467967172119970148457167396550362083701617023831786130535869442135246 0 181700281651850872088693804117697098919 305113108614595234746277629365607280453 -109731748438053456086073341352408336449756468969385189500811679496747519805057 0 189363180594420756250068520400009823968 47116030835988404095365472217296637686 -4805725073773920565627223189323061730397028701795149845048194394593234208347 0 202693990977694803725425587569960305014 142478206985210105362933128293363320894 -50854711555938338298642042679831145526543224019417985864613750748875277544383 0 317057991373791913817475638670005867425 144890762501261358154803816194148314134 -93402360775194005883449571282624973317668751546651753916285541360430077597558 0 260658386832050362494958271723003073829 291790575041754075343143464195468360842 -110915012940916190892896711713533780701650763638677102900269197299393143643511 0 463953670574065640574098254215769615676 216655554621050423229048504197979816791 -4588802006528376570410714416265629726873705112124517613552812238249349917639 0 85776510463033730978874275350059827430 144982292893618097586200903961488963396 -13342135581600564673308182521064586516727663579595706251320257789163263744720 0 191435384993643380482556708815999462151 128837894638733372034484928982745524114 -31664375973200218301884442627588554345427575526248869372888349361216745266568 0 337087523888571369345728919567182556934 274102765506885030244891309543662293216 -27517330187922365387954535169979960044463196732896186343057675700262552705995 0 294090152048656955672670760880349630566 245481408538868931281631706027742971432 -69195559085311141220586099119437836855345732205889535051344895372156143493679 0 384150996535821894437411180854422956547 38607357231448963462539911393931415973 -64661885612355790683473477264995832759693384773428626750635194213308169397167 0 387961337912653145874332214941163300178 227476114132226191947425472596035666964 -102087512765186308264509014151299537991994691241460508792922865824877809361464 0 177612010980338159397100068519971031551 130473442200268919269235434079422209757 -105316782509275296438880624286793317431421576660362869484979609413421081438042 0 488639085875349333087228008277377291136 296580076488125169467648395512258117707 -62347575040618224022379683412076325322138665645525801051886659477295914433173 0 182692386081009394243753951868527224098 23502803107977267828033679909886854250 -1355729387922619962827298288249526855297198348130536407553863282143079365037 0 31321773689191716596588419573354170657 55805413947938339287833275560672587305 -2493572742746721530961960666930840089337285219095701611866416589167364098942 0 124536367567514105110282119677007611697 293173975574284837907022806893758512269 -109764204455491437309502086855300465228232484889061045920888512591793278944085 0 368073835731265170424757637853992497660 78744788960418752756719748463738600487 -61704336118289686460383183588071469565979262957045526567212398059695465704237 0 420893934630725537310841252325648882099 209904629379106200715410506344244865339 -100017244055424184521738206191431880848333393586174899207100863084561572240871 0 444616051391645874926332488154855265884 201914970284451290138040501434735278871 -75946829954892236434479367855297795036432394139418080946975129603309886373579 0 74841895220960337488755563937704136231 46317010462904574608707166858795555106 -459749964063109813516518306269083580585166401183748043820875282452005399017 0 99272165093983248737654230512511036238 127075595885065953166216194028356009200 -16336072435757528007930469153051357462914215695232596295640295555811956938105 1 277521070635226386662549321063152236532 5829276597247552805840654353501736861 -2991947677479483464221121216361073034264714510000931451738437439578460244318 1 131520562277157366268375959544046811388 12882091562952216315914896664208877557 -28264618999578134491045235062229091611675509505111014353383828913234459339132 0 271806192731236850299252879119617843681 15247504410696281993971358150571052521 -47738075636155378121368665709361816292316607056347699937288801681294171120567 0 176875775603542367561667239496533797451 203936350932614007196253420759753703924 -92093948214472521539248604224823775884163645166633430401890374319439806330521 0 370669153989950674079082243082348875733 277846901946468410635204147878066734300 -70996688707750892957975721551826448178256748357240191619265927898410903919772 0 433041366945333195947629476181233308654 160204506815234492754619410381807169405 -9918910283306704172668561140979813208666979393627720825459067360468433745403 0 90945818380155875689704339709110590984 224935911367335061840719017295225175663 -30527884009727748136052537048161024981352797748179418500303530280326317592119 0 234487769736867575931321267186246678016 26768352602970656473669062291868867213 -44580485104296149069292626388335049997316521092452398561214291432896731385977 0 375446209586781356986399493054004062224 120232365026272644674002298111796325777 -66953060921252975506916941738884981737749497791184370376583965839700643957861 0 255776916181114386515859118967458075105 129126010268513536882955392328404407061 -79615845873844340481449061692143090207527973886053041009384112340499585480929 0 266637865615987209261698178369963849530 264803800022276097659568427782226681795 -96753084884998997037627618701481927961030660720146862744051811197456786485024 0 375420482591755821325330836679224199602 251290230891810449606280513648626819986 -82109497444191113522349688323935053761395758004739728998015759227144487247185 0 285630914794354171983638649373487347628 175265594616096233272280073956344836051 -41360175903619953768296966660239255998122629620981954855809251811741903379107 0 295886550111595569133074880373530082294 138977398502656435077344069575322617810 -104893005334848300475488141609086607733911671881136035192488032759425458748049 0 402818797684029998830063718929199253805 142144716170574726595229225317802121716 -82204896591079174050484222551881529273634052820263479200460617596729942076226 0 150143293872973824605668855682471833131 269344926453083409420126213255347357292 -112319432158757354985947023444809975333941585130344203855362578054435141905797 0 302772041523865504650085912503177218926 305631340373347262972098178447343574195 -76357025804461380479485840026517121982310871834962706900593145346525174604677 0 300994088768453379299583100927759309277 175729205585396435499147194695960922836 -92701368725603321870477550715675103141096602865268133694318628547269593571787 0 127455090903125178886115303418818946348 158600200429914580130875694024466749933 -30366570691769796982876120321511691088583346786487366789681683572885047322416 0 97864486336195757261374795222430117242 157548945296808283403082235784697656218 -82827535489871339105390846239741419695472886767162961465214201098192979324676 0 135515964095688238117782863237758876159 77986666142713762986485825217720139225 -88201568407787582468633282284290894891262928424364369572410269670502154524059 0 231643220301371175810318981984598045462 101038547484748728329627647279276397219 -89890231174678100470861032021512297371068994737038622501343728899111503205368 0 163657499519499529738087234643643053027 334867309182802483821659479821267369588 -99143940399542535485926882175711688290467131655787106287176333090132199798361 0 323595042245657184386559393572558161278 90896228615594768695709623256958861679 -68652457726470810797054041683538825810459893183861348389112229455272085403220 0 385276219601046184931060986054979943732 176534606246756265460726718977031208396 -113019181577238971206061976769723137889011667503179029986089064097478224818439 0 228061753272126180169954071876821609661 151068210531336838906791636084900495746 -99961552203080381421963872924035714904078318350676344127263639343532606232484 0 127490123986424026229510520151256605526 98069383460288897058819973462695432334 -44096864616939528108157377585899304128258791801829746866432815031336295899825 0 389150996375995637699913045875344505675 80833917397102770121007991410012885873 -35664583367629513423634398043596461918365363763258554696841607525412220379271 0 414026484209468716852064338937873863718 118142288470327059235520095225234420422 -92096324096205374859858623233994377375534109550306030792609114836085665144436 0 290163208464608869810796024523470431458 111104603095616085969435688138740006025 -107606922167558841029985625987774137156563930178830677833604573522055564981132 0 191464891356049351264615676229021211869 124427885465991183283616415778258546452 -105510904845819680158503837767413750629999954387819132257431443625212021028824 0 86786642102173649819544809871554759390 117790109367021635805526187648161165947 -5398585960352522728378574070927682328415753575205389566230423346770420703314 0 39637059636871892371815774737711355703 128924533649149842350999040593173907385 -66041797859056160994552888396449998923447150626888623558165696328564772702111 0 128471908157115025282489468281448230420 168895753020183874952825659370860005632 -29030681398382064687053997403555639359499940938501513104867132703719525297836 0 126516290521697857497924558679626426461 241834344266193259666812223360066486000 -101210265692440511175776893682878407182849248083537725762992485088244276243393 0 317947873438645236264500221984442830631 314243165271306717394627999330142977717 -60777453606065916585172193602644551752747670096699784840249049283380207362280 0 205786569858492786628725953610938188330 122665030839531186031602677379014864365 -7831561338643043897186129384679068770905311821359874272993960143299919848023 0 283628191597583851257389282037740758903 1388168388747006517890713445012168457 -99460161590693020327165745545640702054494382319550225936764570100407625900159 0 371557484498267512156621553111362482878 276627812343284976102910361525028122188 -95294149675948540131232277121591987735687837930211194306745729363392655291724 0 403632299294837968549679470779455563201 84663610069996136592876718232264299749 -54591824719805369762006767475661998377959391653248896414170843491332900784436 0 204243986230697768354598323159362622424 264045149207039798457444793792838782101 -58669266342349309623227276291085718940622836695668402850132211636716249505058 0 356227619239859734199279135905703448294 176114844039539097880245207281439323879 -45791520394318792265185973845473005203308474345186045575148760580387205816712 0 290613758286262058390341082124563425114 190070708086372775234165242152115415793 -6140152154482115974992132192169048256917183784811897187890196297654820303342 0 45032738987432359348721776751137449108 164843215373171149273393542995934292383 -78698045666200483654952978966866005287864603318633340468291781008294141138777 0 324127962403987158227569958242559200045 86496278591532442136596806795767705693 -12056194848471113762007341171230198683501851805387562543935496285874604285929 0 143672048950984076728047680991634573991 256449886264700068979593436531109754571 -56381737799364298751700887057521089740137936353711930816208243632048627251281 0 269398453158762442505165475487560658463 173325066198857405501808985634532463021 -103130475613504946652182329656645774924873591731544239085947045024897491327553 0 380156535565480773497885168783453669647 228570364072038864497115213009521912571 -27902085695334907428799703674633951142730656473424703073346197154332439349448 0 344704217856955730234422138044604020732 145700488479355450125255141168283845247 -16135636924573011751643704097424547692178875191440927020623722441189944018061 1 196942905380271763837716958871912287371 19029788967191373672926579338201910014 -66075322469376679768901578718596836239362466403415490155841260805467114101692 0 161594168895270243506521943286796455562 158078615882870342408874445435584259841 -57022047053781076563463155651519251603508009652669524144016493530877281078085 0 309001557801096534081419607221947811036 45344393972446008897404514545464722812 -50796168741464189605666384066380929776192092045233464308685330881437032244498 0 68722178303617733321838947738083101455 95835088132611489795123421384040938586 -17598527837484307856817548238134448914802708685356112143155071602225858508692 0 304478213612589432229736130168319993836 31302229470981611824629273251179524619 -86718557405134110246729448706577056471395077434656749472678377341587128639207 0 200826123578921082846686780106939510859 195792670257685579693444070336103325572 -43743332333040801164138604378355929925867438656913962175103999863584985883706 0 147757333823301115442934983885930185248 13819620241655022262490162523171409494 -68194228258318122992280377369686145609651246243399673223493090392101631090793 0 330712859378733748653517369519679675547 121402925029605332401434700324261219268 -71505516810374947083709397449720862323528995471220226846675545235935223968340 0 259831184801153346577924113037258583678 229485533872527939451310348548808222760 -101303958796886260834292279866151019800540009767677010337504991892944692825254 0 377340770077239404480490688865139140578 180315115923450904700123316721695225589 -91925311182152028946939545443869971479886807452617039542385108028429077560793 0 101225331091215524224331639781996120647 42731704605444039215989232893236156332 -18943811171533268379045499024248548508389892902824309457007990736616158884520 0 242280948424852596525942793832865938922 226277285172429567847255153266398394457 -55178196116111238630237200094942869266838050572740095198495498594808345525443 0 363489291303669805186073615060486052361 93192668558919463564288080874822620030 -50237499124723031362474304798219495567735510441240632258782740761732058848557 0 362342996548046694871672989702763650550 106891417784922056656175713377569886491 -99397494671491197784810661569750657908848924761527724871300830437497952614984 0 198474248901893667543176891550628412047 66236381645845317989184659482643376295 -72691786566856705892171680324993397517494414172734655964670394431740422232357 0 246301740756889526731883383037933918941 125813603802680153644864691722404928564 -86378076272727588836014001002970290871766286594647378985965065764533670071062 0 365937739812248148536883556388440946370 100223372851123112042623412855533989152 -59728386893814294562210965373310665555061290634021845590678216705226305778232 0 169307513630088670606173987225219053557 116504761778312784178095212098058284502 -9325120897557892202114844264231528322413916576997678857913183862408522250075 0 282089943998229341515870368487332319419 251943640539880048996859085801801098829 -47249104223605214367942618421904154782425193375091701925157173216308684489672 0 129315836039178656492356705848932264652 78497932815695639146584151284843424805 -97108794853350977799623456264139342808167055538825748243341377953580083597049 0 333150787617359717266785333190277356286 110792954702785442909118164019539701831 -44196848447624709884455550565170945784526107780691932277445576710293179397370 0 265468586735833741128063257808142923551 12187210571525825110700130092089938090 -55613875049520117795169013029269928220625934959452153825034379234678672393381 0 449928736368741019094477763393271051663 221461831357293183794304597552124918881 -86283337995711931825280412486268661283095429909230262696190201394596239330421 0 248003976917075220914202962968692564955 25488320581740967697339587943741218135 -78206229071551277989656436006516043758727808973623259310388412170619057999958 0 356761354171995671176421056965368365982 22437153988102747964727476587415865796 -3537534252135498895878659681106539374719330478573289764671206613223143901927 1 338303374454461998860732834670326281345 13127119464645935655934373024150151792 -38594155566061472101611440766611361908089583663045352992496381163410770257322 0 166974231465525019216689647666848265176 222614564178057168999940966689179222073 -13555036123393484750912589388924856161721815349756512548767394415532553732924 0 235368875680428756603496662519485436862 252509703218402651967764646501178215992 -14799914772537120584773130202948749902432607140632260415080806155223089474334 0 167889582051601968412785477800549591034 280257847109832268567178528844527703704 -14009458104930518771645693700324602025728674342840342399445998539398790535689 0 102955643769091953077251206466241634783 73610128182624115435584077103776211692 -48881104197357167625505311491301026815514808423406720694770620803854394988866 0 80880417112116112298446770545201707033 61614430678446780586211875817108539161 -93896626323855541683519550061275472757994874341301799902539430365457366511920 0 84348626531567851462863476211843772702 106518183048480891058160478061151494453 -25008442207128059649033685897582377985987786735992595044703675681441369388795 0 384953149772527368018103355726470953396 160509468033657678825397061944799942052 -4147577668406408103664523230004261974800983399250650719325864856645546982751 0 300477052071190186617946337192346861241 144531158690314730215929351524035431538 -86149689369700488121484094581877256229047142467062227866470139798644728176788 0 476538687921444640611325636796374521674 277478240826400828017643243159666685852 -9517911495207339657723060865229113044563052320883592837746574409123633741220 0 181465702062042860027945132503369633999 25200587029858759061685657948964702791 -39747766644731866787679521372686786927996487787392826880938033511650172198178 0 239645781930494284412145055547285378798 170081568353992213748313060783621827612 -102362842011167433283302118613928647450524177451764718395526847828298109448727 0 109566711224115823608840901607723560052 75597236948626764875042024583618393371 -59500306682240907701437681774982748330305767033736051318196148861216028607296 0 223057623308850897607694537729948232328 150176426874848330365790693907638489298 -100201560157205314025965374556898625046107360501445138700992532223824362602417 0 341265024006865736854330927637475099224 216975673540100455221069431363730436366 -65681774504318094564498618894178951908119458930736000244035621776315567522899 0 264034867392452998852672088695467064590 282180963354092784653758255225591498956 -87309179064271470719481658696257458107737546027786534346287858315068632295596 0 124981066617937058114407597864989798879 54581154051886176277791516615972366682 -1776176530594653553958127019133845098893499561924516369157197219761485537660 0 222658518891480379036125088818554114854 101679553310940070843798260097235187272 -54337798901368702675533089056595311264880959913324600742919065926446000676649 0 437983988910502852823180767874974720693 189144644807700326684069217964613425608 -24424698445192353050453896884231068532038804036261513965899781138111481157479 0 229181298092006890914268287049541979359 54638288020485402270989253469415069875 -114243347268273075089111137800690143413175978587577975372650760470482778409669 0 278110660080029406964667363074242330697 335278116185561974345465602797469703861 -88224738381078036163164096668100908003065812471157287915819867887216256415156 0 225188005202274725303309085389790285872 186487200902004628453625593385852094846 -16817059675278602477179883426533386716301738657186326761231116111494911448012 0 109839833575239125767317699927415498042 191515990761044450344744804925231820300 -71909929297780137116033813992175322012322475236028263704088572426629474751990 0 81480910899150858692217390117877971270 190289157817162653835687928039743343944 -26328193708332695145889944807805565150336387984962399880526719726023256697270 0 134339020431120841043467718725086743333 207133762335250094713450812767300484673 -25408409477591338272814844681257731301730204705112569578131055946784976660113 0 407122038075289451069731001231560106577 79060280821517982645107103173539158963 -55410243529636787176596225731012145135430534562663858754864297210695236448567 0 322123338735550160426757950457948793446 118912082328126001764300013944482331434 -91380965174416027837313181380227598667574357782567786019877653116310687258464 0 168127434350998627092975407829376852386 310932428079562834251233970200649147497 -64166964642273259635080339843015402477608670685604653466583285374808271093494 0 141398202619975485550768547415629649784 97570137941674333737482597698392757547 -76966141101145567072385927755768005845352148690856228722511610510751086576716 0 287309039071847939347226932310853473845 168958298682521800538527799428571169549 -98568265914508174999896304689082280768446068917342819793180464640851297171318 0 232580124543424579314409361039265584199 49722764222740520973071546985504933510 -23502511001983048474552700672136275471146442915161289907100236972502787516562 0 271733257680388500687786776532451074649 94536122366079014798489980963915579484 -111447300979657585620871577629521832701610203701537330818530547614570995260806 0 366017970285388591698324114895186952800 92544681693971767903018090439662941939 -76367464158097450429574283526189920968593363679286267310051712125362302182458 0 183670025726852430524719767578700118249 58430109390448344507882656092560309783 -109886362476478094266373594262038718276650561235618375703229937596791227370184 0 137881605731540703095739213813674863686 128193184291917143803389963463084027312 -85444079062576012123051512421298901146368902476961816269477450430266868662599 0 214401201600361643990936863282361794348 279375456261393668107818697946400492354 -112187036989065392147457888205837777417432009501839290012710327376503032380396 0 150834861757846852759991693385890459793 215613210786935090026606284026882991040 -4297395442790342502480130821306111769674190192384677975087808666751924294160 1 66313158483275745117238639169152209990 2712623184680199258551547258422651922 -50107745145777419460794591038065001148464039071099655473969798681364663610765 0 246156234891746857231394380206614696173 15766308816101177581049279394052665498 -110584438202876442134728408013858883535000313716352291814451550495753728033897 0 194734681853947969663733708893427278200 235914068910493873208405205260751665001 -79774053708652854025708748763907215928421410593396074241536292569545435450476 0 128863821184260900697296774817475863371 115479618589216025725728378454952441742 -23508031315566212518864128403908274634864810799989283661833358600592302375961 1 132325220348619946650986428470260852347 3854417264559997869510694754445974765 -20823971995427935063826552140114232037888091073678105814897114037705119523202 0 127394155376441186311437997988873891922 103046409682402113536889651232093632229 -73182944641903295303155905644995826213734337306847047801733317245610613524715 0 403014356495481840184685422811118356811 224919660630779795191585039327871104926 -72045221287328638352240897253368757919326416648008649020315229561126953606170 0 337899591771009162135679905427628044594 278435260031440196024688908975489761558 -812332291316628048340952340400473022992521483473041394576757608106798598072 1 331531565091496889060523919044259900885 43228695951802270352996130113607463311 -19567730435044825448670751060602160804923896981345115101301856046871268806574 0 141906502330830374861460371585176688845 132923110974258078701264632790431079697 -101080006342886361346737325723055238440572260627196247662507490302189786617131 0 132539407129934581417321025757348032589 216959487401066407800336538835180351901 -24123865599802110467042655409550189618843658248996112001914845202417775524348 0 189865666861129551494374349059249162123 83162131453821237050459323144066115810 -71827941954769159652210308976050841072751631227039910009942637085668370882339 0 220389419717923928057622027181560814070 206832997831245332693187053571705646319 -28770685224694581260963039727849646093886116433664077772150238819344893220211 0 98615983618257427345383377527801635312 116490173749735042464543222059531166925 -30207401842194314203445309211398819694200140497569772910711610649030495534638 0 100251959849458698931939809999801516840 114222438470115288217303911470715595027 -69248191784814809788866677436667944751581739584749237492917154802215662473345 0 169321607360098448410370863697165777028 74381968054122326736171878094268386610 -67325655771150374597516422524527502619270872536959707681109162670085113843114 0 57364970871936065724782719231183041969 123382656362353646559422771427618863995 -49548039690222482473180240474416500958858218904408478288911095290955453483717 0 421812494583855167959598606037923500654 199928128743829636596493164259867392533 -65858783301168160253899007651302867559889949037996529761868327252994962399450 0 101500924298805373613068303284569907607 81418848037533937744608233362630317835 -36013442553122965536070217742698873074324702081057769797160661612950489365299 0 384292932919382244413070846448887114444 244732844194896384338159212135987764332 -21150635357872194831609814645564949375597466787295589928883300915834143724387 0 146778414851604234798487799289601640152 152036572567712401714140406419080532474 -50694726682313018116750449534285218763439495179216367302599589226884040543012 0 103212808463689816999762432919899243490 19349761097269183348932402215443525911 -3885502946740578594146851634928202121691482441068105233880496109282768526724 0 278891364690162055915844752818083343983 69502249506180413098403210068492791652 -66839094055757810884617354634651045613648704755658550945269724750447651717392 0 217197338299891170197719394303939567005 168519445080408348336437930003471726420 -70324618174496674883486544204162121922292782343118780082412865308770395521569 0 392874224827544512634107941106913624159 209291763848185010497843091333736197246 -7682667475215288328135519199861733003023336944236567754210403407260343290448 0 167070412432683110502165231066760969871 290231998536255587679273978731821299397 -59570320365661280552623915315153332726697124036042554399743053319696267720670 0 340326302213525173232353939968296375260 76019911137205949615781499183448485936 -28553968454404261510457401253392467350803319486569476808331501838005386037137 0 252464753317732720443895126836915521838 66370851270462261518441180355656216768 -80849619059445685825156692253322680143369763137123456925694957986577007968135 0 314081460590161579105665992153925663364 80738461991961132803197747402065181790 -90980158894075014113713456366920450776994648894808696574685437143543587137964 0 289118344657137430025336637491307586992 205950018601780352097696871152964674117 -14090391523715668949892048672255815746608656739854809332947242429053269196222 0 155408419193065367540214760802284805509 281708199235176651895437353982366779090 -18310529492412753761493068890642875711390046571029534937312325290576218321776 0 377040710385925897694056777776585125064 211029757801728780943807376298605535931 -94621245962774778216112400569396944255616712906511712028168149228862291454935 0 403775467043132924657769302109994641092 47379298771035040598601847274791343678 -23461157919588375821594566632580563601067398909149047120299230704437410950758 0 104832909359430315038188475177652230467 161186546628694091798450293080404569918 -27639333372781366387449421149642391641843911239185371157945368224339376212394 0 386717594309322920546756136596675346706 209383848702493283829120188508839990304 -88318527389036219560015512236930484119862805721953617977158723060273805520885 0 424721550799428185208235295001567692938 40812002072394156647825080334717686968 -102674520119721936614177238794461376842631939627315701334170541368366569778638 0 469900639208936817647851466746216554210 285056330443631620221595654745660742321 -58250328356461824615410744207340887353249213194441100488664508850778166606026 0 254645317026876918910561943311780969159 42796882837266473430649511398978468895 -86471203138744821122393895485731179098242854384647379292131403460503327248545 0 391127254517068983551496891376033599366 96002290414248464193523405440430066383 -112638179992518841626506191670073459854843307489207890679077229959841902442681 0 96172138002126714484828768554138604461 92812797359549556867153387010126382874 -21939325582071430014625527251713394098345950378060920051914107027662807371717 0 366210047293069963394107128921062547042 205713673187365310452072249759066404120 -74508119341225157200407933179224272321441783660508219067617424275805019707779 0 225114927365015153502587241872907162633 151589293108058335033772682556408697069 -15348310375170218689970383155596583504935808203691298400674305456870261749939 0 174543572810967823929852108668556465651 183563935171926623066651388618495272443 -11279277196179967704824595265123996397248345871677295378998120428344896448617 0 367806030756726113034134931774701191646 152018874866310372562758460823782718519 -16941536347697385954279434224237978905694184976110732138805059136769667134292 0 74263431761143796329446534023379253120 36982977370447855780803989672069227078 -100154593848286086250815406099342773491003942614168461251293789050494026188527 0 97114829259531324402024901200037892111 196159059816485162753853922690537642019 -107477265976015581961602104167687766720321875813032283246213630102111083735279 0 209848022571575679113227047278984230845 73234640703422497548011109234459002614 -12973196860047661071796553904887029960800349265978379823059273671067240718242 0 232641047928970686657398351750080389906 162676545294383019982782446596046995713 -97650312072463682355284221039603200148053254762403262843541152626917973072752 0 429396041144419417005758309839405336183 278712248116847115703401743980893769909 -77711858475028801212999646978547648651721096534666077392856609512752036499706 0 386037315565330426599158286795431640507 240913052819049208111721336639375786307 -53451679758225551206564479385403055490646259444233783559000067077365730759346 0 87970507171364682856394310509890277403 141118870847496248239690585809547715950 -28701400514183884533908442807053270288370329831951364792245399544567551612280 0 338074587408805776702852279218519029890 106426913017728453856103422997877968238 -55319823865976025463155988336541561838224751371757302813494608978298010813029 0 422817719177274664261953540309339750087 212745774052331416640794776788705155066 -73643678869349854879469332195289435944370345519143664200847243277687954808898 0 114392301660398310504820358560630531571 31224568780210599707834629691877662979 -100167644269637618397479251097692111717594412420096304874659765396922133824112 0 385645339468412935612173493466310323948 14160460012640216219442496569391006180 -21974717529865382130440561538673625926884657445805314993011011741592370245140 0 306448263481668048703713743542754836482 159125096870149421323040189461534562828 -7410028173011832003865863544984776897445953187568708583738230634578160696254 0 263845010734416239182377788100569726898 152099643831574833871967540155008605336 -3640274783374585632282756593129957910885579782832994205929593722538690562434 1 350308207530513784258876847090894628792 36797830043518769747890859525201279523 -98631858405027183977032534221315952691924397146404152845426101309992758387245 0 313638743362907184955936907526968650062 282427597529406337143245081284783270648 -51933338488937027580310148576133792193662951275388064159057709815978179354855 0 91185968703014400544186992905908912907 149988151821817171562384776198058983526 -8581832570657185220567156699696042488630947552978981183413532429710567428367 0 84214329170815414745640569172903364628 291089197525675055940546776087203546740 -11424823446268602560146214960926420825682298247903554634974856478595497419687 0 321492236083476939652082904662881887321 109064773252684787947824411590783652261 -99109924018248998416132362194931586306976767551384145955578408535688830443990 0 125172622949407418038833650860790681131 108837116444043262349584408069971645758 -110730767445750159515974727696147210130041629759758173848629088699648911963266 0 331211266562451646803987321909167430353 119554374002282703275428098784580248921 -74916931393802791940145875920520869826147941009600977643574132830746795747455 0 225394560414171963228326868297517711325 48585353911581721903284716816058558705 -12355006545423041620147136104074979782728735051691020222917477202748281361214 0 173267149133011072994865539695998803314 252685887384249589187696545406927106754 -25765138965348049705241388282475967758815664990574485951800838895434940588463 0 133975526067569218892439994225431860158 246861746951492107448306022703033616475 -12051341169856696102846028899433165588932739919311175440041568035646389953821 0 125724950374770419599254114966779165786 69852789110431623082299116619704767193 -101983355393737812749600438366309075831006439063790405434819944174067219127429 0 317184272209169691288003908786459557118 305145352000096632534349758009188869716 -87563203867741542724188001963023387274145142676314615563597610417835100205362 0 303750273412939672418349263114400551488 124104591661188764086021432815671952694 -29617492587427611217912148339766542383664280398379389808902958642701407017915 0 290565056532287106071890679074927915165 228846512174229169734869361402164523948 -37759669087027552453265301300196764771397260752205682788243173111823945873726 0 405199957706485135297606183075778178644 89094478538767697125429585922642047094 -103012564424087750444360849716532844735645411403789984485411207163427479024408 0 269129397613334079515932388723783228269 280051290846259761672659834989175319402 -75729303840399213446566650932875641977173714266512048226624894760677697634559 0 216463109481840006028771171581054511573 163984580682789089213861554067365433930 -25729810370315808584163165956870170061181211477839954187588770219046655371334 0 269276699528853231612170681392402880579 105350051471187917098339624472648028360 -99869723536778280047928394876914306643976363620116612374939510781160458953711 0 245097521678993754629135694536772718492 46199393882119520220689909475120689319 -84999849378403636835375686448281502317226991024052947991096876627515027629174 0 420977442673151095152008676996322188356 44375308823416959584766312649380215006 -88542230579858391200602806920605674067659027744260182089433356399174776842210 0 211285898328948772420404877379590305476 122557482670625008933414917125167410190 -19623641759243111734107831580250608959874238452190557810178371389585878408146 0 376867807414104903590319288002215204568 103088495313807848579981308454610166016 -90246264558603552062452615009299931915869008454340643469546620600793149063998 0 174528479843671289890982020490136787409 258844087118740671100135493373344644495 -34348419612938131099955974927853167375527338608416744110189930666519458569415 0 173965197434060171610333916562950000289 23771263213724920846516829514863928786 -3774193998088866880354620445642700145690911386511174898256690390407372116201 0 227795238194769162411492306624755079899 217154769492734248282589894355098832562 -83982075444891366433148451703690606865902622171147627973205413259248982728466 0 237324726908475737289266383990812625831 120104454591125559048996914949726818492 -66633208600057588235988682012712117420379412847155991080031395530406505349412 0 418616943617570304233495436476273189189 77614298656098609091634881970662819842 -97816835545896964843769127729141113968196779050216256957269301543170305140054 0 220170928629916562425166677115398274379 49423799545919666132137649009868060869 -50324056339579956860064965973472062287140400301458816053231629769408565412587 0 178004029570495904952627700328374277967 163411512573079409675911175826379271302 -114251264981945499314760280635795571848604780226536275794122963186504421931242 0 116847214116641631830318428729309589239 72353229886217356925001752068119260696 -4095922377655047322923663981179139457079537583233254016288439821179851274287 0 380910631455772280928347565620796327736 37948295202464634248706623690912295367 -52913529319658156212455985231686108542374370515800359595001084836696723079452 0 396342796193044356557266347739308131600 188602564617353519168192750300425253484 -17381811203058040619882996938159967940081365598949888475389061188591548137006 0 188932500933712247324503084771799566177 286690364026086261685406687627757563118 -93378024370454409285231146795641299293517725936001171330227313903097647606398 0 299562667832020754314963301664129724920 50408158120505731713597494991330998732 -38007595007682666689525991579815379739539349346364972463036834239255259976533 0 281025844037831930275357092822684257096 198895943655760203211976190648780128872 -5053799255699206297832452485921015363145081341123123403733250901554014400577 0 68421271335227423586897696433564986736 162255062998868383734993095558901452281 -75230689796265460558971523488104678014477622312500973341383177271681595457038 0 231153168679703280750251567464285084582 56322408738148612918529934812074200734 -16815340598448119589339532619214151667763217473384669452134025537791325365259 0 363125862020223974414319780044666396102 13000098040228386042814465585395638489 -102777176970931823204637605367239319925106475814325712039222026980910362071240 0 301412552625562582608651108064284297709 16259837467017794851653040157821965187 -113790292218158940072521078818959505816307163403286210665549496747071266579272 0 483508823459991514129308418789433905214 270850167542260016183306058458723277432 -102136359029077474825332399989421466625797875195442901888337833456385017194002 0 346195789316221694890288744832778330012 116751393338105282955134540338007916312 -67047331509698126590525352680305524003427577493957129352562944971081491842741 0 368105589072862457456365237001052516451 171250574248463614028387615569841490416 -88429015436031619019213009735437497395022675485561547302779650693851291323041 0 309213841236429212680420294120622960520 260048918826113599090387946663594218929 -27668120726240872019461813749957142471290617428493995216848556366637398758794 0 381183880398969056966663160136818933947 88376279795598207069979804812256660797 -4913641083226758890110947362152277823311660317205251684510591481262570952691 0 93522183110886676105561442639169363240 127990896795284814098748862686808901938 -8590853446468246394799643233311083495120708025086620403067513641904753469986 0 248980276743154940943174180960563176633 44080734943633126644864923938110232187 -98339664907965757549966452418160061140835855198201780679140899771850367128442 0 306183943066818652740654771773317152113 245906751015124382190738243360220106103 -33802208049952414598384232466670330503585698463021251135042119861097720022508 1 248307724168330786575526325172380961875 7638294125592454005017054746267126314 -55980323797395458656117971086868466460924340219510613027682873343577752177316 0 400359084552986301362273798493476862739 196530643687699985445700286922814828589 -57584542752766370122664595314996462222116062699417771013751590678583154586904 0 113994672264300891393315969712801547464 285561955949326022084065261319858565243 -114940051637288169180252737538057335339019746827214305685395095946737417231253 0 107305077542510781188751802551428412307 228314796617634959108420131382968261342 -111061301274179009460899852987390138085154032332807248097976874314421872039340 0 278664611092730228928864151408456037462 176343572654805702915459950209922402633 -62006033034297128480598264631423193903994984908308549203430774140663101514016 0 103419658389300283636379767482347468843 45943120464535087985779988172948104859 -11886726869362588406116498294665776430125443004545795604874908974966213175657 0 17788417310393617970565461101673058730 26579389295765997098038219224914752502 -39837909584117468994515082648996640296647698127144907419331582922284576857746 0 139948228632881329197790879083965868589 198962128283993906552682677112419158641 -110406229312233517187558312453560306813003539812252125026529742496668577355427 0 316013578051280022028732268621317113588 184669349506200843340058030671544135216 -92833014802295844690550408463260646371050330408510384694494977281886249323717 0 383443348457631681090609066087458586661 231593935974356515782021543144093196749 -90053170674203264199572594146349966928165257823169947665692707560356155250384 0 319707212644984513470107741136000455858 103144815245296808748457957960340718505 -37544302656645254650508135723079209596088112041484922814444267507096360721013 0 221664348967721174775960077274864234604 164553322674704800124137421169946981356 -40642688734474511208782378308471518520368606251005956884161330242110707170826 0 94082818187993022774058748075208786072 118256748155556232861506157493067214629 -15452994110037531339315787070441234012989023168538166002159233948710666912540 0 82682887634209238749059184281663960689 138446352759502137269675980257708548683 -61856678683918642262025578909738931707831021412334987580784609062080608920581 0 164772436346250304848832239977427438449 242313549875024224762139976621387061061 -17216366248238458454263606986259240890138499781670747664893415843870501957545 0 358361750634471079057784199341728445093 76529154342801107919495961369326405016 -970317079322200308104074699165705762777859179902050358532802551479715798945 1 265913809638255052869781448042759865596 14742383331434773952437548135600351695 -50615648027079633481817887811628975486578364133810763817478265696233331729875 0 239354881642705224265797915556884784540 195522123870549595746606384599767116001 -110696864900836160600533298128663064914650020130146848376102216132963976706794 0 222447030879414082177876650264071077323 190360186601393209517794342171228913918 -22341068297026024733249858687511911788450364332930721487846116185162309671401 0 178106611997434343078059156461514865172 151983502986376854980382950891427927254 -71045901644051380085784705507546409244661099108301208480217835532784768538049 0 410263837956719177357349744303919834852 163247684960647842711104129020296466344 -48683529946796413492959528919396333137505315339197874640269451885809210688556 0 184361604728401684031902959749218267003 304973206003594242459543357158117175210 -80888476553098450830522306745466805565784722357713834303223141197387723579881 0 78239857790838434441155131552686533268 128959132599881975238415151866358260384 -51851379734185017708754726992782810046464532024605454823628730113239772107200 0 76096521444951134494721982873837785911 171597182063103180344505146613904228390 -85681048438320998870625922658543384771606360832350484447431119365383659958383 0 220904828369012993466642414644432897152 19918107937484570282382287984892615142 -104425422497966673919060052484984244517344118900365389243765745283143182376190 0 388624472848898764724196715816565420240 146270020407810333121916409757229888657 -102616663267874457510631597630552755801055557302492990123067061311536466518381 0 243011260509222169934549268637126151043 171255529548195422707562024191945954163 -58570354407008440266823022781483917089010296771524936422348583476682869362393 0 148275060338393325646678855605158726735 279881770779749404488646783495054748522 -110188627086589139227024152804268341017916359760088325873092453486128121889657 0 417213708392565822126297532762876418678 137714842836520489740396208977213698332 -29701466179580565761862787588596357995974028996536663213148023528345816634832 0 369799770229771358858241804911386340037 88377182243265131732503796921604471108 -85829746163406514813602125757983123658749418935998739825889203157855968750286 0 213054444313211401989251561926703035458 136553374597693332037939923500610101245 -19116592590274040629048276053176779333345837105436986782889360144583539944829 0 177939323297073798350771206627022600503 104258270569147093832605971003612831080 -16088592043410392527398596241470511260866513716225160774691697301654582177689 0 62773438551394797186381509244296160302 136242309192578689055653255563127968838 -81087488329367567297149304907061109495632159497324613244315165192312985471300 0 261585593678970802095048069504958206150 18344781372753877599678129983348053125 -44370875350115935921709053008503374975727997269061799563237732569661276189966 0 87696417151694094103647630912019352561 87610379788192352056370559038116729703 -30545518247445277676175409409466459640486529813960467683153183465697451146324 0 136550045878787259175929273761207365300 26489438258397791726350254738149844003 -84692873782749862909843896057551917651791150937670311782287253806695267577867 0 201303658799104594455447348409071538149 114553852795752087477155206580858944562 -78160438773034816104485757517341876464053480423699420551043545158946125647330 0 212762386090142532991222549998244618231 187402156741302036129653199627411614152 -92237013736085486534630388279779220448414268075851652655646601178457372048645 0 138761954534192288130959026880638025383 171696113422438085980887336412414789822 -32543567835183441375187578988155628114602050011293910320195077358776847127267 0 431451549531244926796923188849532859327 255368553379199224326871679382941377135 -7870110480014336914827330123310162007173412779618252060238824664020396808395 0 291103478523168637636340156857349121623 211496450359683802865504135751410545567 -19879146747956185044853462900505427565887698594524838280949876276345237062325 1 212423488542144528396280658312022064999 1913517102279168215888102254788136153 -35072791174821106010960597663258919310680424763514823423893332156095092153430 0 140733176965746301645316634783103035048 276435374692207652816789316657969201900 -3636799662228051987357709819964885719876577205569415424767607443658441937520 0 45372634913228575794149989981778785304 21349480024399857003194671048173675127 -83617231155762008101002683358750292586392071144691787225901404111162623834235 0 170605285239278013377291962482936592342 51989206135489279821622090854218266222 -51352634709079615615519041938315860124487239443978690429072499647367819662378 0 281177528222539675176479822700137977301 178482411775103591423708940682757919147 -27188155743178101341475108977885509460827178452176989536393808829064720341786 1 377239208772149471013532978594169891107 22245027447522982665916094325882727434 -67374275679475821161224159185882922754218647224422117292048603699639279639881 0 293340639144579123838308385781473375013 138953890250240415163113679675065453886 -68610398976535205506660486339389582954363887044949067061741147260059983082774 0 412590969977799154655769019135015900396 225486476084191112002772813301303329344 -112102899606794978086928911534171013658628475474517685480241595632177744452281 0 251516712374755576836748153513995484312 205185246530018618506317286572432875796 -32343399207302182072247801289507640581166381323478563301133722745447271498091 0 168934919088611730410053958049624850408 189803626426678839401715906303317380612 -19619107322433222037003861376151409274788861223610661572418013570637755161464 0 363856613654290124422436537684887928591 78371701067939654748498346270974058971 -86210053712008681551840771974850181959283054749982916851811999731401463945066 0 287916280158321046501430427643403221365 126103119625227149700674121467174269933 -46082272645640685591794229729747308008510051678100121060098144805546977816195 0 326153801202885954978173961040935414527 195472358632339191553744511472278095781 -81628534913168814015222166933710740305886103857541053559673494140318102103128 0 376191036117642974761668478388969093170 119536095802056888340390954484525407565 -27648369390782481158660209612073732361572108340499175703283702250558399529449 0 293268741703162359828863701617715216830 50931819782712106764488245401373041981 -93657477748199222906213478703691728882893558859067753481897128184938925624844 0 402705512633992001720041320634727245691 165956193131012618838026778562539429279 -6525929643034117291034989337319482155151543350596334371075318091431458859362 0 277883373797686485338383048422818897708 126926459121607879599359383315954144833 -49990272916766332351621491194787485284891401467190167288081471929308847831174 0 374946734269150587480584221130149924936 165903213025793986170041929377420761698 -42159303116311726795345082901677733191678536062270140159445797701057274789282 0 428855176222482198384658915061039996179 170891238149990582885875883264324508421 -65618552636831661785872516242835617184370774177084104095809031062249527355675 0 171277069033299808037840321887702728005 280907617202719344632982502271229026549 -65291543430153768133864589916740008581237512001522762705135573907675918499617 0 356990419053478704414167599946630127491 237344686643890724212453374779826380675 -10010112367304986085473813054361650414090959558171834464030003164002515562104 0 151016554771586988481156132370910101543 256434714753692528097590844241598835520 -87402447737038005617716073919006505225367860323340151901337980272527485338657 0 374388464457083639345511210447081202268 37163617808277663784429364509541037462 -61254818088142240050558028088177611620669505214424764791924749741408787493841 0 245267320057483780180585351468167271324 215946789431143233312534243420847102176 -46608346812889398678537840647776506147949577420901277002253883589153480092386 0 409391177257865745337129140139395808842 129978308137680797552297552236963233150 -40529947393410893117225192819147583904449369477975450328632789009267563629341 0 143446476255270625569913647655315049047 211224915135649297760941317919552216723 -65577693561217952404953086161646651928460203697645556541840666215133855382198 0 293935903776005798883892679042272269834 203194341818629539980973091822224544007 -39816499629620479981308743349435818196736057294584616727492790110768973675752 0 352868208599887261855071677770806759176 88007412258199062242068727712841756279 -52497759989726918235828589914315545739381017440070757523339519532490775026470 0 120340354670950578273928442872213264958 42912402037538348895541031135951825942 -80160415097579566941346293825004970498416004153106840457711030545400727284035 0 232897147197410743530259491499312007548 159258091495630515806492505610705287896 -74591724894183426040713911199302011081088242858299464795687402403418812985013 0 187607606238303807859391651886224536820 22759524811240025832210647274343167783 -60634046001346032486285104458410155199148893551027455047155385995751198188833 0 346634028981719696464471762055213638178 84688380410581614070547910835194261736 -64416141553608911215182367027237180989871307823616842722183731497583921669386 0 128770923846100167923750095099503751179 258096627147624253600078140951681137203 -53701408549982703334348453822524579497586282870022009155882208170354518051429 0 94026096934499371479624973831012281239 318972871837885246242771493857138350779 -62266760348614871928053785552665560978798630189695377842457806462568904579388 0 108171909667698530756495447109516442055 70068600468697070234238502625161461127 -75570489346674803744824490198814758730155214257328179272174544411718074754486 0 194125421664951853292706760398041852070 160531198899739490332457604714501392277 -73539256582497473279864919859300082086959455173903079688797062452710488701045 0 197619681309554385960898777091350944826 113437966557044699849711500573507990584 -54835617485483570156824425407357656987319850397750755313930841650535183423376 0 193411487353150122851222366750490050473 146288370511850951237586856461292376486 -50316396146902912806455391608804944829356468492162643499444559825450469703422 0 441705537532349615470412593889353986498 201668713479140546876571608393552731667 -32508867278808409984319331457578725109182605765119274840200687284774578177381 0 215518228331853763115869048072899342362 239188113165339563950926165346561213294 -43816750570703907399988912062428196845932304412145214822714547618359529288411 0 442695212073531973821612497619395677933 209313606208772748141158749901549148121 -16107041463552930527083848118957090323931663149850881963849525010097745183091 0 104509116825839514008676761728554226998 37881262892700920059620528162639922941 -99883899501559850098685012455455033473213413114892111555219378485842071963767 0 420097551060185795912774052184514796024 248073526751475526887029386817118370050 -47866013519694521824950737982738200827332907343329386708153744895621299699112 0 91562682939504840438832432994816163064 198308108586594292769146484494509799697 -67252020601087137502700374223562250533943411727966346615591114686471270864872 0 345812246595120190169267251526649345235 19874870098287992771281523486071036762 -106102439876993475446033113865665086757661326454375115939052798009109259239705 0 302647554152950449637036505998389166349 146937675842288100045473672769479987523 -82604900490103051825176809378288626785350209370261084519886656021651310139567 0 119538227321891366386640139183339130613 161164175747157404069223094127035591066 -35059513782705869436487299084142452308098577670317862281528109843125588272697 0 344789700412841914224609735076293612297 34039391971731815963589939221884923297 -1532162964761207298493232097019726688300545292157004952147128643075092344277 0 102403204329319711965570717991225841274 115449871703149483724995841405367720520 -112901583233770290354935763246364939238659434357381238688197967722299425687599 0 292600433889017057931577545225260446897 200117943154986541640536981980394286431 -60074307812406739264973895109610475833338858366081189846659987007850489828141 0 104131523166357428660562848765671859976 43540308453253937000928265743732281912 -89051900200463115261567779245944070691196061184705599468214701432813016409539 0 417227661650759091450248142203777430708 108082704480082673342232333418809853380 -20547109510500121319098763136248883092267057909889855091215904233971812996603 0 232267672946499079279188377447371807311 23765277551502455299324384936539514213 -14594440503033367518707342646662924990035372611611749321026468188310998585547 0 249804227655770791931708451399696795761 184196661892054029987566184282322338833 -52466982668641938958207299098652403490029429633110026639024675295772445398002 0 407253389764968377574121281617540477125 250315620450113045056813156730841669940 -41668109937418530633760439529536653031965686412374614718908102909468490652050 0 176994268352802357655180912771844200834 234717576122359361449081941634127371943 -97948290061134181054960977828286444308120149591678834601293270046911898368065 0 194572859056595966820856104541103236839 98884203102255456244012958048416472896 -988686837846819224261620281339359468606887235561022312693486658190920245999 0 315743806425751456324439118453490560151 141259661648775445596937935769240490626 -12441503558170542276688535999723120435885658333397361267253942073706630839113 1 382336387513322030095707529611028589580 12281898100654059670465284537305963860 -94478470948344197365436080629460578316589964553070240180227735296233895011595 0 391130729792048802827870618736666617935 212840505023369592315299456515647710515 -49905912202605306998104647335914997900695713471578912544599327035652113342110 0 359972162351284088317931313665030720151 87965839670828797614380295841849108268 -61115267680117314297621770979624980775693264599292240148745734786798164280734 0 60030230495184011496205680007539223538 110960206930007615014187826950666426042 -79689488211389205551110887886314868356698614515118487664845716160111266114674 0 64721976899157021039149110158707008964 49643426831553217548556228059344586342 -110061893058307727424811964244705915331673130626496360738537133083759191718776 0 447593647063360822921670549433347172362 194989323677707644412491767398447636989 -109105273288760976286017284896529742376192825069882027251163541609878365140550 0 237077488457283916401115390882926322749 49437212660409697625787570690762317829 -106555527050667451037014509760960379272674969770752257057730810189248263887241 0 176625882997152335561882563727741143095 272187955283769467159655739569397073090 -29777473512160770468439590378242408545763159980426600785800541320032876564475 0 129662269173894839471373906593073825155 170710890659541699558198376172411671282 -7765376197227882802520905391694187862814094611394079210209589423192575311987 1 177402154934067546431620736692584833663 20185375803432370647665594714952789745 -44773069266242470981015692241236094202947894822527569449772604329682689336376 0 85391370035719927758312958769343750533 75673248097541893709593318875502349885 -72581543171469187650461984698033121499244572145578332080300231705957160849225 0 246179923045001011906566975901586246435 96626268377826505356999747031272398966 -94243076669252379163237103476094437627782009326877734019682139654128196327634 0 253401522599758410559467593334355409083 127299597946823896676028364491932503648 -16668294379240429959032294798977200647806249846074219403846034693805295714154 0 62456958940095654626581212328245602472 28596899590868678321091612471432264970 -103126752106242195199020000559165856424561733672057204865923127962069007486172 0 260981515574682867643391505969164763635 243006967824179347252632830780138869679 -106490124936750463164819685139671838440325560344030953131039263857021488217782 0 283761788871889434155286186983579003876 190698160486897034616728600049426595772 -10498135352132582786611801883273998067865274112115023368818813091832019986270 0 348524947962863364981370024319447642945 73288730709116263788571369485283332707 -39099319033777932088076131662757777746017133938635905245824520712637043616476 0 374593955892191706158881479505168106011 178582083282329638071070459583590605247 -80681029975796264065049743467903933633596328136790459796921220008680265949239 0 187486862440379639562901190065244217726 193327244359023990154006514788761269078 -114853851157818242093405428079587790951982761259070221300707133110628609162213 0 277457561861173715876968136051567352896 73104208098886130002508136533591177927 -11822184929442915408866255675998102986785069041487181471013501454863660776156 0 355049673587080330272116392915164008273 134377115638177903502066592541008882109 -39350140911073416337161583799045280357220426933288949579462122345991953456564 0 67100400439514393651792348888210926398 225931692712456111409360088888791890418 -94909673324756914361122416786697317158104553465119957913988115314160855671104 0 175458549739071978836498768372483234124 219900386149227454356047629792132150126 -81971061996093304865842378893625235212733678672851012650304665548469653355548 0 137081861416212358196953335985664199640 86263670574762664194122088966404909490 -3126572534395041627723576569825324273045794491923896695001497824936230437081 1 353910429294342922323394791393916044058 51454963170751671132097515840610630711 -72081207952783977077221023602806918406040186481121226596239547904710113416599 0 378903725944370134270550881374919286778 262445336640169671183919534551913154785 -93440292291178608179493262251559787571748719669179293506316391511109757736021 0 313561311967250896411354135457116551983 215033438903580834325163312749551876279 -111318362681674673153593481653134769531394082726090136355455525289146362552527 0 239698118127048476630297078125304117146 290075225998841813123425883210204158049 -16101888204943696638584672263586138834668198024549028230186841297885510985266 0 300668748362363178322606756706072791290 222892946606737902794349829725297423025 -80832596609752631521065593139374817100068380247408429404638791708528074700000 0 133506040778754135664736148383531994386 138242257205167372709323875041821213854 -98679094494153869811309794868401782182972931624747393101416830377625811507845 0 289088060552003132310563343220419883135 133012234916457582305340261211007513675 -50169262301390073953478011712142996128144453611896800768965242858432265625574 0 312371011149408777010231948994387542305 189162361493724151470119304062233849265 -94514454519325969469564705441293574760697113883216131791847352094020209640390 0 100519364146184107351779567909955124446 66357615459118287576006691091004172330 -67531951008340822553702463552424012381837846693916870606799078562697707788342 0 188572998261223564794949073375980422548 191121784770908979674537277774936620626 -13575902607946535970544257563204027075197215458782827754451934106044151580429 0 161457055015425775790307722099862778898 173981097243323772801076881865920205962 -29876094332527750519765177741580421602246098955819943600143019311581728880558 0 279589863013479225481481082016037256641 84905300259414745399852597324901796692 -84277802069989432692030613003515748983914073244645030694906803918065792777667 0 109180722392579432341766236761439575925 40366363780847943086742894191531238948 -39866361440412998359187589600229227640136087692519447439859013360860914964540 0 131919559772432446693586894345995207238 277829303199534515573150722173492823859 -64292620359806772458115923014780068902630750027207137974266666023757008050729 0 349496868167737461342961655656965407480 202859024444354712610923970561240646902 -30187838780028003157091695656870021824722380734740512761671923888483131473920 0 207301943557104800130695406699357800561 99136993766428598251252972280263030227 -2070595462734792723160604318127633817383993793929011395313372672504638879844 0 356596299588891828893554517103238438200 19265730252754533054786922587025143045 -49407227241188195171302179156824725361365001129610779099593108768995260333396 0 449709501359412277075892548259802066402 220655333901309183113715412512615639388 -11166525943377157506679219795292333162626473965133941849553231030023266786671 0 82103486178236231870502803952854557361 106016334807599699379085588312463128805 -85298305074545468727241233978926932453255528071274145193023442649433627675692 0 170251098930900220364950139061595431321 263039774453348105560647259251009340359 -75901225957608420489523679498906123416939874941722927932584140148568754853359 0 367775846664407067708409350808304983963 228250975488890622436769909679966897148 -19701411891869799528408919978261798635440380425317134317618775431253599221526 1 312606752680597586275388611948674601182 39034286976800766761195482309044592589 -54375510044233786964970524494381276583023144915774702848872137160199977916188 0 127193521201046990742860224113611374899 18306377472368142874631660065400841101 -58000612156893808155655089975929426146946496418925077926195850497504311723155 0 314825157710548743020563704844014702569 55300762332076609571236856030428700240 -19999324404036989468923312117690860525922773709242396535894614417483125743932 1 238080734463373089553738240239740555412 28461305981634003461640932991669784831 -51516159853838479277067167427588382532186087722784325313078513146797570167553 0 314801344839641919185533592980199020890 212256328608465067850361423357984506102 -57183546068135758522012103251726895336173043505336182078335754000574575467231 0 162338299609484508696078948647900992181 206425845635638305154233093391010893385 -91443461352497755829798526852930736786191070176623519271687784916250805908159 0 230687591401916901223664551300264299180 60701841790460552668876096333436364428 -98120812083107266861581780940611277011249508069711243562061659660398530190903 0 449591422077285883171898483927613790767 248822671127277985581056053156997756793 -46012966042078752026391723620185637105419040632809142369847686600235823397654 0 99096720962092064622788412010547144382 240696141361157163312134006658045356916 -4222562747910054060891600910701700304169888983205830397053718026879320387640 0 144205960184849623630726732768689376787 26377786274362308865113169266944794765 -52720494189195359225604397967278093197221165273317911810037857788532899999459 0 210291573378819564039776501532254596118 174702705543935354635553864804652879984 -24021465484619219469678455112207606958109855212752630071888061124387477204515 0 98460158805609870122050694819667353934 13574921525761739694695810678378447418 -34307676923414811002200539438128678525379935384479512610245626584334679463975 1 185308023325696852730728554153031309694 1097056076947150902881711890635323475 -21175871374237291017842274799621644603797203428126330560083532496389533173941 0 207286853357863593014167266982684077047 40813869432361353376869785000884491702 -13459999585086340722657553918862545350225088269519454710585749849446548112889 0 149481442423534024789167589213312537108 66681978331625266648147229429592498750 -98006113938452729535359575092554869922787397602358529268929184262546183624873 0 428728444736865355769913943318622712748 148869492186806888273857387326783739433 -47528856072620219702069253811123800357801560632194545884263935004681251059631 0 119059597212521599625270418332028284211 163490004413422121013315496207426856856 -108714832896683290701609486530127858117520560276032414412282906129601499260332 0 451202222790195604680462837648570550516 270019053322804025439233973189684469973 -79462372809786893134273677916525688295792480453177997771808619854363171627253 0 192825310727752590823678760216586954563 63350538063051437603473680107335954453 -28192999054305076467060702457324030093010792036314592040866192932190459196216 0 174228590609283584775657670521400143261 138000768655897741221773630208065568151 -91148189861059806132514650560332522791401895244020435536928627840903656937255 0 155752212091079617148563724251384126852 85348766128541144920846420369007111139 -12952106583287842368088550034659761329359593779840943855816132539265305886623 0 52536536308798930313091704379814117051 121598312728571729946784972555390974669 -99599125650825923596058736747218920211058505183409773137233044023071897859270 0 190313580021192799260391189679424971907 137034301677381599341398154549693060119 -54213229483704198151221891885659693044685337658120053270444531237650234430432 0 191318554188893564781121079315763145114 181165081772371883135514505208599382288 -85675065415901899768267092934296204355876954120595491766981138243471370348810 0 196781905567813754770820417205785797897 187098099964525599902673675272821246683 -76935086666426761610199020369573278156412200077183669197796529926717549110209 0 174246838661143436064831585954260685255 216025882377919386571502567055820910298 -79531192454898790432991137468573372293099138037367951337084588400061869105492 0 188782984432849478324835924003638873162 78588919249834990924984026356461909286 -50165926718913292752528289062030273738603589968406797862496165868833566166557 0 352276556899844231488934431422026112096 44838358788766100404412448305910336569 -44882526218729411513131816976423490169506273360215353662623940745174242840594 0 231842397262664816309278502166248904948 270523336660463114343833348639404077850 -100035679597028236835707127478011314041864663837121686780753683420775109272388 0 393143455892708549401065206656491483858 276696655690566981551543738710185621777 -73959966612699029235394391078193100198062525620332109277514833768045045403486 0 273803617198046646958274699952404518165 210795411962966529556902221887629735639 -5238422081436175454438877826765359851430630374181928241682138451417494184598 0 122007510245196893390537159914315585666 22169762500703093314030692642228642637 -56530256724553507843215897797247227752655268500451299030028972298199931818956 0 185623717303514651391293258893005592732 169095748555346172245088611687498952223 -71670697989874334693670094360099860029936995621036928038251317307253173319739 0 104342388520531920277874300055004145973 152360404138564318491549215758686490726 -111155921163392480431197276120439379314527815471416783992551184578062017104258 0 314503124305375588296930165064199968761 179387056406010468451139212587391650869 -20941777879531103392060212235088460061125893789140820773135800999238499575283 0 144716578139176287037699304717876197004 210637621097578522478180062399196354135 -113163045195117652826752847094645502621628399310186372304803466230439623583587 0 159017347359273297768280048280284134115 228826588028074272686972481059266022438 -27073207894178456242023452703942997494047716271596560348839169008235460338032 0 52211736874969123235775604143752822061 146421510972146283555572366217063160662 -20628184188586586924974657831112379702692250475394562228318756141314108736594 0 398342927139347972519056339728301869134 45024864261689159362396025373412172277 -4233850411253284637340378062795718277073970922159339283261453619912304012224 0 68487243553654198785781765602885102605 97901104338378330807848145700156942107 -54579321478108303102239379314743438295118356646494580865151945278726682736466 0 101359437549318377077251417908574134525 269041120051888261835920401402570213671 -42760672319971083360312308921249219099760780525278312880150241715918255569583 0 260131687385158692510775732612549929782 132280593386475439203869116786625944271 -30666221860142161716919402524724047716102151127690742502559963778309431674587 0 101739542058854388973465286505617531911 306446411723193461369695946212657335804 -2306250407875774185496590601413689851973021057384672688225239929829946030139 0 225598275572220839394555901254149777482 109088788933544115160054694054838214497 -67959249690605520921762484362717153209628568738287602088050070912944188281262 0 268376933758506314673037169295618724006 253681280627923142613472739033629427231 -50685433406780069268509238523925898092578703377310130493665095445219214935331 0 412425996186734700536065050137165278795 259909153275143442213010998482606665916 -57628064551068461196126043803225931714167369589748561338468425789484678170169 0 237403719360418672241294965986528146811 189451304114328954021292681437217612278 -97628785638714191736841792687673441096436035905124032228399202245170925583531 0 123244278848877628321313568863032993880 169315482298053447347078754904929763561 -108739969970833462514225898908657858031190116347433816706073475570201270198749 0 313962871644069216794780145794689373932 111541183731885563273695772009039161570 -90124302614594258183904851529059472999720774189085430509426488764372063937433 0 345532195400054055848060639544900607923 174348624289410666060615618816125997485 -62548566734740955657426827017094425891918419763478857243303770743060017976872 0 51531779281034126650468629897880780259 46520395855116137868110371618743279103 -56804102339298976947225605198162021041914664320931477721735791062926383819727 0 53769135077508761110025027722988928768 114899103846736908085945156872710400047 -36344677466237804180332731813427081591548461874377325715629636029542643635600 0 78675129315223385559982447423586728659 149996002188809691333900403511611808669 -74192427450011839922065136869810514995455297294473009922802398357772484357116 0 231075558226846948790838356728789803218 247788366733093007191633218920156128676 -10814607672194567708476955895911343647106655511963324128736517074523432296839 0 339804128683543310990293936155072305939 84560082006366279303397770296163374502 -14670247243417959748430522331710394486060945019663229292652381944686873932949 0 216816132467768706293094573634318230766 104398878419944410625233659620082612605 -56107121155374357535945152164294125642042757527061510117228535407976438121497 0 386892987353912128991329976336503087663 177056120338547206064090741914307427623 -77188073545141919153253032079852740640070319670556722220393219363109374723169 0 160023758393181220743981990294458592550 176101366278784987644445468565960054734 -80438386114623064927081270874114948353006511217400804502969162121456798770972 0 237644167675163130732252669886630134053 165845044977546381122944494488511437219 -21750645098900908912678883667612133796043775549396301332468588133882973948423 1 352818499509769438196965569266618433477 46097658249573195873115401561342364971 -26862423298115945424714035040705559189101666757714539997310305287247826384072 0 399410086271561552098443586429538266727 133833127179670490138292782897063540502 -84080526562328653229664227914484504486674483582449941747220480411763289195625 0 401664657227536740437249455683812959613 100032113100646377756626749845861775733 -62111157053950200884658018451481945090142434132677284556025153670367313526083 0 370411415301340194750740515404640345867 228428336354806362252125128311087217418 -20424636474284922549582098406694102113352361920085060259599092888980976860405 0 59901448108733896277327576901204637639 168974316108173167722431119890394086304 -4160741530737146563091753966954883675428769918419651542270453218465396411039 0 269768321090245135860744703491135204176 161918775753946834640965015495806500243 -104425436525312353906936282248490165432844814232751969526593455875068190422401 0 116842637655429969687192063405922383016 282963147268125192126386127265341408880 -45930251344865671062516217930438777182729125375578126035939365948425751025341 0 107758920282811432284432421635820750119 123967199290914156627921605572173478047 -72166184723593643001804792566029224788650578804787833776316904348974427149973 0 440446365303761438160849560777344991059 183872861468422199367074858983042235115 -2135453739441151053057995441603527253842483912513195498931921015333762698074 1 192707615268490441859403928586904730230 27443246753789444977871683730713716939 -104721606071924032616289509731059945977525632443948667457224299259862780652331 0 99444080945278110891417445470834440351 234394336920344357446088626074774513777 -64649953962548670309290426361806178400660868603739559301989610775384906017495 0 119437588015372638358653065955929696067 207301307614384551817741015416335873135 -60417201892110932276808545275887130933760205660759426438971415293151990784104 0 357563908700485063630659780719065773984 87137760942547591151360966114147098276 -1664536496415348284764196001551027954475847974659102907819354668847923381573 0 182045570726329972739526684296461028116 241640667881073598698849741884010686015 -50334896246466881619652816643741010809861401542950841215066206542516528102462 0 76982247423725866446244451658781690462 256225685541611358347372834773391879412 -111671568565463631161878244794179262953758976156489233845234863174777065225302 0 209674305635206206295267498468839168211 334836052697409696720943411830443927749 -84068227844428618510752367273992331772053774742356243151842411999371420637390 0 213856510655212747028968004757416813425 222215284506449987049877285938495622312 -110461813543747915084659553707740550284295066838275703224501816139984718372811 0 182635661414763611436852512202959298454 246374114488987432989195223519784003714 -29122247838865942836137321790378969069427684636926264527790956825568474242589 1 299062050762546799893302911446117025242 21385481687783856753974327664184076975 -16139263766274456177120355717390955306945847926594640452192538079975737408402 0 71648532241236883109215415334010002606 297979341628169690399484262103437310377 -20874239397852157795669141416178151087606380113974852609761536881486493307392 0 150553430298391297479361605513233569661 192471917098583014371143253644106423847 -104756145063898825208314983368638941374063531139745857591331545086102872055886 0 285030268787929265222013005900329452927 36246807619398950222393088279865542261 -16755210969954310765772278703348360905394375120217980143154390499093667986706 0 182375653669222507590299539329223664205 212429785785345358252219258317618075269 -70783109175121756862845343456351761250951390552005811879507805412945108769003 0 173364062218023105248771803378923309564 254499306310855828324275461595044322206 -58222758908908801229188263699948193412155251602750877235727824399408958823180 1 260364144991476085540847676394715163006 6216379023146083833797664783851119428 -64353453107305707254506444564522097019246741144999070996419662360688616425200 0 149196767399047737387187523417183578929 218984233813941470956365754335022558948 -23354141892373264776056653866323711150159533531152826524271373486896062079789 0 105379255404110152858013130094867167983 95808563785963366788123337399978175961 -57611942899484060300220171354902447078566605980011822292979366602702697093733 0 262371395567136959236798414413756731062 79454808214675985290091166154330561735 -91808587882179410241698697432443233124181819236062853091400802770675587123453 0 95262282643029874522451691973020293809 73639088399079781493053381290465217598 -60407678448328100376700120908974227594315698177575142685012440141825902479686 0 86350058477511789825269604245611020595 201453575936887761731596689172812610649 -55607964307589679565627221312050555924965301035201614143863626108426976586943 0 149806402551016139381632929153498089910 322190303137941309147101690410399742149 -15413513245722317145573937263298588315338520550444589637013196058603861533929 0 311413133960420882134668940412547732657 41752856447193350215821364955138846387 -45288307403562577908073300826138633502447496019441638492651413492215307502001 0 334612629039861254519449932805080904299 249134695833083167552432498040264330773 -10114287750251240077003521495780052652710906794931970767516471307021478042372 0 171855821176733600196644704610006371031 224264889055473063135963301318521913722 -75265869302360323966037358405959354112912133407276386969305344351127211985499 0 187629032489822873024840163305080532404 67946726721917054161674881154812311851 -82152140935567462125942530669394987761484709680471652422176220016190772323683 0 341711612671273408796680780277092788852 28162315999875702735428022505126898785 -115493258573648939360332440464654352426418451414031017462467410557521316482296 0 473368058800169480420489020974833089245 203037730079224839345182038021209908632 -76479466949996444789078719436743917952923292996685467124258003672588325212268 0 444905791058695952979320814797488933794 273796041384197302803781177529748091699 -25125996619364855763011720349183645509988835722218814152536734845877645629459 0 278343053289420744465930265972001641765 98058311008454617563825515575074589524 -1248078784790969430960737943140846067104070478921585937660777704984684765315 0 38416534064979764071134997784606951428 127546077762334049779419306099136370631 -11686198105044859792342682897153468115390574663358027760130867916223539595820 0 287146318209289667583902269984784231016 10765504804724987353392419097343402007 -141137463265921021412870884736445100035811670446600694335396867672508171650 0 274538521361560663499576744085724627784 43759352819540090137575600740942368090 -144477822419594343023623868012350352326412608245328586229841950645922033380 0 385071211877541479197628698548269248570 216530764296105542633490555168418706765 -40992570010755300113787619080842635223227219430122838726605437431997137071983 0 381986273085074957208534020565292972885 97249896313959696898263511907805366012 -12371219560722909729801092779566636720666568841000197545482418738774620333404 0 49031433498638207394111313092777421885 98213948980661473321966633660879562330 -35364145411313833723155005654157370127366685927320245081060340566566358872091 0 48244574149369049428136591890000866807 130929816671018105885243625154836387471 -66526060365153106090097562728372879608145845946552240188072421392613749055871 0 408064451481820347594923372630675737973 158337362317029691406884575296530908875 -91593038880149586289478060392810945286291314167005798449092379142091243240221 0 107426298672020696194031065661831880111 98102523989228437563023482987037203113 -36953158611679062860779341792683933272314093244384643873893957899852659939766 0 268220495268502573153302303502516989447 36706988253247939955429300467301260877 -102806076389248676169723386456845517019583891903155373282638030766050822573442 0 369357301144600826179236296942881198398 140238574182124346900541398498633260517 -46044626959422514914355589659345347006403766372290743284392160192247861050437 0 276798709786093669651474831434363707422 176469346034907716557981322668565373378 -6643241370247813390213189856923622457243138508554526415012501652095862948578 0 362809350268703833655982210520577611333 248234889002626536539296445178050883467 -3003611162645085184724773306628921343238426566743403083806568135912317221711 0 49430335564908082919354003134664006408 54277786036874037199333792285725984168 -96876230011928012643319349144809249486236091044415402214656652123498404816465 0 371865972612933313125490018137335013361 181035470744186787316188165294300429057 -70539399787146524119537253782689181217782531842640890859557885068192318808675 0 219895234157785192115371062823093258139 40452077911054828451716952279309183079 -12792182983527004520975218513340517459942353335063150574519623735081074174423 0 63571412164010818098072521617700329316 85329396661156419390362628137874964107 -110152695794993170753923644931120234258349968997078249043716663735048422814374 0 248188446182126041552204184851733813445 93139156084824522664353241489935855613 -65840731854429843283458734433514477644484906558272863261249182288564870527907 0 99315315012308028197996798680515898864 302468868741384936781149965403691875226 -52853388003490222462322884440094929618336542635888093820348783014557592715136 0 111109581968930903523994230157574979504 250247047983837250463484617920066150742 -50734701374467073106172641985592145155755728377753483865748069366241851996301 0 113285192555933656337001594394721208316 114188194674249494201342828060443412702 -75220177207339571486214284671208360514752674018651974660672077642757335257964 0 208753672347302431403085463318802646825 38079291622561352853876760845752233823 -70850502259261963281077733183853116012527658146003489440651781484509736090747 0 383849891090772776349800233543906736636 115116677521309445920019447198820467607 -108384758494731974499059475488930734994270173848227614231105472374331385075039 0 305813145983335213224833465217614586002 304027241590675546375125414312879526460 -94373599114502355455545199133910091218317366506629156537406087577194291244011 0 351136016950756632286804075936343958770 95067682142608432546549827729743476368 -7521550967913586903228360363216764835777144780933977995170441904489123087211 0 253982028825150512281146329690969617083 252559256526854359480025933012230928390 -61666829540629680448849586522092115591540432827016616588771017710458696954399 0 425770473896701467405333075315188289751 154626125321862001610086983916421881406 -83264226567052362967889718567642041892799793060194341234382713980215885515458 0 426148169185249288043610821740620753492 279418344796949182873075834028478072383 -19019347415732266071991527865888663738788152541408584446039325290901778680968 0 297037177318530079737599553142051249429 258324427867533886709683197241010959165 -66805591623561814519371162167023575943173675845202764176053458626426415285279 0 431874248864119623385007564239662402383 113747308401473376404062565459480246442 -41097576912135798324449247483462337595237158960632722269680734379550641282360 0 310239710353665125964247442453361783538 36211255729138935810809388737560179792 -106531828752929097973099333323873511155015138577164953772095982974264754025720 0 160144335573662551680491632669654960400 286533908321602540916663884444348469192 -112562653182041598411223262346013009051779519559885256720772447121240284928278 0 347700247713861601575782430734816386205 300058978671715632622934387591547039372 -52427044257732773839332556348154585646167248203478162452755267634742677706970 0 390966194973676476419828646774635297917 216136611829696600693343021137419448733 -15212092589841742999753871635822286815018075280258225985733671459221655374161 0 327646356774615541816703175226381732647 218725297244237214830407422552722548155 -97553216855710973986861809091613125625844553296640212060217960231100388695310 0 313769086164482510335746925200056718599 221534517434445658237164082100581035083 -83355570070624458994065855852548410753932476200906527167345973187957887904211 0 363444147578926634179702666939073411987 145198050680939081864852219892822209712 -41343444822532763737703969955283041579029742717270388437745094693668395478522 0 159544845391552409583305047359448088977 306329369601186353748116846691267622034 -69418381162326895416670147347702351280013772780284338417099683798886749335000 0 325042069151948582473511009040309533189 156532359584716063601302777577287443307 -86364868946101942551622516498127240262704182804837681238926408244440326124422 0 336974675322679468203539269571439868209 56664323533183020834598474906965745140 -99641177107819237055940644169179810357708227101112995191006535542547881424189 0 176948700035946127572922837533619941208 116086607304093585021818521383072452187 -57786446020611608012812377796223714878123336362492829538615405329313910757275 0 384800491534406380059844565570981772222 52266986398002287433031888862791991912 -3997314366767485810536545892291469074475439063264066213159323908499425387885 0 163725879096128676036352682652791025333 226192662661660937487283376658070867993 -67615980243338399738933073436777111073055676323119013192447912286335308137561 1 374683121854576184123882418807855041884 16460998928311049120615301499425467046 -95056188134586701650731142730682390276180906522232386805776875227233931192257 0 182406152787653624920535597648223675130 321349256573358626023271328220600865885 -29303255512942236056559307424251563011898396583247137160713909543128925925427 0 394355598494679314906318546129282608566 21331184493823760431200200045312958317 -106095072816802880785446250517258359371356549964859346325751724793738001008422 0 227220012957687545864426229191667293600 246770254904721260287425808259102883326 -36663409390673276751483064413776972596349494023383074980924833849240715914985 0 230187743392050124167268335285107339099 113059593568162008643646418169617685921 -82771506453137383921805646090184316226373521296248698278472145852657812654973 0 448680297043662761128367615186030747453 262213197051601850186326211611243750630 -63961727889177597433433858730561143931667179944225767027103327736231065696099 0 383046246971869687678886265006291417773 176507028690258621063089573000178683886 -78958182741591209735566019555046167360622345655285025222267245540000693237686 0 307912291337105562139537119019669321441 205848874805968588248301686005915074358 -29992541544181020685567466715431424759364607099134658865493940770134575976913 0 313333525502439697557329124795940920692 119522579582707356541133016141177173429 -55996337402705502978149476294220833964476263135957787076213671287801218036407 0 248653658166754470467954009769673979237 276357143630952130131740319087086825142 -97388654595383098119323361968512505408880391182023251416914044507619796828952 0 129607295120933934361947354739649396253 348702844153420909874274280858560595705 -103684421200131084868193986299612363056150648084335897887918260497897369235090 0 137988002724012727477191872780034713743 281923115583615970905143589103674297341 -51903898411245971311002978993768156073831050322488428489494694776389241427257 0 262623709047670399028123774298754795224 31207003832941590720457219524494852428 -58425740812556224150592989975848513144000880020796014870836565112334653910969 0 68158486446232977754554838151530747723 103012829212283472090535513492564260332 -37796766811528874602749994484146268556661763818946409615191822134163010896195 0 156162579596819770844738799408305517568 216013367627807166468937156952120714774 -104673787754110794527069099437830027691927980594776028872356770838068203806260 0 180507395316923827970381624873078371023 178646113611377959474138110551958431743 -45049215919159377471044030910333276930460202953886997427951830354892876391750 0 289076163967625382925306621033964902295 275857644218806224885962811288944950047 -63380093078641019264279595299599687418919536736701706690586662050919186274038 0 399343751961570017203410924552463623568 214629550774181167492620640131657432952 -113574786881534700522953391206121360810474649833543795441469078984157833695331 0 337585385764445108631145233545574984716 111193763139435755487945169649411985164 -49790013599705917814124073220601751501094132229628439049642413761065435294261 0 133366839688672057327444255549371842134 154705106335188742425870712888796851785 -64788086314106700834083217375850254865242934978855596692209349780129318378744 0 208048087191243283921553562292224008573 167962365335602158241904574503681973259 -21491352853103006049432930470687105869438626598819647480078412200076780080071 0 332927058661660714688841373072172537860 250843627315496890002575084365967548370 -32545348251896241054810690816139751919948032476162876085055732154364864057131 0 316420089474027539413130854556009781339 270726459303085467721289162826279737461 -31996583464016056235483983406448600381643612958093441920343439838927133445573 0 29765666218398212724673810874306110546 53399747936093672030894874965364064994 -89615799918538749381458729851193528246397510676297075907981857435559071071168 0 295961493720216429081105109644726719164 166422862787022480873353396305163229140 -15099232009191703557558812339937048250095387722489276214956414252433682422949 0 41556871202295228747165988589465572779 18694763296781371373688519867172104072 -57782406756368925624499515233394410310678496338615394643584084829055171163362 0 323173423073911508486605108651109896446 275664965293871722614277067423096860210 -83687148390003254520718432275833361406493655534410485533465629909784485351645 0 141707333321176834248589538053969047926 105093052280280330880420790614797103764 -94092632829203668064644865473590683890347120881122980873059859591305224541350 0 173463607522614220455498884551679162201 110097298199074074423678389142644523679 -80090736820260360487524344579373063292049864365463485605145955787985831409649 0 331405388022832422419399109218815665369 216771901726439591270277310542827853977 -4535777321770763218606323711246921035408569985909271950592300354642976197724 0 186391731486184025423142954209585423742 284613554603792609269913086961998880737 -30349365459394789718698194480160894678149070522952896486375773030035845255292 0 374909122453556624374459507677331897405 180673515562524763308695824558468012619 -72161671505952573796585894492305379034527876152238180794487819996016895314734 0 237579250085222191217791969107501240781 270701579459201000027844273593745256308 -48235355097859320774568350607756012532791518095832519070257073273821652387881 0 118852566568104430033747992761543500660 252476177183388145123352883841457568048 -43458547309016996164900737966450444092259120892532867520800108971738481241089 1 229858288423301440725886092157390239384 9465475033813460502057314905576362790 -87707849061176806397783023083472930256635791245553973448536304191247865297995 0 420158629397090655290956352806019948850 206730737632167395841059566861837480242 -32484531001265918515785349406978341204499124194739421246274581141032317566767 0 195662044073880514719905180740973104082 253767289227219312208752180951529687412 diff --git a/evm/src/cpu/kernel/tests/exp.rs b/evm/src/cpu/kernel/tests/exp.rs deleted file mode 100644 index 482c6b7216..0000000000 --- a/evm/src/cpu/kernel/tests/exp.rs +++ /dev/null @@ -1,42 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::{run_interpreter, Interpreter}; - -#[test] -fn test_exp() -> Result<()> { - // Make sure we can parse and assemble the entire kernel. - let exp = KERNEL.global_labels["exp"]; - let mut rng = thread_rng(); - let a = U256([0; 4].map(|_| rng.gen())); - let b = U256([0; 4].map(|_| rng.gen())); - - // Random input - let initial_stack = vec![0xDEADBEEFu32.into(), b, a]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack.clone()); - - let stack_with_kernel = run_interpreter(exp, initial_stack)?.stack(); - - let expected_exp = a.overflowing_pow(b).0; - assert_eq!(stack_with_kernel, vec![expected_exp]); - - // 0 base - let initial_stack = vec![0xDEADBEEFu32.into(), b, U256::zero()]; - let stack_with_kernel = run_interpreter(exp, initial_stack)?.stack(); - - let expected_exp = U256::zero().overflowing_pow(b).0; - assert_eq!(stack_with_kernel, vec![expected_exp]); - - // 0 exponent - let initial_stack = vec![0xDEADBEEFu32.into(), U256::zero(), a]; - interpreter.set_is_kernel(true); - interpreter.set_context(0); - let stack_with_kernel = run_interpreter(exp, initial_stack)?.stack(); - - let expected_exp = 1.into(); - assert_eq!(stack_with_kernel, vec![expected_exp]); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/hash.rs b/evm/src/cpu/kernel/tests/hash.rs deleted file mode 100644 index 6371f0a8a3..0000000000 --- a/evm/src/cpu/kernel/tests/hash.rs +++ /dev/null @@ -1,136 +0,0 @@ -use anyhow::Result; -// use blake2::Blake2b512; -use ethereum_types::U256; -use rand::{thread_rng, Rng}; -use ripemd::{Digest, Ripemd160}; -use sha2::Sha256; - -use crate::cpu::kernel::interpreter::{ - run_interpreter_with_memory, InterpreterMemoryInitialization, -}; -use crate::memory::segments::Segment::KernelGeneral; - -/// Standard RipeMD implementation. -fn ripemd(input: Vec) -> U256 { - let mut hasher = Ripemd160::new(); - hasher.update(input); - U256::from(&hasher.finalize()[..]) -} - -/// Standard Sha2 implementation. -fn sha2(input: Vec) -> U256 { - let mut hasher = Sha256::new(); - hasher.update(input); - U256::from(&hasher.finalize()[..]) -} - -fn make_random_input() -> Vec { - // Generate a random message, between 0 and 9999 bytes. - let mut rng = thread_rng(); - let num_bytes = rng.gen_range(0..10000); - (0..num_bytes).map(|_| rng.gen()).collect() -} - -fn make_interpreter_setup( - message: Vec, - hash_fn_label: &str, - hash_input_virt: (usize, usize), -) -> InterpreterMemoryInitialization { - InterpreterMemoryInitialization { - label: hash_fn_label.to_string(), - stack: vec![ - U256::from(hash_input_virt.0), - U256::from(message.len()), - U256::from(0xdeadbeefu32), - ], - segment: KernelGeneral, - memory: vec![( - hash_input_virt.1, - message.iter().map(|&x| U256::from(x as u32)).collect(), - )], - } -} - -fn prepare_test( - hash_fn_label: &str, - hash_input_virt: (usize, usize), - standard_implementation: &dyn Fn(Vec) -> T, -) -> Result<(T, Vec)> { - // Make the input. - let message = make_random_input(); - - // Hash the message using a standard implementation. - let expected = standard_implementation(message.clone()); - - // Load the message into the kernel. - let interpreter_setup = make_interpreter_setup(message, hash_fn_label, hash_input_virt); - - // Run the interpreter - let result = run_interpreter_with_memory(interpreter_setup).unwrap(); - - Ok((expected, result.stack().to_vec())) -} - -fn test_hash_256( - hash_fn_label: &str, - hash_input_virt: (usize, usize), - standard_implementation: &dyn Fn(Vec) -> U256, -) -> Result<()> { - let (expected, result_stack) = - prepare_test(hash_fn_label, hash_input_virt, standard_implementation).unwrap(); - - // Extract the final output. - let actual = result_stack[0]; - - // Check that the result is correct. - assert_eq!(expected, actual); - - Ok(()) -} - -#[test] -fn test_ripemd() -> Result<()> { - test_hash_256("ripemd", (200, 200), &ripemd) -} - -#[test] -fn test_sha2() -> Result<()> { - test_hash_256("sha2", (0, 1), &sha2) -} - -// Since the Blake precompile requires only the blake2_f compression function instead of the full blake2b hash, -// the full hash function is not included in the kernel. To include it, blake2/compression.asm and blake2/main.asm -// must be added to the kernel. - -// /// Standard Blake2b implementation. -// fn blake2b(input: Vec) -> U512 { -// let mut hasher = Blake2b512::new(); -// hasher.update(input); -// U512::from(&hasher.finalize()[..]) -// } - -// fn combine_u256s(hi: U256, lo: U256) -> U512 { -// U512::from(lo) + (U512::from(hi) << 256) -// } - -// fn test_hash_512( -// hash_fn_label: &str, -// hash_input_virt: (usize, usize), -// standard_implementation: &dyn Fn(Vec) -> U512, -// ) -> Result<()> { -// let (expected, result_stack) = -// prepare_test(hash_fn_label, hash_input_virt, standard_implementation).unwrap(); - -// // Extract the final output. -// let actual = combine_u256s(result_stack[0], result_stack[1]); - -// // Check that the result is correct. -// assert_eq!(expected, actual); - -// Ok(()) -// } - -// #[test] -// fn test_blake2b() -> Result<()> { -// test_hash_512("blake2b", (0, 2), &blake2b) -// } diff --git a/evm/src/cpu/kernel/tests/kernel_consistency.rs b/evm/src/cpu/kernel/tests/kernel_consistency.rs deleted file mode 100644 index b02c11a234..0000000000 --- a/evm/src/cpu/kernel/tests/kernel_consistency.rs +++ /dev/null @@ -1,13 +0,0 @@ -use anyhow::Result; - -use crate::cpu::kernel::aggregator::{combined_kernel, KERNEL}; - -#[test] -fn test_kernel_code_hash_consistency() -> Result<()> { - for _ in 0..10 { - let kernel2 = combined_kernel(); - assert_eq!(kernel2.code_hash, KERNEL.code_hash); - } - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/log.rs b/evm/src/cpu/kernel/tests/log.rs deleted file mode 100644 index 406fba0c5b..0000000000 --- a/evm/src/cpu/kernel/tests/log.rs +++ /dev/null @@ -1,198 +0,0 @@ -use anyhow::Result; -use ethereum_types::{Address, U256}; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn test_log_0() -> Result<()> { - let logs_entry = KERNEL.global_labels["log_n_entry"]; - let address: Address = thread_rng().gen(); - let num_topics = U256::from(0); - let data_len = U256::from(0); - let data_offset = U256::from(0); - - let retdest = 0xDEADBEEFu32.into(); - - let initial_stack = vec![ - retdest, - data_offset, - data_len, - num_topics, - U256::from_big_endian(&address.to_fixed_bytes()), - ]; - - let mut interpreter = Interpreter::new_with_kernel(logs_entry, initial_stack); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, 0.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsDataLen, 0.into()); - - interpreter.run()?; - - // The address is encoded in 1+20 bytes. There are no topics or data, so each is encoded in 1 byte. This leads to a payload of 23. - let payload_len = 23; - assert_eq!( - interpreter.get_memory_segment(Segment::LogsData), - [ - payload_len.into(), - U256::from_big_endian(&address.to_fixed_bytes()), - 0.into(), - 0.into(), - ] - ); - Ok(()) -} - -#[test] -fn test_log_2() -> Result<()> { - let logs_entry = KERNEL.global_labels["log_n_entry"]; - let address: Address = thread_rng().gen(); - let num_topics = U256::from(2); - let topics = [4.into(), 5.into()]; - let data_len = U256::from(3); - let data_offset = U256::from(0); - - let memory = vec![10.into(), 20.into(), 30.into()]; - - let retdest = 0xDEADBEEFu32.into(); - - let initial_stack = vec![ - retdest, - data_offset, - data_len, - topics[1], - topics[0], - num_topics, - U256::from_big_endian(&address.to_fixed_bytes()), - ]; - - let mut interpreter = Interpreter::new_with_kernel(logs_entry, initial_stack); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, 2.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsDataLen, 5.into()); - - interpreter.set_memory_segment(Segment::MainMemory, memory); - - interpreter.run()?; - assert_eq!( - interpreter.get_memory_segment(Segment::Logs), - [0.into(), 0.into(), 5.into(),] - ); - - // The data has length 3 bytes, and is encoded in 4 bytes. Each of the two topics is encoded in 1+32 bytes. The prefix for the topics list requires 2 bytes. The address is encoded in 1+20 bytes. Overall, we have a logs payload length of 93 bytes. - let payload_len = 93; - assert_eq!( - interpreter.get_memory_segment(Segment::LogsData), - [ - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - payload_len.into(), - U256::from_big_endian(&address.to_fixed_bytes()), - 2.into(), - 4.into(), - 5.into(), - 3.into(), - 10.into(), - 20.into(), - 30.into(), - ] - ); - Ok(()) -} - -#[test] -fn test_log_4() -> Result<()> { - let logs_entry = KERNEL.global_labels["log_n_entry"]; - let address: Address = thread_rng().gen(); - let num_topics = U256::from(4); - let topics = [45.into(), 46.into(), 47.into(), 48.into()]; - let data_len = U256::from(1); - let data_offset = U256::from(2); - - let memory = vec![0.into(), 0.into(), 123.into()]; - - let retdest = 0xDEADBEEFu32.into(); - - let initial_stack = vec![ - retdest, - data_offset, - data_len, - topics[3], - topics[2], - topics[1], - topics[0], - num_topics, - U256::from_big_endian(&address.to_fixed_bytes()), - ]; - - let mut interpreter = Interpreter::new_with_kernel(logs_entry, initial_stack); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, 2.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsDataLen, 5.into()); - - interpreter.set_memory_segment(Segment::MainMemory, memory); - - interpreter.run()?; - assert_eq!( - interpreter.get_memory_segment(Segment::Logs), - [0.into(), 0.into(), 5.into(),] - ); - - // The data is of length 1 byte, and is encoded in 1 byte. Each of the four topics is encoded in 1+32 bytes. The topics list is prefixed by 2 bytes. The address is encoded in 1+20 bytes. Overall, this leads to a log payload length of 156. - let payload_len = 156; - assert_eq!( - interpreter.get_memory_segment(Segment::LogsData), - [ - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - payload_len.into(), - U256::from_big_endian(&address.to_fixed_bytes()), - 4.into(), - 45.into(), - 46.into(), - 47.into(), - 48.into(), - 1.into(), - 123.into(), - ] - ); - Ok(()) -} - -#[test] -fn test_log_5() -> Result<()> { - let logs_entry = KERNEL.global_labels["log_n_entry"]; - let address: Address = thread_rng().gen(); - let num_topics = U256::from(5); - let topics = [1.into(), 2.into(), 3.into(), 4.into(), 5.into()]; - let data_len = U256::from(0); - let data_offset = U256::from(0); - - let retdest = 0xDEADBEEFu32.into(); - - let initial_stack = vec![ - retdest, - data_offset, - data_len, - topics[4], - topics[3], - topics[2], - topics[1], - topics[0], - num_topics, - U256::from_big_endian(&address.to_fixed_bytes()), - ]; - - let mut interpreter = Interpreter::new_with_kernel(logs_entry, initial_stack); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, 0.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsDataLen, 0.into()); - - assert!(interpreter.run().is_err()); - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mod.rs b/evm/src/cpu/kernel/tests/mod.rs deleted file mode 100644 index 7581eefe75..0000000000 --- a/evm/src/cpu/kernel/tests/mod.rs +++ /dev/null @@ -1,32 +0,0 @@ -mod account_code; -mod add11; -mod balance; -mod bignum; -mod blake2_f; -mod block_hash; -mod bls381; -mod bn254; -mod core; -mod ecc; -mod exp; -mod hash; -mod kernel_consistency; -mod log; -mod mpt; -mod packing; -mod receipt; -mod rlp; -mod signed_syscalls; -mod transaction_parsing; - -use std::str::FromStr; - -use anyhow::Result; -use ethereum_types::U256; - -pub(crate) fn u256ify<'a>(hexes: impl IntoIterator) -> Result> { - Ok(hexes - .into_iter() - .map(U256::from_str) - .collect::, _>>()?) -} diff --git a/evm/src/cpu/kernel/tests/mpt/delete.rs b/evm/src/cpu/kernel/tests/mpt/delete.rs deleted file mode 100644 index 0d4d5e71f7..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/delete.rs +++ /dev/null @@ -1,176 +0,0 @@ -use anyhow::Result; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{BigEndianHash, H256, U512}; -use rand::random; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::{nibbles_64, test_account_1_rlp, test_account_2}; -use crate::generation::mpt::AccountRlp; -use crate::generation::TrieInputs; -use crate::Node; - -#[test] -fn mpt_delete_empty() -> Result<()> { - test_state_trie(Default::default(), nibbles_64(0xABC), test_account_2()) -} - -#[test] -fn mpt_delete_leaf_nonoverlapping_keys() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: nibbles_64(0xABC), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0x123), test_account_2()) -} - -#[test] -fn mpt_delete_leaf_overlapping_keys() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: nibbles_64(0xABC), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xADE), test_account_2()) -} - -#[test] -fn mpt_delete_branch_into_hash() -> Result<()> { - let hash = Node::Hash(H256::random()); - let state_trie = Node::Extension { - nibbles: nibbles_64(0xADF), - child: hash.into(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xADE), test_account_2()) -} - -#[test] -fn test_after_mpt_delete_extension_branch() -> Result<()> { - let hash = Node::Hash(H256::random()); - let branch = Node::Branch { - children: std::array::from_fn(|i| { - if i == 0 { - Node::Empty.into() - } else { - hash.clone().into() - } - }), - value: vec![], - }; - let nibbles = Nibbles::from_bytes_be(&random::<[u8; 5]>()).unwrap(); - let state_trie = Node::Extension { - nibbles, - child: branch.into(), - } - .into(); - let key = nibbles.merge_nibbles(&Nibbles { - packed: U512::zero(), - count: 64 - nibbles.count, - }); - test_state_trie(state_trie, key, test_account_2()) -} - -/// Note: The account's storage_root is ignored, as we can't insert a new storage_root without the -/// accompanying trie data. An empty trie's storage_root is used instead. -fn test_state_trie( - state_trie: HashedPartialTrie, - k: Nibbles, - mut account: AccountRlp, -) -> Result<()> { - assert_eq!(k.count, 64); - - // Ignore any storage_root; see documentation note. - account.storage_root = HashedPartialTrie::from(Node::Empty).hash(); - - let trie_inputs = TrieInputs { - state_trie: state_trie.clone(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - let mpt_insert_state_trie = KERNEL.global_labels["mpt_insert_state_trie"]; - let mpt_delete = KERNEL.global_labels["mpt_delete"]; - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // Next, execute mpt_insert_state_trie. - interpreter.generation_state.registers.program_counter = mpt_insert_state_trie; - let trie_data = interpreter.get_trie_data_mut(); - if trie_data.is_empty() { - // In the assembly we skip over 0, knowing trie_data[0] = 0 by default. - // Since we don't explicitly set it to 0, we need to do so here. - trie_data.push(0.into()); - } - let value_ptr = trie_data.len(); - trie_data.push(account.nonce); - trie_data.push(account.balance); - // In memory, storage_root gets interpreted as a pointer to a storage trie, - // so we have to ensure the pointer is valid. It's easiest to set it to 0, - // which works as an empty node, since trie_data[0] = 0 = MPT_TYPE_EMPTY. - trie_data.push(H256::zero().into_uint()); - trie_data.push(account.code_hash.into_uint()); - let trie_data_len = trie_data.len().into(); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, trie_data_len); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(value_ptr.into()) - .expect("The stack should not overflow"); // value_ptr - interpreter - .push(k.try_into_u256().unwrap()) - .expect("The stack should not overflow"); // key - interpreter.run()?; - assert_eq!( - interpreter.stack().len(), - 0, - "Expected empty stack after insert, found {:?}", - interpreter.stack() - ); - - // Next, execute mpt_delete, deleting the account we just inserted. - let state_trie_ptr = interpreter.get_global_metadata_field(GlobalMetadata::StateTrieRoot); - interpreter.generation_state.registers.program_counter = mpt_delete; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(k.try_into_u256().unwrap()) - .expect("The stack should not overflow"); - interpreter - .push(64.into()) - .expect("The stack should not overflow"); - interpreter - .push(state_trie_ptr) - .expect("The stack should not overflow"); - interpreter.run()?; - let state_trie_ptr = interpreter.pop().expect("The stack should not be empty"); - interpreter.set_global_metadata_field(GlobalMetadata::StateTrieRoot, state_trie_ptr); - - // Now, execute mpt_hash_state_trie. - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - let state_trie_hash = - H256::from_uint(&interpreter.pop().expect("The stack should not be empty")); - let expected_state_trie_hash = state_trie.hash(); - assert_eq!(state_trie_hash, expected_state_trie_hash); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mpt/hash.rs b/evm/src/cpu/kernel/tests/mpt/hash.rs deleted file mode 100644 index a06dd2a0b5..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/hash.rs +++ /dev/null @@ -1,140 +0,0 @@ -use anyhow::Result; -use eth_trie_utils::partial_trie::PartialTrie; -use ethereum_types::{BigEndianHash, H256}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::{extension_to_leaf, test_account_1_rlp, test_account_2_rlp}; -use crate::generation::TrieInputs; -use crate::Node; - -// TODO: Test with short leaf. Might need to be a storage trie. - -#[test] -fn mpt_hash_empty() -> Result<()> { - let trie_inputs = TrieInputs { - state_trie: Default::default(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - test_state_trie(trie_inputs) -} - -#[test] -fn mpt_hash_empty_branch() -> Result<()> { - let children = core::array::from_fn(|_| Node::Empty.into()); - let state_trie = Node::Branch { - children, - value: vec![], - } - .into(); - let trie_inputs = TrieInputs { - state_trie, - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - test_state_trie(trie_inputs) -} - -#[test] -fn mpt_hash_hash() -> Result<()> { - let hash = H256::random(); - let trie_inputs = TrieInputs { - state_trie: Node::Hash(hash).into(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - test_state_trie(trie_inputs) -} - -#[test] -fn mpt_hash_leaf() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: 0xABC_u64.into(), - value: test_account_1_rlp(), - } - .into(); - let trie_inputs = TrieInputs { - state_trie, - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - test_state_trie(trie_inputs) -} - -#[test] -fn mpt_hash_extension_to_leaf() -> Result<()> { - let state_trie = extension_to_leaf(test_account_1_rlp()); - let trie_inputs = TrieInputs { - state_trie, - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - test_state_trie(trie_inputs) -} - -#[test] -fn mpt_hash_branch_to_leaf() -> Result<()> { - let leaf = Node::Leaf { - nibbles: 0xABC_u64.into(), - value: test_account_2_rlp(), - } - .into(); - - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[3] = leaf; - let state_trie = Node::Branch { - children, - value: vec![], - } - .into(); - - let trie_inputs = TrieInputs { - state_trie, - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - test_state_trie(trie_inputs) -} - -fn test_state_trie(trie_inputs: TrieInputs) -> Result<()> { - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // Now, execute mpt_hash_state_trie. - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack, found {:?}", - interpreter.stack() - ); - let hash = H256::from_uint(&interpreter.stack()[1]); - let expected_state_trie_hash = trie_inputs.state_trie.hash(); - assert_eq!(hash, expected_state_trie_hash); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mpt/hex_prefix.rs b/evm/src/cpu/kernel/tests/mpt/hex_prefix.rs deleted file mode 100644 index e51e60ab46..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/hex_prefix.rs +++ /dev/null @@ -1,92 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn hex_prefix_even_nonterminated() -> Result<()> { - let hex_prefix = KERNEL.global_labels["hex_prefix_rlp"]; - - let retdest = 0xDEADBEEFu32.into(); - let terminated = 0.into(); - let packed_nibbles = 0xABCDEF.into(); - let num_nibbles = 6.into(); - let rlp_pos = U256::from(Segment::RlpRaw as usize); - let initial_stack = vec![retdest, terminated, packed_nibbles, num_nibbles, rlp_pos]; - let mut interpreter = Interpreter::new_with_kernel(hex_prefix, initial_stack); - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![rlp_pos + U256::from(5)]); - - assert_eq!( - interpreter.get_rlp_memory(), - vec![ - 0x80 + 4, // prefix - 0, // neither flag is set - 0xAB, - 0xCD, - 0xEF - ] - ); - - Ok(()) -} - -#[test] -fn hex_prefix_odd_terminated() -> Result<()> { - let hex_prefix = KERNEL.global_labels["hex_prefix_rlp"]; - - let retdest = 0xDEADBEEFu32.into(); - let terminated = 1.into(); - let packed_nibbles = 0xABCDE.into(); - let num_nibbles = 5.into(); - let rlp_pos = U256::from(Segment::RlpRaw as usize); - let initial_stack = vec![retdest, terminated, packed_nibbles, num_nibbles, rlp_pos]; - let mut interpreter = Interpreter::new_with_kernel(hex_prefix, initial_stack); - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![rlp_pos + U256::from(4)]); - - assert_eq!( - interpreter.get_rlp_memory(), - vec![ - 0x80 + 3, // prefix - (2 + 1) * 16 + 0xA, - 0xBC, - 0xDE, - ] - ); - - Ok(()) -} - -#[test] -fn hex_prefix_odd_terminated_tiny() -> Result<()> { - let hex_prefix = KERNEL.global_labels["hex_prefix_rlp"]; - - let retdest = 0xDEADBEEFu32.into(); - let terminated = 1.into(); - let packed_nibbles = 0xA.into(); - let num_nibbles = 1.into(); - let rlp_pos = U256::from(Segment::RlpRaw as usize + 2); - let initial_stack = vec![retdest, terminated, packed_nibbles, num_nibbles, rlp_pos]; - let mut interpreter = Interpreter::new_with_kernel(hex_prefix, initial_stack); - interpreter.run()?; - assert_eq!( - interpreter.stack(), - vec![U256::from(Segment::RlpRaw as usize + 3)] - ); - - assert_eq!( - interpreter.get_rlp_memory(), - vec![ - // Since rlp_pos = 2, we skipped over the first two bytes. - 0, - 0, - // No length prefix; this tiny string is its own RLP encoding. - (2 + 1) * 16 + 0xA, - ] - ); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mpt/insert.rs b/evm/src/cpu/kernel/tests/mpt/insert.rs deleted file mode 100644 index 19b82f74a2..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/insert.rs +++ /dev/null @@ -1,240 +0,0 @@ -use anyhow::Result; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{BigEndianHash, H256}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::{ - nibbles_64, nibbles_count, test_account_1_rlp, test_account_2, -}; -use crate::generation::mpt::AccountRlp; -use crate::generation::TrieInputs; -use crate::Node; - -#[test] -fn mpt_insert_empty() -> Result<()> { - test_state_trie(Default::default(), nibbles_64(0xABC), test_account_2()) -} - -#[test] -fn mpt_insert_leaf_identical_keys() -> Result<()> { - let key = nibbles_64(0xABC); - let state_trie = Node::Leaf { - nibbles: key, - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, key, test_account_2()) -} - -#[test] -fn mpt_insert_leaf_nonoverlapping_keys() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: nibbles_64(0xABC), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0x123), test_account_2()) -} - -#[test] -fn mpt_insert_leaf_overlapping_keys() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: nibbles_64(0xABC), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xADE), test_account_2()) -} - -#[test] -#[ignore] // TODO: Not valid for state trie, all keys have same len. -fn mpt_insert_leaf_insert_key_extends_leaf_key() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: 0xABC_u64.into(), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xABCDE), test_account_2()) -} - -#[test] -#[ignore] // TODO: Not valid for state trie, all keys have same len. -fn mpt_insert_leaf_leaf_key_extends_insert_key() -> Result<()> { - let state_trie = Node::Leaf { - nibbles: 0xABCDE_u64.into(), - value: test_account_1_rlp(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xABC), test_account_2()) -} - -#[test] -fn mpt_insert_branch_replacing_empty_child() -> Result<()> { - let children = core::array::from_fn(|_| Node::Empty.into()); - let state_trie = Node::Branch { - children, - value: vec![], - } - .into(); - - test_state_trie(state_trie, nibbles_64(0xABC), test_account_2()) -} - -#[test] -// TODO: Not a valid test because branches state trie cannot have branch values. -// We should change it to use a different trie. -#[ignore] -fn mpt_insert_extension_nonoverlapping_keys() -> Result<()> { - // Existing keys are 0xABC, 0xABCDEF; inserted key is 0x12345. - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[0xD] = Node::Leaf { - nibbles: 0xEF_u64.into(), - value: test_account_1_rlp(), - } - .into(); - let state_trie = Node::Extension { - nibbles: 0xABC_u64.into(), - child: Node::Branch { - children, - value: test_account_1_rlp(), - } - .into(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0x12345), test_account_2()) -} - -#[test] -// TODO: Not a valid test because branches state trie cannot have branch values. -// We should change it to use a different trie. -#[ignore] -fn mpt_insert_extension_insert_key_extends_node_key() -> Result<()> { - // Existing keys are 0xA, 0xABCD; inserted key is 0xABCDEF. - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[0xB] = Node::Leaf { - nibbles: 0xCD_u64.into(), - value: test_account_1_rlp(), - } - .into(); - let state_trie = Node::Extension { - nibbles: 0xA_u64.into(), - child: Node::Branch { - children, - value: test_account_1_rlp(), - } - .into(), - } - .into(); - test_state_trie(state_trie, nibbles_64(0xABCDEF), test_account_2()) -} - -#[test] -fn mpt_insert_branch_to_leaf_same_key() -> Result<()> { - let leaf = Node::Leaf { - nibbles: nibbles_count(0xBCD, 63), - value: test_account_1_rlp(), - } - .into(); - - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[0] = leaf; - let state_trie = Node::Branch { - children, - value: vec![], - } - .into(); - - test_state_trie(state_trie, nibbles_64(0xABCD), test_account_2()) -} - -/// Note: The account's storage_root is ignored, as we can't insert a new storage_root without the -/// accompanying trie data. An empty trie's storage_root is used instead. -fn test_state_trie( - mut state_trie: HashedPartialTrie, - k: Nibbles, - mut account: AccountRlp, -) -> Result<()> { - assert_eq!(k.count, 64); - - // Ignore any storage_root; see documentation note. - account.storage_root = HashedPartialTrie::from(Node::Empty).hash(); - - let trie_inputs = TrieInputs { - state_trie: state_trie.clone(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - let mpt_insert_state_trie = KERNEL.global_labels["mpt_insert_state_trie"]; - let mpt_hash_state_trie = KERNEL.global_labels["mpt_hash_state_trie"]; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // Next, execute mpt_insert_state_trie. - interpreter.generation_state.registers.program_counter = mpt_insert_state_trie; - let trie_data = interpreter.get_trie_data_mut(); - if trie_data.is_empty() { - // In the assembly we skip over 0, knowing trie_data[0] = 0 by default. - // Since we don't explicitly set it to 0, we need to do so here. - trie_data.push(0.into()); - } - let value_ptr = trie_data.len(); - trie_data.push(account.nonce); - trie_data.push(account.balance); - // In memory, storage_root gets interpreted as a pointer to a storage trie, - // so we have to ensure the pointer is valid. It's easiest to set it to 0, - // which works as an empty node, since trie_data[0] = 0 = MPT_TYPE_EMPTY. - trie_data.push(H256::zero().into_uint()); - trie_data.push(account.code_hash.into_uint()); - let trie_data_len = trie_data.len().into(); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, trie_data_len); - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(value_ptr.into()) - .expect("The stack should not overflow"); // value_ptr - interpreter - .push(k.try_into_u256().unwrap()) - .expect("The stack should not overflow"); // key - - interpreter.run()?; - assert_eq!( - interpreter.stack().len(), - 0, - "Expected empty stack after insert, found {:?}", - interpreter.stack() - ); - - // Now, execute mpt_hash_state_trie. - interpreter.generation_state.registers.program_counter = mpt_hash_state_trie; - interpreter - .push(0xDEADBEEFu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!( - interpreter.stack().len(), - 2, - "Expected 2 items on stack after hashing, found {:?}", - interpreter.stack() - ); - let hash = H256::from_uint(&interpreter.stack()[1]); - - state_trie.insert(k, rlp::encode(&account).to_vec()); - let expected_state_trie_hash = state_trie.hash(); - assert_eq!(hash, expected_state_trie_hash); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mpt/load.rs b/evm/src/cpu/kernel/tests/mpt/load.rs deleted file mode 100644 index bff1d8cb39..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/load.rs +++ /dev/null @@ -1,264 +0,0 @@ -use std::str::FromStr; - -use anyhow::Result; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::HashedPartialTrie; -use ethereum_types::{BigEndianHash, H256, U256}; -use hex_literal::hex; - -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::constants::trie_type::PartialTrieType; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::{extension_to_leaf, test_account_1, test_account_1_rlp}; -use crate::generation::TrieInputs; -use crate::Node; - -#[test] -fn load_all_mpts_empty() -> Result<()> { - let trie_inputs = TrieInputs { - state_trie: Default::default(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // We need to have the first element in `TrieData` be 0. - assert_eq!(interpreter.get_trie_data(), vec![0.into()]); - - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::StateTrieRoot), - 0.into() - ); - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::TransactionTrieRoot), - 0.into() - ); - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::ReceiptTrieRoot), - 0.into() - ); - - Ok(()) -} - -#[test] -fn load_all_mpts_leaf() -> Result<()> { - let trie_inputs = TrieInputs { - state_trie: Node::Leaf { - nibbles: 0xABC_u64.into(), - value: test_account_1_rlp(), - } - .into(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let type_leaf = U256::from(PartialTrieType::Leaf as u32); - assert_eq!( - interpreter.get_trie_data(), - vec![ - 0.into(), - type_leaf, - 3.into(), - 0xABC.into(), - 5.into(), // value ptr - test_account_1().nonce, - test_account_1().balance, - 9.into(), // pointer to storage trie root - test_account_1().code_hash.into_uint(), - // These last two elements encode the storage trie, which is a hash node. - (PartialTrieType::Hash as u32).into(), - test_account_1().storage_root.into_uint(), - ] - ); - - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::TransactionTrieRoot), - 0.into() - ); - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::ReceiptTrieRoot), - 0.into() - ); - - Ok(()) -} - -#[test] -fn load_all_mpts_hash() -> Result<()> { - let hash = H256::random(); - let trie_inputs = TrieInputs { - state_trie: Node::Hash(hash).into(), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let type_hash = U256::from(PartialTrieType::Hash as u32); - assert_eq!( - interpreter.get_trie_data(), - vec![0.into(), type_hash, hash.into_uint(),] - ); - - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::TransactionTrieRoot), - 0.into() - ); - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::ReceiptTrieRoot), - 0.into() - ); - - Ok(()) -} - -#[test] -fn load_all_mpts_empty_branch() -> Result<()> { - let children = core::array::from_fn(|_| Node::Empty.into()); - let state_trie = Node::Branch { - children, - value: vec![], - } - .into(); - let trie_inputs = TrieInputs { - state_trie, - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let type_branch = U256::from(PartialTrieType::Branch as u32); - assert_eq!( - interpreter.get_trie_data(), - vec![ - 0.into(), // First address is unused, so that 0 can be treated as a null pointer. - type_branch, - 0.into(), // child 0 - 0.into(), // ... - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), - 0.into(), // child 16 - 0.into(), // value_ptr - ] - ); - - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::TransactionTrieRoot), - 0.into() - ); - assert_eq!( - interpreter.get_global_metadata_field(GlobalMetadata::ReceiptTrieRoot), - 0.into() - ); - - Ok(()) -} - -#[test] -fn load_all_mpts_ext_to_leaf() -> Result<()> { - let trie_inputs = TrieInputs { - state_trie: extension_to_leaf(test_account_1_rlp()), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let type_extension = U256::from(PartialTrieType::Extension as u32); - let type_leaf = U256::from(PartialTrieType::Leaf as u32); - assert_eq!( - interpreter.get_trie_data(), - vec![ - 0.into(), // First address is unused, so that 0 can be treated as a null pointer. - type_extension, - 3.into(), // 3 nibbles - 0xABC.into(), // key part - 5.into(), // Pointer to the leaf node immediately below. - type_leaf, - 3.into(), // 3 nibbles - 0xDEF.into(), // key part - 9.into(), // value pointer - test_account_1().nonce, - test_account_1().balance, - 13.into(), // pointer to storage trie root - test_account_1().code_hash.into_uint(), - // These last two elements encode the storage trie, which is a hash node. - (PartialTrieType::Hash as u32).into(), - test_account_1().storage_root.into_uint(), - ] - ); - - Ok(()) -} - -#[test] -fn load_mpt_txn_trie() -> Result<()> { - let txn = hex!("f860010a830186a094095e7baea6a6c7c4c2dfeb977efac326af552e89808025a04a223955b0bd3827e3740a9a427d0ea43beb5bafa44a0204bf0a3306c8219f7ba0502c32d78f233e9e7ce9f5df3b576556d5d49731e0678fd5a068cdf359557b5b").to_vec(); - - let trie_inputs = TrieInputs { - state_trie: Default::default(), - transactions_trie: HashedPartialTrie::from(Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.clone(), - }), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - let mut expected_trie_data = vec![ - 0.into(), - U256::from(PartialTrieType::Leaf as u32), - 2.into(), - 128.into(), // Nibble - 5.into(), // value_ptr - txn.len().into(), - ]; - expected_trie_data.extend(txn.into_iter().map(U256::from)); - let trie_data = interpreter.get_trie_data(); - - assert_eq!(trie_data, expected_trie_data); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/mpt/mod.rs b/evm/src/cpu/kernel/tests/mpt/mod.rs deleted file mode 100644 index 292d064af1..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/mod.rs +++ /dev/null @@ -1,71 +0,0 @@ -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::HashedPartialTrie; -use ethereum_types::{BigEndianHash, H256, U256}; - -use crate::generation::mpt::AccountRlp; -use crate::Node; - -mod delete; -mod hash; -mod hex_prefix; -mod insert; -mod load; -mod read; - -pub(crate) fn nibbles_64>(v: T) -> Nibbles { - let packed: U256 = v.into(); - Nibbles { - count: 64, - packed: packed.into(), - } -} - -pub(crate) fn nibbles_count>(v: T, count: usize) -> Nibbles { - let packed: U256 = v.into(); - Nibbles { - count, - packed: packed.into(), - } -} - -pub(crate) fn test_account_1() -> AccountRlp { - AccountRlp { - nonce: U256::from(1111), - balance: U256::from(2222), - storage_root: H256::from_uint(&U256::from(3333)), - code_hash: H256::from_uint(&U256::from(4444)), - } -} - -pub(crate) fn test_account_1_rlp() -> Vec { - rlp::encode(&test_account_1()).to_vec() -} - -pub(crate) fn test_account_2() -> AccountRlp { - AccountRlp { - nonce: U256::from(5555), - balance: U256::from(6666), - storage_root: H256::from_uint(&U256::from(7777)), - code_hash: H256::from_uint(&U256::from(8888)), - } -} - -pub(crate) fn test_account_2_rlp() -> Vec { - rlp::encode(&test_account_2()).to_vec() -} - -/// A `PartialTrie` where an extension node leads to a leaf node containing an account. -pub(crate) fn extension_to_leaf(value: Vec) -> HashedPartialTrie { - Node::Extension { - nibbles: 0xABC_u64.into(), - child: Node::Leaf { - nibbles: Nibbles { - count: 3, - packed: 0xDEF.into(), - }, - value, - } - .into(), - } - .into() -} diff --git a/evm/src/cpu/kernel/tests/mpt/read.rs b/evm/src/cpu/kernel/tests/mpt/read.rs deleted file mode 100644 index 16206d1390..0000000000 --- a/evm/src/cpu/kernel/tests/mpt/read.rs +++ /dev/null @@ -1,53 +0,0 @@ -use anyhow::Result; -use ethereum_types::BigEndianHash; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::cpu::kernel::tests::mpt::{extension_to_leaf, test_account_1, test_account_1_rlp}; -use crate::generation::TrieInputs; - -#[test] -fn mpt_read() -> Result<()> { - let trie_inputs = TrieInputs { - state_trie: extension_to_leaf(test_account_1_rlp()), - transactions_trie: Default::default(), - receipts_trie: Default::default(), - storage_tries: vec![], - }; - - let mpt_read = KERNEL.global_labels["mpt_read"]; - - let initial_stack = vec![]; - let mut interpreter = Interpreter::new_with_kernel(0, initial_stack); - initialize_mpts(&mut interpreter, &trie_inputs); - assert_eq!(interpreter.stack(), vec![]); - - // Now, execute mpt_read on the state trie. - interpreter.generation_state.registers.program_counter = mpt_read; - interpreter - .push(0xdeadbeefu32.into()) - .expect("The stack should not overflow"); - interpreter - .push(0xABCDEFu64.into()) - .expect("The stack should not overflow"); - interpreter - .push(6.into()) - .expect("The stack should not overflow"); - interpreter - .push(interpreter.get_global_metadata_field(GlobalMetadata::StateTrieRoot)) - .expect("The stack should not overflow"); - interpreter.run()?; - - assert_eq!(interpreter.stack().len(), 1); - let result_ptr = interpreter.stack()[0].as_usize(); - let result = &interpreter.get_trie_data()[result_ptr..][..4]; - assert_eq!(result[0], test_account_1().nonce); - assert_eq!(result[1], test_account_1().balance); - // result[2] is the storage root pointer. We won't check that it matches a - // particular address, since that seems like over-specifying. - assert_eq!(result[3], test_account_1().code_hash.into_uint()); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/packing.rs b/evm/src/cpu/kernel/tests/packing.rs deleted file mode 100644 index 0eb09cf7a6..0000000000 --- a/evm/src/cpu/kernel/tests/packing.rs +++ /dev/null @@ -1,28 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn test_mstore_unpacking() -> Result<()> { - let mstore_unpacking = KERNEL.global_labels["mstore_unpacking"]; - - let retdest = 0xDEADBEEFu32.into(); - let len = 4.into(); - let value = 0xABCD1234u32.into(); - let addr = (Segment::TxnData as u64).into(); - let initial_stack = vec![retdest, len, value, addr]; - - let mut interpreter = Interpreter::new_with_kernel(mstore_unpacking, initial_stack); - - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![addr + U256::from(4)]); - assert_eq!( - &interpreter.get_txn_data(), - &[0xAB.into(), 0xCD.into(), 0x12.into(), 0x34.into()] - ); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/receipt.rs b/evm/src/cpu/kernel/tests/receipt.rs deleted file mode 100644 index 7d00cb2746..0000000000 --- a/evm/src/cpu/kernel/tests/receipt.rs +++ /dev/null @@ -1,610 +0,0 @@ -use anyhow::Result; -use ethereum_types::{Address, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use rand::{thread_rng, Rng}; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cpu::kernel::constants::txn_fields::NormalizedTxnField; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::cpu::kernel::tests::account_code::initialize_mpts; -use crate::generation::mpt::{LegacyReceiptRlp, LogRlp}; -use crate::memory::segments::Segment; - -#[test] -fn test_process_receipt() -> Result<()> { - /* Tests process_receipt, which: - - computes the cumulative gas - - computes the bloom filter - - inserts the receipt data in MPT_TRIE_DATA - - inserts a node in receipt_trie - - resets the bloom filter to 0 for the next transaction. */ - let process_receipt = KERNEL.global_labels["process_receipt"]; - let success = U256::from(1); - let leftover_gas = U256::from(4000); - let prev_cum_gas = U256::from(1000); - let retdest = 0xDEADBEEFu32.into(); - - // Log. - let address: Address = thread_rng().gen(); - let num_topics = 1; - - let mut topic = vec![0_u8; 32]; - topic[31] = 4; - - // Compute the expected Bloom filter. - let test_logs_list = vec![(address.to_fixed_bytes().to_vec(), vec![topic])]; - let expected_bloom = logs_bloom_bytes_fn(test_logs_list).to_vec(); - - // Set memory. - let num_nibbles = 2.into(); - let initial_stack: Vec = vec![ - retdest, - num_nibbles, - 0.into(), - prev_cum_gas, - leftover_gas, - success, - ]; - let mut interpreter = Interpreter::new_with_kernel(process_receipt, initial_stack); - interpreter.set_memory_segment( - Segment::LogsData, - vec![ - 56.into(), // payload len - U256::from_big_endian(&address.to_fixed_bytes()), // address - num_topics.into(), // num_topics - 4.into(), // topic - 0.into(), // data_len - ], - ); - interpreter.set_txn_field(NormalizedTxnField::GasLimit, U256::from(5000)); - interpreter.set_memory_segment(Segment::TxnBloom, vec![0.into(); 256]); - interpreter.set_memory_segment(Segment::Logs, vec![0.into()]); - interpreter.set_global_metadata_field(GlobalMetadata::LogsPayloadLen, 58.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, U256::from(1)); - interpreter.set_global_metadata_field(GlobalMetadata::ReceiptTrieRoot, 500.into()); - interpreter.run()?; - - let segment_read = interpreter.get_memory_segment(Segment::TrieData); - - // The expected TrieData has the form [payload_len, status, cum_gas_used, bloom_filter, logs_payload_len, num_logs, [logs]] - let mut expected_trie_data: Vec = vec![323.into(), success, 2000.into()]; - expected_trie_data.extend( - expected_bloom - .into_iter() - .map(|elt| elt.into()) - .collect::>(), - ); - expected_trie_data.push(58.into()); // logs_payload_len - expected_trie_data.push(1.into()); // num_logs - expected_trie_data.extend(vec![ - 56.into(), // payload len - U256::from_big_endian(&address.to_fixed_bytes()), // address - num_topics.into(), // num_topics - 4.into(), // topic - 0.into(), // data_len - ]); - - assert_eq!( - expected_trie_data, - segment_read[0..expected_trie_data.len()] - ); - - Ok(()) -} - -/// Values taken from the block 1000000 of Goerli: https://goerli.etherscan.io/txs?block=1000000 -#[test] -fn test_receipt_encoding() -> Result<()> { - // Initialize interpreter. - let success = U256::from(1); - - let retdest = 0xDEADBEEFu32.into(); - let num_topics = 3; - - let encode_receipt = KERNEL.global_labels["encode_receipt"]; - - // Logs and receipt in encodable form. - let log_1 = LogRlp { - address: hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into(), - topics: vec![ - hex!("8a22ee899102a366ac8ad0495127319cb1ff2403cfae855f83a89cda1266674d").into(), - hex!("0000000000000000000000000000000000000000000000000000000000000004").into(), - hex!("00000000000000000000000000000000000000000000000000000000004920ea").into(), - ], - data: hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .to_vec() - .into(), - }; - - let receipt_1 = LegacyReceiptRlp { - status: true, - cum_gas_used: 0x02dcb6u64.into(), - bloom: hex!("00000000000000000000000000000000000000000000000000800000000000000040000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000008000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000400000000000000000000000000000002000040000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000008000000000000000000000000").to_vec().into(), - logs: vec![log_1], - }; - // Get the expected RLP encoding. - let expected_rlp = rlp::encode(&rlp::encode(&receipt_1)); - - let initial_stack: Vec = vec![retdest, 0.into(), 0.into(), 0.into()]; - let mut interpreter = Interpreter::new_with_kernel(encode_receipt, initial_stack); - - // Write data to memory. - let expected_bloom_bytes = vec![ - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 0x40, 00, 00, 00, 00, 0x10, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x02, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 0x40, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x20, 00, 0x04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x08, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - ]; - let expected_bloom: Vec = expected_bloom_bytes - .into_iter() - .map(|elt| elt.into()) - .collect(); - - let addr = U256::from([ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x7e, 0xf6, 0x6b, 0x77, 0x75, 0x9e, 0x12, 0xca, 0xf3, - 0xdd, 0xb3, 0xe4, 0xaf, 0xf5, 0x24, 0xe5, 0x77, 0xc5, 0x9d, 0x8d, - ]); - - let topic1 = U256::from([ - 0x8a, 0x22, 0xee, 0x89, 0x91, 0x02, 0xa3, 0x66, 0xac, 0x8a, 0xd0, 0x49, 0x51, 0x27, 0x31, - 0x9c, 0xb1, 0xff, 0x24, 0x03, 0xcf, 0xae, 0x85, 0x5f, 0x83, 0xa8, 0x9c, 0xda, 0x12, 0x66, - 0x67, 0x4d, - ]); - - let topic2 = 4.into(); - let topic3 = 0x4920ea.into(); - - let mut logs = vec![ - 155.into(), // unused - addr, - num_topics.into(), // num_topics - topic1, // topic1 - topic2, // topic2 - topic3, // topic3 - 32.into(), // data length - ]; - let cur_data = hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .iter() - .copied() - .map(U256::from); - logs.extend(cur_data); - - let mut receipt = vec![423.into(), success, receipt_1.cum_gas_used]; - receipt.extend(expected_bloom.clone()); - receipt.push(157.into()); // logs_payload_len - receipt.push(1.into()); // num_logs - receipt.extend(logs.clone()); - interpreter.set_memory_segment(Segment::LogsData, logs); - - interpreter.set_memory_segment(Segment::TxnBloom, expected_bloom); - - interpreter.set_memory_segment(Segment::Logs, vec![0.into()]); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, 1.into()); - interpreter.set_global_metadata_field(GlobalMetadata::LogsPayloadLen, 157.into()); - interpreter.set_memory_segment(Segment::TrieData, receipt); - - interpreter.run()?; - let rlp_pos = interpreter.pop().expect("The stack should not be empty"); - - let rlp_read: Vec = interpreter.get_rlp_memory(); - - assert_eq!(rlp_pos.as_usize(), expected_rlp.len()); - for i in 0..rlp_read.len() { - assert_eq!(rlp_read[i], expected_rlp[i]); - } - - Ok(()) -} - -/// Values taken from the block 1000000 of Goerli: https://goerli.etherscan.io/txs?block=1000000 -#[test] -fn test_receipt_bloom_filter() -> Result<()> { - let logs_bloom = KERNEL.global_labels["logs_bloom"]; - - let num_topics = 3; - - // Expected bloom - let first_bloom_bytes = vec![ - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 0x40, 00, 00, 00, 00, 0x50, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x02, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x08, 00, 0x08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x50, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x10, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x20, 00, 00, 00, 00, 00, 0x08, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - ]; - - let retdest = 0xDEADBEEFu32.into(); - - let addr = U256::from([ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x7e, 0xf6, 0x6b, 0x77, 0x75, 0x9e, 0x12, 0xca, 0xf3, - 0xdd, 0xb3, 0xe4, 0xaf, 0xf5, 0x24, 0xe5, 0x77, 0xc5, 0x9d, 0x8d, - ]); - - let topic1 = U256::from([ - 0x8a, 0x22, 0xee, 0x89, 0x91, 0x02, 0xa3, 0x66, 0xac, 0x8a, 0xd0, 0x49, 0x51, 0x27, 0x31, - 0x9c, 0xb1, 0xff, 0x24, 0x03, 0xcf, 0xae, 0x85, 0x5f, 0x83, 0xa8, 0x9c, 0xda, 0x12, 0x66, - 0x67, 0x4d, - ]); - - let topic02 = 0x2a.into(); - let topic03 = 0xbd9fe6.into(); - - // Set logs memory and initialize TxnBloom and BlockBloom segments. - let initial_stack: Vec = vec![retdest]; - - let mut interpreter = Interpreter::new_with_kernel(logs_bloom, initial_stack); - let mut logs = vec![ - 0.into(), // unused - addr, - num_topics.into(), // num_topics - topic1, // topic1 - topic02, // topic2 - topic03, // topic3 - 32.into(), // data_len - ]; - let cur_data = hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .iter() - .copied() - .map(U256::from); - logs.extend(cur_data); - // The Bloom filter initialization is required for this test to ensure we have the correct length for the filters. Otherwise, some trailing zeroes could be missing. - interpreter.set_memory_segment(Segment::TxnBloom, vec![0.into(); 256]); // Initialize transaction Bloom filter. - interpreter.set_memory_segment(Segment::LogsData, logs); - interpreter.set_memory_segment(Segment::Logs, vec![0.into()]); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, U256::from(1)); - interpreter.run()?; - - // Second transaction. - let loaded_bloom_u256 = interpreter.get_memory_segment(Segment::TxnBloom); - let loaded_bloom: Vec = loaded_bloom_u256 - .into_iter() - .map(|elt| elt.0[0] as u8) - .collect(); - - assert_eq!(first_bloom_bytes, loaded_bloom); - let topic12 = 0x4.into(); - let topic13 = 0x4920ea.into(); - let mut logs2 = vec![ - 0.into(), // unused - addr, - num_topics.into(), // num_topics - topic1, // topic1 - topic12, // topic2 - topic13, // topic3 - 32.into(), // data_len - ]; - let cur_data = hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .iter() - .copied() - .map(U256::from); - logs2.extend(cur_data); - - interpreter - .push(retdest) - .expect("The stack should not overflow"); - interpreter.generation_state.registers.program_counter = logs_bloom; - interpreter.set_memory_segment(Segment::TxnBloom, vec![0.into(); 256]); // Initialize transaction Bloom filter. - interpreter.set_memory_segment(Segment::LogsData, logs2); - interpreter.set_memory_segment(Segment::Logs, vec![0.into()]); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, U256::from(1)); - interpreter.run()?; - - let second_bloom_bytes = vec![ - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 0x40, 00, 00, 00, 00, 0x10, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x02, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 0x40, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x20, 00, 0x04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x08, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - ]; - - let second_loaded_bloom_u256 = interpreter.get_memory_segment(Segment::TxnBloom); - let second_loaded_bloom: Vec = second_loaded_bloom_u256 - .into_iter() - .map(|elt| elt.0[0] as u8) - .collect(); - - assert_eq!(second_bloom_bytes, second_loaded_bloom); - - Ok(()) -} - -#[test] -fn test_mpt_insert_receipt() -> Result<()> { - // This test simulates a receipt processing to test `mpt_insert_receipt_trie`. - // For this, we need to set the data correctly in memory. - // In TrieData, we need to insert a receipt of the form: - // `[payload_len, status, cum_gas_used, bloom, logs_payload_len, num_logs, [logs]]`. - // We also need to set TrieDataSize correctly. - - let retdest = 0xDEADBEEFu32.into(); - let trie_inputs = Default::default(); - let mpt_insert = KERNEL.global_labels["mpt_insert_receipt_trie"]; - let num_topics = 3; // Both transactions have the same number of topics. - let payload_len = 423; // Total payload length for each receipt. - let logs_payload_len = 157; // Payload length for all logs. - let log_payload_len = 155; // Payload length for one log. - let num_logs = 1; - - // Receipt_0: - let status_0 = 1; - let cum_gas_used_0 = 0x016e5b; - let logs_bloom_0_bytes = vec![ - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 0x40, 00, 00, 00, 00, 0x50, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x02, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x08, 00, 0x08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x50, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x10, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x20, 00, 00, 00, 00, 00, 0x08, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - ]; - - // Logs_0: - let logs_bloom_0: Vec = logs_bloom_0_bytes - .into_iter() - .map(|elt| elt.into()) - .collect(); - - let addr = U256::from([ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x7e, 0xf6, 0x6b, 0x77, 0x75, 0x9e, 0x12, 0xca, 0xf3, - 0xdd, 0xb3, 0xe4, 0xaf, 0xf5, 0x24, 0xe5, 0x77, 0xc5, 0x9d, 0x8d, - ]); - - // The first topic is shared by the two transactions. - let topic1 = U256::from([ - 0x8a, 0x22, 0xee, 0x89, 0x91, 0x02, 0xa3, 0x66, 0xac, 0x8a, 0xd0, 0x49, 0x51, 0x27, 0x31, - 0x9c, 0xb1, 0xff, 0x24, 0x03, 0xcf, 0xae, 0x85, 0x5f, 0x83, 0xa8, 0x9c, 0xda, 0x12, 0x66, - 0x67, 0x4d, - ]); - - let topic02 = 0x2a.into(); - let topic03 = 0xbd9fe6.into(); - - let mut logs_0 = vec![ - log_payload_len.into(), // payload_len - addr, - num_topics.into(), // num_topics - topic1, // topic1 - topic02, // topic2 - topic03, // topic3 - 32.into(), // data_len - ]; - let cur_data = hex!("f7af1cc94b1aef2e0fa15f1b4baefa86eb60e78fa4bd082372a0a446d197fb58") - .iter() - .copied() - .map(U256::from); - logs_0.extend(cur_data); - - let mut receipt: Vec = vec![423.into(), status_0.into(), cum_gas_used_0.into()]; - receipt.extend(logs_bloom_0); - receipt.push(logs_payload_len.into()); // logs_payload_len - receipt.push(num_logs.into()); // num_logs - receipt.extend(logs_0.clone()); - - let mut interpreter = Interpreter::new_with_kernel(0, vec![]); - initialize_mpts(&mut interpreter, &trie_inputs); - - // If TrieData is empty, we need to push 0 because the first value is always 0. - let mut cur_trie_data = interpreter.get_memory_segment(Segment::TrieData); - if cur_trie_data.is_empty() { - cur_trie_data.push(0.into()); - } - - // stack: transaction_nb, value_ptr, retdest - let num_nibbles = 2; - let initial_stack: Vec = vec![ - retdest, - cur_trie_data.len().into(), - 0x80.into(), - num_nibbles.into(), - ]; - for i in 0..initial_stack.len() { - interpreter - .push(initial_stack[i]) - .expect("The stack should not overflow"); - } - - interpreter.generation_state.registers.program_counter = mpt_insert; - - // Set memory. - cur_trie_data.extend(receipt); - interpreter.set_memory_segment(Segment::TrieData, cur_trie_data.clone()); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, cur_trie_data.len().into()); - // First insertion. - interpreter.run()?; - - // receipt_1: - let status_1 = 1; - let cum_gas_used_1 = 0x02dcb6; - let logs_bloom_1_bytes = vec![ - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 0x40, 00, 00, 00, 00, 0x10, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x02, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x08, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x01, 00, 00, 00, 0x40, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 0x20, 00, 0x04, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x80, 00, 00, 00, 00, 00, 00, 00, 00, 00, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 0x08, - 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, - ]; - - // Logs_1: - let logs_bloom_1: Vec = logs_bloom_1_bytes - .into_iter() - .map(|elt| elt.into()) - .collect(); - - let topic12 = 4.into(); - let topic13 = 0x4920ea.into(); - - let mut logs_1 = vec![ - log_payload_len.into(), // payload length - addr, - num_topics.into(), // nb topics - topic1, // topic1 - topic12, // topic2 - topic13, // topic3 - 32.into(), // data length - ]; - let cur_data = hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .iter() - .copied() - .map(U256::from); - logs_1.extend(cur_data); - - let mut receipt_1: Vec = vec![payload_len.into(), status_1.into(), cum_gas_used_1.into()]; - receipt_1.extend(logs_bloom_1); - receipt_1.push(logs_payload_len.into()); // logs payload len - receipt_1.push(num_logs.into()); // nb logs - receipt_1.extend(logs_1.clone()); - - // Get updated TrieData segment. - cur_trie_data = interpreter.get_memory_segment(Segment::TrieData); - let num_nibbles = 2; - let initial_stack2: Vec = vec![ - retdest, - cur_trie_data.len().into(), - 0x01.into(), - num_nibbles.into(), - ]; - for i in 0..initial_stack2.len() { - interpreter - .push(initial_stack2[i]) - .expect("The stack should not overflow"); - } - cur_trie_data.extend(receipt_1); - - // Set memory. - interpreter.generation_state.registers.program_counter = mpt_insert; - interpreter.set_memory_segment(Segment::TrieData, cur_trie_data.clone()); - interpreter.set_global_metadata_field(GlobalMetadata::TrieDataSize, cur_trie_data.len().into()); - interpreter.run()?; - - // Finally, check that the hashes correspond. - let mpt_hash_receipt = KERNEL.global_labels["mpt_hash_receipt_trie"]; - interpreter.generation_state.registers.program_counter = mpt_hash_receipt; - interpreter - .push(retdest) - .expect("The stack should not overflow"); - interpreter - .push(1.into()) // Initial length of the trie data segment, unused.; // Initial length of the trie data segment, unused. - .expect("The stack should not overflow"); - interpreter.run()?; - assert_eq!( - interpreter.stack()[1], - U256::from(hex!( - "da46cdd329bfedace32da95f2b344d314bc6f55f027d65f9f4ac04ee425e1f98" - )) - ); - Ok(()) -} - -#[test] -fn test_bloom_two_logs() -> Result<()> { - // Tests the Bloom filter computation with two logs in one transaction. - - // address - let to = [ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x09, 0x5e, 0x7b, 0xae, 0xa6, 0xa6, 0xc7, 0xc4, 0xc2, - 0xdf, 0xeb, 0x97, 0x7e, 0xfa, 0xc3, 0x26, 0xaf, 0x55, 0x2d, 0x87, - ]; - - let retdest = 0xDEADBEEFu32.into(); - let logs_bloom = KERNEL.global_labels["logs_bloom"]; - - let initial_stack: Vec = vec![retdest]; - - // Set memory. - let logs = vec![ - 0.into(), // unused - to.into(), // address - 0.into(), // num_topics - 0.into(), // data_len, - 0.into(), // unused: rlp - to.into(), - 2.into(), // num_topics - 0x62.into(), - 0x63.into(), - 5.into(), - [ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xa1, - 0xb2, 0xc3, 0xd4, 0xe5, - ] - .into(), - ]; - let mut interpreter = Interpreter::new_with_kernel(logs_bloom, initial_stack); - interpreter.set_memory_segment(Segment::TxnBloom, vec![0.into(); 256]); // Initialize transaction Bloom filter. - interpreter.set_memory_segment(Segment::LogsData, logs); - interpreter.set_memory_segment(Segment::Logs, vec![0.into(), 4.into()]); - interpreter.set_global_metadata_field(GlobalMetadata::LogsLen, U256::from(2)); - interpreter.run()?; - - let loaded_bloom_bytes: Vec = interpreter - .get_memory_segment(Segment::TxnBloom) - .into_iter() - .map(|elt| elt.0[0] as u8) - .collect(); - - let expected = hex!("00000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000004000000000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000400000000000040000000000000000000000000002000000000000000000000000000").to_vec(); - - assert_eq!(expected, loaded_bloom_bytes); - Ok(()) -} - -fn logs_bloom_bytes_fn(logs_list: Vec<(Vec, Vec>)>) -> [u8; 256] { - // The first element of logs_list. - let mut bloom = [0_u8; 256]; - - for log in logs_list { - let cur_addr = log.0; - let topics = log.1; - - add_to_bloom(&mut bloom, &cur_addr); - for topic in topics { - add_to_bloom(&mut bloom, &topic); - } - } - bloom -} - -fn add_to_bloom(bloom: &mut [u8; 256], bloom_entry: &[u8]) { - let bloom_hash = keccak(bloom_entry).to_fixed_bytes(); - - for idx in 0..3 { - let bit_pair = u16::from_be_bytes(bloom_hash[2 * idx..2 * (idx + 1)].try_into().unwrap()); - let bit_to_set = 0x07FF - (bit_pair & 0x07FF); - let byte_index = bit_to_set / 8; - let bit_value = 1 << (7 - bit_to_set % 8); - bloom[byte_index as usize] |= bit_value; - } -} diff --git a/evm/src/cpu/kernel/tests/rlp/decode.rs b/evm/src/cpu/kernel/tests/rlp/decode.rs deleted file mode 100644 index 1f3260e56f..0000000000 --- a/evm/src/cpu/kernel/tests/rlp/decode.rs +++ /dev/null @@ -1,125 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn test_decode_rlp_string_len_short() -> Result<()> { - let decode_rlp_string_len = KERNEL.global_labels["decode_rlp_string_len"]; - - let initial_stack = vec![ - 0xDEADBEEFu32.into(), - U256::from(Segment::RlpRaw as usize + 2), - ]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_string_len, initial_stack); - - // A couple dummy bytes, followed by "0x70" which is its own encoding. - interpreter.set_rlp_memory(vec![123, 234, 0x70]); - - interpreter.run()?; - let expected_stack = vec![1.into(), U256::from(Segment::RlpRaw as usize + 2)]; // len, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} - -#[test] -fn test_decode_rlp_string_len_medium() -> Result<()> { - let decode_rlp_string_len = KERNEL.global_labels["decode_rlp_string_len"]; - - let initial_stack = vec![ - 0xDEADBEEFu32.into(), - U256::from(Segment::RlpRaw as usize + 2), - ]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_string_len, initial_stack); - - // A couple dummy bytes, followed by the RLP encoding of "1 2 3 4 5". - interpreter.set_rlp_memory(vec![123, 234, 0x85, 1, 2, 3, 4, 5]); - - interpreter.run()?; - let expected_stack = vec![5.into(), U256::from(Segment::RlpRaw as usize + 3)]; // len, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} - -#[test] -fn test_decode_rlp_string_len_long() -> Result<()> { - let decode_rlp_string_len = KERNEL.global_labels["decode_rlp_string_len"]; - - let initial_stack = vec![ - 0xDEADBEEFu32.into(), - U256::from(Segment::RlpRaw as usize + 2), - ]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_string_len, initial_stack); - - // The RLP encoding of the string "1 2 3 ... 56". - interpreter.set_rlp_memory(vec![ - 123, 234, 0xb8, 56, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, - 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, - 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, - ]); - - interpreter.run()?; - let expected_stack = vec![56.into(), U256::from(Segment::RlpRaw as usize + 4)]; // len, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} - -#[test] -fn test_decode_rlp_list_len_short() -> Result<()> { - let decode_rlp_list_len = KERNEL.global_labels["decode_rlp_list_len"]; - - let initial_stack = vec![0xDEADBEEFu32.into(), U256::from(Segment::RlpRaw as usize)]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_list_len, initial_stack); - - // The RLP encoding of [1, 2, [3, 4]]. - interpreter.set_rlp_memory(vec![0xc5, 1, 2, 0xc2, 3, 4]); - - interpreter.run()?; - let expected_stack = vec![5.into(), U256::from(Segment::RlpRaw as usize + 1)]; // len, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} - -#[test] -fn test_decode_rlp_list_len_long() -> Result<()> { - let decode_rlp_list_len = KERNEL.global_labels["decode_rlp_list_len"]; - - let initial_stack = vec![0xDEADBEEFu32.into(), U256::from(Segment::RlpRaw as usize)]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_list_len, initial_stack); - - // The RLP encoding of [1, ..., 56]. - interpreter.set_rlp_memory(vec![ - 0xf8, 56, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, - 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, - 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, - ]); - - interpreter.run()?; - let expected_stack = vec![56.into(), U256::from(Segment::RlpRaw as usize + 2)]; // len, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} - -#[test] -fn test_decode_rlp_scalar() -> Result<()> { - let decode_rlp_scalar = KERNEL.global_labels["decode_rlp_scalar"]; - - let initial_stack = vec![0xDEADBEEFu32.into(), U256::from(Segment::RlpRaw as usize)]; - let mut interpreter = Interpreter::new_with_kernel(decode_rlp_scalar, initial_stack); - - // The RLP encoding of "12 34 56". - interpreter.set_rlp_memory(vec![0x83, 0x12, 0x34, 0x56]); - - interpreter.run()?; - let expected_stack = vec![0x123456.into(), U256::from(Segment::RlpRaw as usize + 4)]; // scalar, pos - assert_eq!(interpreter.stack(), expected_stack); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/rlp/encode.rs b/evm/src/cpu/kernel/tests/rlp/encode.rs deleted file mode 100644 index d28a763fe8..0000000000 --- a/evm/src/cpu/kernel/tests/rlp/encode.rs +++ /dev/null @@ -1,159 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; -use crate::memory::segments::Segment; - -#[test] -fn test_encode_rlp_scalar_small() -> Result<()> { - let encode_rlp_scalar = KERNEL.global_labels["encode_rlp_scalar"]; - - let retdest = 0xDEADBEEFu32.into(); - let scalar = 42.into(); - let pos = U256::from(Segment::RlpRaw as usize + 2); - let initial_stack = vec![retdest, scalar, pos]; - let mut interpreter = Interpreter::new_with_kernel(encode_rlp_scalar, initial_stack); - - interpreter.run()?; - let expected_stack = vec![pos + U256::from(1)]; // pos' = pos + rlp_len = 2 + 1 - let expected_rlp = vec![0, 0, 42]; - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} - -#[test] -fn test_encode_rlp_scalar_medium() -> Result<()> { - let encode_rlp_scalar = KERNEL.global_labels["encode_rlp_scalar"]; - - let retdest = 0xDEADBEEFu32.into(); - let scalar = 0x12345.into(); - let pos = U256::from(Segment::RlpRaw as usize + 2); - let initial_stack = vec![retdest, scalar, pos]; - let mut interpreter = Interpreter::new_with_kernel(encode_rlp_scalar, initial_stack); - - interpreter.run()?; - let expected_stack = vec![pos + U256::from(4)]; // pos' = pos + rlp_len = 2 + 4 - let expected_rlp = vec![0, 0, 0x80 + 3, 0x01, 0x23, 0x45]; - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} - -#[test] -fn test_encode_rlp_160() -> Result<()> { - let encode_rlp_fixed = KERNEL.global_labels["encode_rlp_fixed"]; - - let retdest = 0xDEADBEEFu32.into(); - let string = 0x12345.into(); - let pos = U256::from(Segment::RlpRaw as usize); - let initial_stack = vec![retdest, string, pos, U256::from(20)]; - let mut interpreter = Interpreter::new_with_kernel(encode_rlp_fixed, initial_stack); - - interpreter.run()?; - let expected_stack = vec![pos + U256::from(1 + 20)]; // pos' - #[rustfmt::skip] - let expected_rlp = vec![0x80 + 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0x23, 0x45]; - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} - -#[test] -fn test_encode_rlp_256() -> Result<()> { - let encode_rlp_fixed = KERNEL.global_labels["encode_rlp_fixed"]; - - let retdest = 0xDEADBEEFu32.into(); - let string = 0x12345.into(); - let pos = U256::from(Segment::RlpRaw as usize); - let initial_stack = vec![retdest, string, pos, U256::from(32)]; - let mut interpreter = Interpreter::new_with_kernel(encode_rlp_fixed, initial_stack); - - interpreter.run()?; - let expected_stack = vec![pos + U256::from(1 + 32)]; // pos' - #[rustfmt::skip] - let expected_rlp = vec![0x80 + 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x01, 0x23, 0x45]; - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} - -#[test] -fn test_prepend_rlp_list_prefix_small() -> Result<()> { - let prepend_rlp_list_prefix = KERNEL.global_labels["prepend_rlp_list_prefix"]; - - let retdest = 0xDEADBEEFu32.into(); - let start_pos = U256::from(Segment::RlpRaw as usize + 9); - let end_pos = U256::from(Segment::RlpRaw as usize + 9 + 5); - let initial_stack = vec![retdest, start_pos, end_pos]; - let mut interpreter = Interpreter::new_with_kernel(prepend_rlp_list_prefix, initial_stack); - interpreter.set_rlp_memory(vec![ - // Nine 0s to leave room for the longest possible RLP list prefix. - 0, 0, 0, 0, 0, 0, 0, 0, 0, - // The actual RLP list payload, consisting of 5 tiny strings. - 1, 2, 3, 4, 5, - ]); - - interpreter.run()?; - - let expected_rlp_len = 6.into(); - let expected_start_pos = U256::from(Segment::RlpRaw as usize + 8); - let expected_stack = vec![expected_rlp_len, expected_start_pos]; - let expected_rlp = vec![0, 0, 0, 0, 0, 0, 0, 0, 0xc0 + 5, 1, 2, 3, 4, 5]; - - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} - -#[test] -fn test_prepend_rlp_list_prefix_large() -> Result<()> { - let prepend_rlp_list_prefix = KERNEL.global_labels["prepend_rlp_list_prefix"]; - - let retdest = 0xDEADBEEFu32.into(); - let start_pos = U256::from(Segment::RlpRaw as usize + 9); - let end_pos = U256::from(Segment::RlpRaw as usize + 9 + 60); - let initial_stack = vec![retdest, start_pos, end_pos]; - let mut interpreter = Interpreter::new_with_kernel(prepend_rlp_list_prefix, initial_stack); - - #[rustfmt::skip] - interpreter.set_rlp_memory(vec![ - // Nine 0s to leave room for the longest possible RLP list prefix. - 0, 0, 0, 0, 0, 0, 0, 0, 0, - // The actual RLP list payload, consisting of 60 tiny strings. - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, - 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, - 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, - 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, - 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, - 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, - ]); - - interpreter.run()?; - - let expected_rlp_len = 62.into(); - let expected_start_pos = U256::from(Segment::RlpRaw as usize + 7); - let expected_stack = vec![expected_rlp_len, expected_start_pos]; - - #[rustfmt::skip] - let expected_rlp = vec![ - 0, 0, 0, 0, 0, 0, 0, 0xf7 + 1, 60, - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, - 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, - 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, - 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, - 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, - 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, - ]; - - assert_eq!(interpreter.stack(), expected_stack); - assert_eq!(interpreter.get_rlp_memory(), expected_rlp); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/rlp/mod.rs b/evm/src/cpu/kernel/tests/rlp/mod.rs deleted file mode 100644 index 3629434f6e..0000000000 --- a/evm/src/cpu/kernel/tests/rlp/mod.rs +++ /dev/null @@ -1,3 +0,0 @@ -mod decode; -mod encode; -mod num_bytes; diff --git a/evm/src/cpu/kernel/tests/rlp/num_bytes.rs b/evm/src/cpu/kernel/tests/rlp/num_bytes.rs deleted file mode 100644 index fa4066fe55..0000000000 --- a/evm/src/cpu/kernel/tests/rlp/num_bytes.rs +++ /dev/null @@ -1,46 +0,0 @@ -use anyhow::Result; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; - -#[test] -fn test_num_bytes_0() -> Result<()> { - let num_bytes = KERNEL.global_labels["num_bytes"]; - - let retdest = 0xDEADBEEFu32.into(); - let x = 0.into(); - let initial_stack = vec![retdest, x]; - let mut interpreter = Interpreter::new_with_kernel(num_bytes, initial_stack); - - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![1.into()]); - Ok(()) -} - -#[test] -fn test_num_bytes_small() -> Result<()> { - let num_bytes = KERNEL.global_labels["num_bytes"]; - - let retdest = 0xDEADBEEFu32.into(); - let x = 42.into(); - let initial_stack = vec![retdest, x]; - let mut interpreter = Interpreter::new_with_kernel(num_bytes, initial_stack); - - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![1.into()]); - Ok(()) -} - -#[test] -fn test_num_bytes_medium() -> Result<()> { - let num_bytes = KERNEL.global_labels["num_bytes"]; - - let retdest = 0xDEADBEEFu32.into(); - let x = 0xAABBCCDDu32.into(); - let initial_stack = vec![retdest, x]; - let mut interpreter = Interpreter::new_with_kernel(num_bytes, initial_stack); - - interpreter.run()?; - assert_eq!(interpreter.stack(), vec![4.into()]); - Ok(()) -} diff --git a/evm/src/cpu/kernel/tests/signed_syscalls.rs b/evm/src/cpu/kernel/tests/signed_syscalls.rs deleted file mode 100644 index 74b3524b00..0000000000 --- a/evm/src/cpu/kernel/tests/signed_syscalls.rs +++ /dev/null @@ -1,168 +0,0 @@ -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::interpreter::Interpreter; - -/// Generate a list of inputs suitable for testing the signed operations -/// -/// The result includes 0, ±1, ±2^(16i ± 1) for i = 0..15, and ±2^255 -/// and then each of those ±1. Little attempt has been made to avoid -/// duplicates. Total length is 279. -fn test_inputs() -> Vec { - let mut res = vec![U256::zero()]; - for i in 1..16 { - res.push(U256::one() << (16 * i)); - res.push(U256::one() << (16 * i + 1)); - res.push(U256::one() << (16 * i - 1)); - } - res.push(U256::one() << 255); - - let n = res.len(); - for i in 1..n { - // push -res[i] - res.push(res[i].overflowing_neg().0); - } - - let n = res.len(); - for i in 0..n { - res.push(res[i].overflowing_add(U256::one()).0); - res.push(res[i].overflowing_sub(U256::one()).0); - } - - res -} - -// U256_TOP_BIT == 2^255. -const U256_TOP_BIT: U256 = U256([0x0, 0x0, 0x0, 0x8000000000000000]); - -/// Given a U256 `value`, interpret as a signed 256-bit number and -/// return the arithmetic right shift of `value` by `shift` bit -/// positions, i.e. the right shift of `value` with sign extension. -fn u256_sar(shift: U256, value: U256) -> U256 { - // Reference: Hacker's Delight, 2013, 2nd edition, §2-7. - let shift = shift.min(U256::from(255)); - ((value ^ U256_TOP_BIT) >> shift) - .overflowing_sub(U256_TOP_BIT >> shift) - .0 -} - -/// Given a U256 x, interpret it as a signed 256-bit number and return -/// the pair abs(x) and sign(x), where sign(x) = 1 if x < 0, and 0 -/// otherwise. NB: abs(x) is interpreted as an unsigned value, so -/// u256_abs_sgn(-2^255) = (2^255, -1). -fn u256_abs_sgn(x: U256) -> (U256, bool) { - let is_neg = x.bit(255); - - // negate x if it's negative - let x = if is_neg { x.overflowing_neg().0 } else { x }; - (x, is_neg) -} - -fn u256_sdiv(x: U256, y: U256) -> U256 { - let (abs_x, x_is_neg) = u256_abs_sgn(x); - let (abs_y, y_is_neg) = u256_abs_sgn(y); - if y.is_zero() { - U256::zero() - } else { - let quot = abs_x / abs_y; - // negate the quotient if arguments had opposite signs - if x_is_neg != y_is_neg { - quot.overflowing_neg().0 - } else { - quot - } - } -} - -fn u256_smod(x: U256, y: U256) -> U256 { - let (abs_x, x_is_neg) = u256_abs_sgn(x); - let (abs_y, _) = u256_abs_sgn(y); - - if y.is_zero() { - U256::zero() - } else { - let rem = abs_x % abs_y; - // negate the remainder if dividend was negative - if x_is_neg { - rem.overflowing_neg().0 - } else { - rem - } - } -} - -// signextend is just a SHL followed by SAR. -fn u256_signextend(byte: U256, value: U256) -> U256 { - // byte = min(31, byte) - let byte: u32 = byte.min(U256::from(31)).try_into().unwrap(); - let bit_offset = 256 - 8 * (byte + 1); - u256_sar(U256::from(bit_offset), value << bit_offset) -} - -// Reference: Hacker's Delight, 2013, 2nd edition, §2-12. -fn u256_slt(x: U256, y: U256) -> U256 { - let top_bit: U256 = U256::one() << 255; - U256::from(((x ^ top_bit) < (y ^ top_bit)) as u32) -} - -fn u256_sgt(x: U256, y: U256) -> U256 { - u256_slt(y, x) -} - -fn run_test(fn_label: &str, expected_fn: fn(U256, U256) -> U256, opname: &str) { - let inputs = test_inputs(); - let fn_label = KERNEL.global_labels[fn_label]; - let retdest = U256::from(0xDEADBEEFu32); - - for &x in &inputs { - for &y in &inputs { - let stack = vec![retdest, y, x]; - let mut interpreter = Interpreter::new_with_kernel(fn_label, stack); - interpreter.run().unwrap(); - assert_eq!(interpreter.stack_len(), 1usize, "unexpected stack size"); - let output = interpreter - .stack_top() - .expect("The stack should not be empty."); - let expected_output = expected_fn(x, y); - assert_eq!( - output, expected_output, - "{opname}({x}, {y}): expected {expected_output} but got {output}" - ); - } - } -} - -#[test] -fn test_sdiv() { - // Double-check that the expected output calculation is correct in the special case. - let x = U256::one() << 255; // -2^255 - let y = U256::one().overflowing_neg().0; // -1 - assert_eq!(u256_sdiv(x, y), x); // SDIV(-2^255, -1) = -2^255. - - run_test("_sys_sdiv", u256_sdiv, "SDIV"); -} - -#[test] -fn test_smod() { - run_test("_sys_smod", u256_smod, "SMOD"); -} - -#[test] -fn test_signextend() { - run_test("_sys_signextend", u256_signextend, "SIGNEXTEND"); -} - -#[test] -fn test_sar() { - run_test("_sys_sar", u256_sar, "SAR"); -} - -#[test] -fn test_slt() { - run_test("_sys_slt", u256_slt, "SLT"); -} - -#[test] -fn test_sgt() { - run_test("_sys_sgt", u256_sgt, "SGT"); -} diff --git a/evm/src/cpu/kernel/tests/transaction_parsing/mod.rs b/evm/src/cpu/kernel/tests/transaction_parsing/mod.rs deleted file mode 100644 index fb50625f9e..0000000000 --- a/evm/src/cpu/kernel/tests/transaction_parsing/mod.rs +++ /dev/null @@ -1 +0,0 @@ -mod parse_type_0_txn; diff --git a/evm/src/cpu/kernel/tests/transaction_parsing/parse_type_0_txn.rs b/evm/src/cpu/kernel/tests/transaction_parsing/parse_type_0_txn.rs deleted file mode 100644 index 5976acaf65..0000000000 --- a/evm/src/cpu/kernel/tests/transaction_parsing/parse_type_0_txn.rs +++ /dev/null @@ -1,66 +0,0 @@ -use anyhow::Result; -use ethereum_types::U256; -use hex_literal::hex; -use NormalizedTxnField::*; - -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::txn_fields::NormalizedTxnField; -use crate::cpu::kernel::interpreter::Interpreter; - -#[test] -fn process_type_0_txn() -> Result<()> { - let process_type_0_txn = KERNEL.global_labels["process_type_0_txn"]; - let process_normalized_txn = KERNEL.global_labels["process_normalized_txn"]; - - let retaddr = 0xDEADBEEFu32.into(); - let mut interpreter = Interpreter::new_with_kernel(process_type_0_txn, vec![retaddr]); - - // When we reach process_normalized_txn, we're done with parsing and normalizing. - // Processing normalized transactions is outside the scope of this test. - interpreter.halt_offsets.push(process_normalized_txn); - - // Generated with py-evm: - // import eth, eth_keys, eth_utils, rlp - // genesis_params = { 'difficulty': eth.constants.GENESIS_DIFFICULTY } - // chain = eth.chains.mainnet.MainnetChain.from_genesis(eth.db.atomic.AtomicDB(), genesis_params, {}) - // unsigned_txn = chain.create_unsigned_transaction( - // nonce=5, - // gas_price=10, - // gas=22_000, - // to=eth.constants.ZERO_ADDRESS, - // value=100, - // data=b'\x42\x42', - // ) - // sk = eth_keys.keys.PrivateKey(eth_utils.decode_hex('4c0883a69102937d6231471b5dbb6204fe5129617082792ae468d01a3f362318')) - // signed_txn = unsigned_txn.as_signed_transaction(sk) - // rlp.encode(signed_txn).hex() - interpreter.set_rlp_memory(hex!("f861050a8255f0940000000000000000000000000000000000000000648242421ca07c5c61ed975ebd286f6b027b8c504842e50a47d318e1e801719dd744fe93e6c6a01e7b5119b57dd54e175ff2f055c91f3ab1b53eba0b2c184f347cdff0e745aca2").to_vec()); - - interpreter.run()?; - - assert_eq!(interpreter.get_txn_field(ChainIdPresent), 0.into()); - assert_eq!(interpreter.get_txn_field(ChainId), 0.into()); - assert_eq!(interpreter.get_txn_field(Nonce), 5.into()); - assert_eq!(interpreter.get_txn_field(MaxPriorityFeePerGas), 10.into()); - assert_eq!(interpreter.get_txn_field(MaxPriorityFeePerGas), 10.into()); - assert_eq!(interpreter.get_txn_field(MaxFeePerGas), 10.into()); - assert_eq!(interpreter.get_txn_field(To), 0.into()); - assert_eq!(interpreter.get_txn_field(Value), 100.into()); - assert_eq!(interpreter.get_txn_field(DataLen), 2.into()); - assert_eq!(interpreter.get_txn_data(), &[0x42.into(), 0x42.into()]); - assert_eq!(interpreter.get_txn_field(YParity), 1.into()); - assert_eq!( - interpreter.get_txn_field(R), - U256::from_big_endian(&hex!( - "7c5c61ed975ebd286f6b027b8c504842e50a47d318e1e801719dd744fe93e6c6" - )) - ); - assert_eq!( - interpreter.get_txn_field(S), - U256::from_big_endian(&hex!( - "1e7b5119b57dd54e175ff2f055c91f3ab1b53eba0b2c184f347cdff0e745aca2" - )) - ); - - Ok(()) -} diff --git a/evm/src/cpu/kernel/utils.rs b/evm/src/cpu/kernel/utils.rs deleted file mode 100644 index 18b5f54822..0000000000 --- a/evm/src/cpu/kernel/utils.rs +++ /dev/null @@ -1,73 +0,0 @@ -use core::fmt::Debug; - -use ethereum_types::U256; -use plonky2_util::ceil_div_usize; - -/// Enumerate the length `W` windows of `vec`, and run `maybe_replace` on each one. -/// -/// Whenever `maybe_replace` returns `Some(replacement)`, the given replacement will be applied. -pub(crate) fn replace_windows(vec: &mut Vec, maybe_replace: F) -where - T: Clone + Debug, - F: Fn([T; W]) -> Option>, -{ - let mut start = 0; - while start + W <= vec.len() { - let range = start..start + W; - let window = vec[range.clone()].to_vec().try_into().unwrap(); - if let Some(replacement) = maybe_replace(window) { - vec.splice(range, replacement); - // Go back to the earliest window that changed. - start = start.saturating_sub(W - 1); - } else { - start += 1; - } - } -} - -pub(crate) fn u256_to_trimmed_be_bytes(u256: &U256) -> Vec { - let num_bytes = ceil_div_usize(u256.bits(), 8); - // `byte` is little-endian, so we manually reverse it. - (0..num_bytes).rev().map(|i| u256.byte(i)).collect() -} - -pub(crate) const fn u256_from_bool(b: bool) -> U256 { - if b { - U256::one() - } else { - U256::zero() - } -} - -#[cfg(test)] -mod tests { - use super::*; - - #[test] - fn test_replace_windows() { - // This replacement function adds pairs of integers together. - let mut vec = vec![1, 2, 3, 4, 5]; - replace_windows(&mut vec, |[x, y]| Some(vec![x + y])); - assert_eq!(vec, vec![15u32]); - - // This replacement function splits each composite integer into two factors. - let mut vec = vec![9, 1, 6, 8, 15, 7, 9]; - replace_windows(&mut vec, |[n]| { - (2..n).find(|d| n % d == 0).map(|d| vec![d, n / d]) - }); - assert_eq!(vec, vec![3, 3, 1, 2, 3, 2, 2, 2, 3, 5, 7, 3, 3]); - } - - #[test] - fn literal_to_be_bytes() { - assert_eq!(u256_to_trimmed_be_bytes(&0.into()), Vec::::new()); - - assert_eq!(u256_to_trimmed_be_bytes(&1.into()), vec![0x01]); - - assert_eq!(u256_to_trimmed_be_bytes(&768.into()), vec![0x03, 0x00]); - - assert_eq!(u256_to_trimmed_be_bytes(&0xa1b2.into()), vec![0xa1, 0xb2]); - - assert_eq!(u256_to_trimmed_be_bytes(&0x1b2.into()), vec![0x1, 0xb2]); - } -} diff --git a/evm/src/cpu/membus.rs b/evm/src/cpu/membus.rs deleted file mode 100644 index 6ce845613d..0000000000 --- a/evm/src/cpu/membus.rs +++ /dev/null @@ -1,84 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -/// General-purpose memory channels; they can read and write to all contexts/segments/addresses. -pub(crate) const NUM_GP_CHANNELS: usize = 3; - -/// Indices for code and general purpose memory channels. -pub mod channel_indices { - use core::ops::Range; - - pub(crate) const CODE: usize = 0; - pub(crate) const GP: Range = CODE + 1..(CODE + 1) + super::NUM_GP_CHANNELS; -} - -/// Total memory channels used by the CPU table. This includes all the `GP_MEM_CHANNELS` as well as -/// all special-purpose memory channels. -/// -/// Currently, there is one special-purpose memory channel, which reads the opcode from memory. Its -/// limitations are: -/// - it is enabled by `is_cpu_cycle`, -/// - it always reads and cannot write, -/// - the context is derived from the current context and the `is_kernel_mode` flag, -/// - the segment is hard-wired to the code segment, -/// - the address is `program_counter`, -/// - the value must fit in one byte (in the least-significant position) and its eight bits are -/// found in `opcode_bits`. -/// -/// There is also a partial channel, which shares its values with another general purpose channel. -/// -/// These limitations save us numerous columns in the CPU table. -pub(crate) const NUM_CHANNELS: usize = channel_indices::GP.end + 1; - -/// Evaluates constraints regarding the membus. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // Validate `lv.code_context`. - // It should be 0 if in kernel mode and `lv.context` if in user mode. - yield_constr.constraint(lv.code_context - (P::ONES - lv.is_kernel_mode) * lv.context); - - // Validate `channel.used`. It should be binary. - for channel in lv.mem_channels { - yield_constr.constraint(channel.used * (channel.used - P::ONES)); - } - - // Validate `partial_channel.used`. It should be binary. - yield_constr.constraint(lv.partial_channel.used * (lv.partial_channel.used - P::ONES)); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints regarding the membus. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // Validate `lv.code_context`. - // It should be 0 if in kernel mode and `lv.context` if in user mode. - let diff = builder.sub_extension(lv.context, lv.code_context); - let constr = builder.mul_sub_extension(lv.is_kernel_mode, lv.context, diff); - yield_constr.constraint(builder, constr); - - // Validate `channel.used`. It should be binary. - for channel in lv.mem_channels { - let constr = builder.mul_sub_extension(channel.used, channel.used, channel.used); - yield_constr.constraint(builder, constr); - } - - // Validate `partial_channel.used`. It should be binary. - { - let constr = builder.mul_sub_extension( - lv.partial_channel.used, - lv.partial_channel.used, - lv.partial_channel.used, - ); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/memio.rs b/evm/src/cpu/memio.rs deleted file mode 100644 index 924f030f5f..0000000000 --- a/evm/src/cpu/memio.rs +++ /dev/null @@ -1,367 +0,0 @@ -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use super::cpu_stark::get_addr; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::stack; -use crate::memory::segments::Segment; - -const fn get_addr_load(lv: &CpuColumnsView) -> (T, T, T) { - get_addr(lv, 0) -} -const fn get_addr_store(lv: &CpuColumnsView) -> (T, T, T) { - get_addr(lv, 1) -} - -/// Evaluates constraints for MLOAD_GENERAL. -fn eval_packed_load( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // The opcode for MLOAD_GENERAL is 0xfb. If the operation is MLOAD_GENERAL, lv.opcode_bits[0] = 1. - let filter = lv.op.m_op_general * lv.opcode_bits[0]; - - let (addr_context, addr_segment, addr_virtual) = get_addr_load(lv); - - // Check that we are loading the correct value from the correct address. - let load_channel = lv.mem_channels[1]; - yield_constr.constraint(filter * (load_channel.used - P::ONES)); - yield_constr.constraint(filter * (load_channel.is_read - P::ONES)); - yield_constr.constraint(filter * (load_channel.addr_context - addr_context)); - yield_constr.constraint(filter * (load_channel.addr_segment - addr_segment)); - yield_constr.constraint(filter * (load_channel.addr_virtual - addr_virtual)); - - // Constrain the new top of the stack. - for (&limb_loaded, &limb_new_top) in load_channel - .value - .iter() - .zip(nv.mem_channels[0].value.iter()) - { - yield_constr.constraint(filter * (limb_loaded - limb_new_top)); - } - - // Disable remaining memory channels, if any. - for &channel in &lv.mem_channels[2..] { - yield_constr.constraint(filter * channel.used); - } - yield_constr.constraint(filter * lv.partial_channel.used); - - // Stack constraints - stack::eval_packed_one( - lv, - nv, - filter, - stack::MLOAD_GENERAL_OP.unwrap(), - yield_constr, - ); -} - -/// Circuit version for `eval_packed_load`. -/// Evaluates constraints for MLOAD_GENERAL. -fn eval_ext_circuit_load, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // The opcode for MLOAD_GENERAL is 0xfb. If the operation is MLOAD_GENERAL, lv.opcode_bits[0] = 1. - let mut filter = lv.op.m_op_general; - filter = builder.mul_extension(filter, lv.opcode_bits[0]); - - let (addr_context, addr_segment, addr_virtual) = get_addr_load(lv); - - // Check that we are loading the correct value from the correct channel. - let load_channel = lv.mem_channels[1]; - { - let constr = builder.mul_sub_extension(filter, load_channel.used, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_sub_extension(filter, load_channel.is_read, filter); - yield_constr.constraint(builder, constr); - } - for (channel_field, target) in izip!( - [ - load_channel.addr_context, - load_channel.addr_segment, - load_channel.addr_virtual, - ], - [addr_context, addr_segment, addr_virtual] - ) { - let diff = builder.sub_extension(channel_field, target); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - // Constrain the new top of the stack. - for (&limb_loaded, &limb_new_top) in load_channel - .value - .iter() - .zip(nv.mem_channels[0].value.iter()) - { - let diff = builder.sub_extension(limb_loaded, limb_new_top); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - // Disable remaining memory channels, if any. - for &channel in &lv.mem_channels[2..] { - let constr = builder.mul_extension(filter, channel.used); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_extension(filter, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } - - // Stack constraints - stack::eval_ext_circuit_one( - builder, - lv, - nv, - filter, - stack::MLOAD_GENERAL_OP.unwrap(), - yield_constr, - ); -} - -/// Evaluates constraints for MSTORE_GENERAL. -fn eval_packed_store( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let filter = lv.op.m_op_general * (lv.opcode_bits[0] - P::ONES); - - let (addr_context, addr_segment, addr_virtual) = get_addr_store(lv); - - // The value will be checked with the CTL. - let store_channel = lv.partial_channel; - - yield_constr.constraint(filter * (store_channel.used - P::ONES)); - yield_constr.constraint(filter * store_channel.is_read); - yield_constr.constraint(filter * (store_channel.addr_context - addr_context)); - yield_constr.constraint(filter * (store_channel.addr_segment - addr_segment)); - yield_constr.constraint(filter * (store_channel.addr_virtual - addr_virtual)); - - // Disable remaining memory channels, if any. - for &channel in &lv.mem_channels[2..] { - yield_constr.constraint(filter * channel.used); - } - - // Stack constraints. - // Pops. - for i in 1..2 { - let channel = lv.mem_channels[i]; - - yield_constr.constraint(filter * (channel.used - P::ONES)); - yield_constr.constraint(filter * (channel.is_read - P::ONES)); - - yield_constr.constraint(filter * (channel.addr_context - lv.context)); - yield_constr.constraint( - filter - * (channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - // Remember that the first read (`i == 1`) is for the second stack element at `stack[stack_len - 1]`. - let addr_virtual = lv.stack_len - P::Scalar::from_canonical_usize(i + 1); - yield_constr.constraint(filter * (channel.addr_virtual - addr_virtual)); - } - // Constrain `stack_inv_aux`. - let len_diff = lv.stack_len - P::Scalar::from_canonical_usize(2); - yield_constr.constraint( - lv.op.m_op_general - * (len_diff * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - // If stack_len != 2 and MSTORE, read new top of the stack in nv.mem_channels[0]. - let top_read_channel = nv.mem_channels[0]; - let is_top_read = lv.general.stack().stack_inv_aux * (P::ONES - lv.opcode_bits[0]); - // Constrain `stack_inv_aux_2`. It contains `stack_inv_aux * opcode_bits[0]`. - yield_constr - .constraint(lv.op.m_op_general * (lv.general.stack().stack_inv_aux_2 - is_top_read)); - let new_filter = lv.op.m_op_general * lv.general.stack().stack_inv_aux_2; - yield_constr.constraint_transition(new_filter * (top_read_channel.used - P::ONES)); - yield_constr.constraint_transition(new_filter * (top_read_channel.is_read - P::ONES)); - yield_constr.constraint_transition(new_filter * (top_read_channel.addr_context - nv.context)); - yield_constr.constraint_transition( - new_filter - * (top_read_channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - let addr_virtual = nv.stack_len - P::ONES; - yield_constr.constraint_transition(new_filter * (top_read_channel.addr_virtual - addr_virtual)); - // If stack_len == 2 or MLOAD, disable the channel. - yield_constr.constraint( - lv.op.m_op_general * (lv.general.stack().stack_inv_aux - P::ONES) * top_read_channel.used, - ); - yield_constr.constraint(lv.op.m_op_general * lv.opcode_bits[0] * top_read_channel.used); -} - -/// Circuit version of `eval_packed_store`. -/// Evaluates constraints for MSTORE_GENERAL. -fn eval_ext_circuit_store, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let filter = - builder.mul_sub_extension(lv.op.m_op_general, lv.opcode_bits[0], lv.op.m_op_general); - - let (addr_context, addr_segment, addr_virtual) = get_addr_store(lv); - - // The value will be checked with the CTL. - let store_channel = lv.partial_channel; - { - let constr = builder.mul_sub_extension(filter, store_channel.used, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_extension(filter, store_channel.is_read); - yield_constr.constraint(builder, constr); - } - for (channel_field, target) in izip!( - [ - store_channel.addr_context, - store_channel.addr_segment, - store_channel.addr_virtual, - ], - [addr_context, addr_segment, addr_virtual] - ) { - let diff = builder.sub_extension(channel_field, target); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - - // Disable remaining memory channels, if any. - for &channel in &lv.mem_channels[2..] { - let constr = builder.mul_extension(filter, channel.used); - yield_constr.constraint(builder, constr); - } - - // Stack constraints - // Pops. - for i in 1..2 { - let channel = lv.mem_channels[i]; - - { - let constr = builder.mul_sub_extension(filter, channel.used, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_sub_extension(filter, channel.is_read, filter); - yield_constr.constraint(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_context, lv.context); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - { - let diff = builder.add_const_extension( - channel.addr_segment, - -F::from_canonical_usize(Segment::Stack.unscale()), - ); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - // Remember that the first read (`i == 1`) is for the second stack element at `stack[stack_len - 1]`. - let addr_virtual = - builder.add_const_extension(lv.stack_len, -F::from_canonical_usize(i + 1)); - let diff = builder.sub_extension(channel.addr_virtual, addr_virtual); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - // Constrain `stack_inv_aux`. - { - let len_diff = builder.add_const_extension(lv.stack_len, -F::from_canonical_usize(2)); - let diff = builder.mul_sub_extension( - len_diff, - lv.general.stack().stack_inv, - lv.general.stack().stack_inv_aux, - ); - let constr = builder.mul_extension(lv.op.m_op_general, diff); - yield_constr.constraint(builder, constr); - } - // If stack_len != 2 and MSTORE, read new top of the stack in nv.mem_channels[0]. - let top_read_channel = nv.mem_channels[0]; - let is_top_read = builder.mul_extension(lv.general.stack().stack_inv_aux, lv.opcode_bits[0]); - let is_top_read = builder.sub_extension(lv.general.stack().stack_inv_aux, is_top_read); - // Constrain `stack_inv_aux_2`. It contains `stack_inv_aux * (1 - opcode_bits[0])`. - { - let diff = builder.sub_extension(lv.general.stack().stack_inv_aux_2, is_top_read); - let constr = builder.mul_extension(lv.op.m_op_general, diff); - yield_constr.constraint(builder, constr); - } - let new_filter = builder.mul_extension(lv.op.m_op_general, lv.general.stack().stack_inv_aux_2); - { - let constr = builder.mul_sub_extension(new_filter, top_read_channel.used, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.mul_sub_extension(new_filter, top_read_channel.is_read, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(top_read_channel.addr_context, nv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.add_const_extension( - top_read_channel.addr_segment, - -F::from_canonical_usize(Segment::Stack.unscale()), - ); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let addr_virtual = builder.add_const_extension(nv.stack_len, -F::ONE); - let diff = builder.sub_extension(top_read_channel.addr_virtual, addr_virtual); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - // If stack_len == 2 or MLOAD, disable the channel. - { - let diff = builder.mul_sub_extension( - lv.op.m_op_general, - lv.general.stack().stack_inv_aux, - lv.op.m_op_general, - ); - let constr = builder.mul_extension(diff, top_read_channel.used); - yield_constr.constraint(builder, constr); - } - { - let mul = builder.mul_extension(lv.op.m_op_general, lv.opcode_bits[0]); - let constr = builder.mul_extension(mul, top_read_channel.used); - yield_constr.constraint(builder, constr); - } -} - -/// Evaluates constraints for MLOAD_GENERAL and MSTORE_GENERAL. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - eval_packed_load(lv, nv, yield_constr); - eval_packed_store(lv, nv, yield_constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for MLOAD_GENERAL and MSTORE_GENERAL. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - eval_ext_circuit_load(builder, lv, nv, yield_constr); - eval_ext_circuit_store(builder, lv, nv, yield_constr); -} diff --git a/evm/src/cpu/mod.rs b/evm/src/cpu/mod.rs deleted file mode 100644 index 3d5124ba2b..0000000000 --- a/evm/src/cpu/mod.rs +++ /dev/null @@ -1,21 +0,0 @@ -mod byte_unpacking; -mod clock; -pub(crate) mod columns; -mod contextops; -pub(crate) mod control_flow; -pub mod cpu_stark; -pub(crate) mod decode; -mod dup_swap; -mod gas; -mod halt; -mod jumps; -pub mod kernel; -pub(crate) mod membus; -mod memio; -mod modfp254; -mod pc; -mod push0; -mod shift; -pub(crate) mod simple_logic; -pub(crate) mod stack; -mod syscalls_exceptions; diff --git a/evm/src/cpu/modfp254.rs b/evm/src/cpu/modfp254.rs deleted file mode 100644 index 95bab8d655..0000000000 --- a/evm/src/cpu/modfp254.rs +++ /dev/null @@ -1,53 +0,0 @@ -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -// Python: -// >>> P = 21888242871839275222246405745257275088696311157297823662689037894645226208583 -// >>> "[" + ", ".join(hex((P >> n) % 2**32) for n in range(0, 256, 32)) + "]" -const P_LIMBS: [u32; 8] = [ - 0xd87cfd47, 0x3c208c16, 0x6871ca8d, 0x97816a91, 0x8181585d, 0xb85045b6, 0xe131a029, 0x30644e72, -]; - -/// Evaluates constraints to check the modulus in mem_channel[2]. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let filter = lv.op.fp254_op; - - // We want to use all the same logic as the usual mod operations, but without needing to read - // the modulus from the stack. We simply constrain `mem_channels[1]` to be our prime (that's - // where the modulus goes in the generalized operations). - let channel_val = lv.mem_channels[2].value; - for (channel_limb, p_limb) in izip!(channel_val, P_LIMBS) { - let p_limb = P::Scalar::from_canonical_u32(p_limb); - yield_constr.constraint(filter * (channel_limb - p_limb)); - } -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints to check the modulus in mem_channel[2]. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let filter = lv.op.fp254_op; - - // We want to use all the same logic as the usual mod operations, but without needing to read - // the modulus from the stack. We simply constrain `mem_channels[1]` to be our prime (that's - // where the modulus goes in the generalized operations). - let channel_val = lv.mem_channels[2].value; - for (channel_limb, p_limb) in izip!(channel_val, P_LIMBS) { - let p_limb = F::from_canonical_u32(p_limb); - let constr = builder.arithmetic_extension(F::ONE, -p_limb, filter, channel_limb, filter); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/pc.rs b/evm/src/cpu/pc.rs deleted file mode 100644 index 9635534e50..0000000000 --- a/evm/src/cpu/pc.rs +++ /dev/null @@ -1,46 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -/// Evaluates constraints to check that we are storing the correct PC. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // `PUSH0`'s opcode is odd, while `PC`'s opcode is even. - let filter = lv.op.pc_push0 * (P::ONES - lv.opcode_bits[0]); - let new_stack_top = nv.mem_channels[0].value; - yield_constr.constraint(filter * (new_stack_top[0] - lv.program_counter)); - for &limb in &new_stack_top[1..] { - yield_constr.constraint(filter * limb); - } -} - -/// Circuit version if `eval_packed`. -/// Evaluates constraints to check that we are storing the correct PC. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // `PUSH0`'s opcode is odd, while `PC`'s opcode is even. - let one = builder.one_extension(); - let mut filter = builder.sub_extension(one, lv.opcode_bits[0]); - filter = builder.mul_extension(lv.op.pc_push0, filter); - let new_stack_top = nv.mem_channels[0].value; - { - let diff = builder.sub_extension(new_stack_top[0], lv.program_counter); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - for &limb in &new_stack_top[1..] { - let constr = builder.mul_extension(filter, limb); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/push0.rs b/evm/src/cpu/push0.rs deleted file mode 100644 index ed9f6c10f2..0000000000 --- a/evm/src/cpu/push0.rs +++ /dev/null @@ -1,36 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -/// Evaluates constraints to check that we are not pushing anything. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // `PUSH0`'s opcode is odd, while `PC`'s opcode is even. - let filter = lv.op.pc_push0 * lv.opcode_bits[0]; - for limb in nv.mem_channels[0].value { - yield_constr.constraint(filter * limb); - } -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints to check that we are not pushing anything. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // `PUSH0`'s opcode is odd, while `PC`'s opcode is even. - let filter = builder.mul_extension(lv.op.pc_push0, lv.opcode_bits[0]); - for limb in nv.mem_channels[0].value { - let constr = builder.mul_extension(filter, limb); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/cpu/shift.rs b/evm/src/cpu/shift.rs deleted file mode 100644 index 9e751421ff..0000000000 --- a/evm/src/cpu/shift.rs +++ /dev/null @@ -1,123 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::memory::segments::Segment; - -/// Evaluates constraints for shift operations on the CPU side: -/// the shifting factor is read from memory when displacement < 2^32. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let is_shift = lv.op.shift; - let displacement = lv.mem_channels[0]; // holds the shift displacement d - let two_exp = lv.mem_channels[2]; // holds 2^d - - // Not needed here; val is the input and we're verifying that output is - // val * 2^d (mod 2^256) - // let val = lv.mem_channels[0]; - // let output = lv.mem_channels[NUM_GP_CHANNELS - 1]; - - let shift_table_segment = P::Scalar::from_canonical_usize(Segment::ShiftTable.unscale()); - - // Only lookup the shifting factor when displacement is < 2^32. - // two_exp.used is true (1) if the high limbs of the displacement are - // zero and false (0) otherwise. - let high_limbs_are_zero = two_exp.used; - yield_constr.constraint(is_shift * high_limbs_are_zero * (two_exp.is_read - P::ONES)); - - let high_limbs_sum: P = displacement.value[1..].iter().copied().sum(); - let high_limbs_sum_inv = lv.general.shift().high_limb_sum_inv; - // Verify that high_limbs_are_zero = 0 implies high_limbs_sum != 0 and - // high_limbs_are_zero = 1 implies high_limbs_sum = 0. - let t = high_limbs_sum * high_limbs_sum_inv - (P::ONES - high_limbs_are_zero); - yield_constr.constraint(is_shift * t); - yield_constr.constraint(is_shift * high_limbs_sum * high_limbs_are_zero); - - // When the shift displacement is < 2^32, constrain the two_exp - // mem_channel to be the entry corresponding to `displacement` in - // the shift table lookup (will be zero if displacement >= 256). - yield_constr.constraint(is_shift * two_exp.addr_context); // read from kernel memory - yield_constr.constraint(is_shift * (two_exp.addr_segment - shift_table_segment)); - yield_constr.constraint(is_shift * (two_exp.addr_virtual - displacement.value[0])); - - // Other channels must be unused - for chan in &lv.mem_channels[3..NUM_GP_CHANNELS] { - yield_constr.constraint(is_shift * chan.used); // channel is not used - } - - // Cross-table lookup must connect the memory channels here to MUL - // (in the case of left shift) or DIV (in the case of right shift) - // in the arithmetic table. Specifically, the mapping is - // - // 1 -> 0 (value to be shifted is the same) - // 2 -> 1 (two_exp becomes the multiplicand (resp. divisor)) - // next_0 -> next_0 (output is the same) -} - -/// Circuit version. -/// Evaluates constraints for shift operations on the CPU side: -/// the shifting factor is read from memory when displacement < 2^32. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let is_shift = lv.op.shift; - let displacement = lv.mem_channels[0]; - let two_exp = lv.mem_channels[2]; - - let shift_table_segment = F::from_canonical_usize(Segment::ShiftTable.unscale()); - - // Only lookup the shifting factor when displacement is < 2^32. - // two_exp.used is true (1) if the high limbs of the displacement are - // zero and false (0) otherwise. - let high_limbs_are_zero = two_exp.used; - let one = builder.one_extension(); - let t = builder.sub_extension(two_exp.is_read, one); - let t = builder.mul_extension(high_limbs_are_zero, t); - let t = builder.mul_extension(is_shift, t); - yield_constr.constraint(builder, t); - - let high_limbs_sum = builder.add_many_extension(&displacement.value[1..]); - let high_limbs_sum_inv = lv.general.shift().high_limb_sum_inv; - // Verify that high_limbs_are_zero = 0 implies high_limbs_sum != 0 and - // high_limbs_are_zero = 1 implies high_limbs_sum = 0. - let t = builder.one_extension(); - let t = builder.sub_extension(t, high_limbs_are_zero); - let t = builder.mul_sub_extension(high_limbs_sum, high_limbs_sum_inv, t); - let t = builder.mul_extension(is_shift, t); - yield_constr.constraint(builder, t); - - let t = builder.mul_many_extension([is_shift, high_limbs_sum, high_limbs_are_zero]); - yield_constr.constraint(builder, t); - - // When the shift displacement is < 2^32, constrain the two_exp - // mem_channel to be the entry corresponding to `displacement` in - // the shift table lookup (will be zero if displacement >= 256). - let t = builder.mul_extension(is_shift, two_exp.addr_context); - yield_constr.constraint(builder, t); - let t = builder.arithmetic_extension( - F::ONE, - -shift_table_segment, - is_shift, - two_exp.addr_segment, - is_shift, - ); - yield_constr.constraint(builder, t); - let t = builder.sub_extension(two_exp.addr_virtual, displacement.value[0]); - let t = builder.mul_extension(is_shift, t); - yield_constr.constraint(builder, t); - - // Other channels must be unused - for chan in &lv.mem_channels[3..NUM_GP_CHANNELS] { - let t = builder.mul_extension(is_shift, chan.used); - yield_constr.constraint(builder, t); - } -} diff --git a/evm/src/cpu/simple_logic/eq_iszero.rs b/evm/src/cpu/simple_logic/eq_iszero.rs deleted file mode 100644 index fd811ae7f7..0000000000 --- a/evm/src/cpu/simple_logic/eq_iszero.rs +++ /dev/null @@ -1,188 +0,0 @@ -use ethereum_types::U256; -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::stack::{self, EQ_STACK_BEHAVIOR, IS_ZERO_STACK_BEHAVIOR}; - -fn limbs(x: U256) -> [u32; 8] { - let mut res = [0; 8]; - let x_u64: [u64; 4] = x.0; - for i in 0..4 { - res[2 * i] = x_u64[i] as u32; - res[2 * i + 1] = (x_u64[i] >> 32) as u32; - } - res -} -/// Form `diff_pinv`. -/// Let `diff = val0 - val1`. Consider `x[i] = diff[i]^-1` if `diff[i] != 0` and 0 otherwise. -/// Then `diff @ x = num_unequal_limbs`, where `@` denotes the dot product. We set -/// `diff_pinv = num_unequal_limbs^-1 * x` if `num_unequal_limbs != 0` and 0 otherwise. We have -/// `diff @ diff_pinv = 1 - equal` as desired. -pub(crate) fn generate_pinv_diff(val0: U256, val1: U256, lv: &mut CpuColumnsView) { - let val0_limbs = limbs(val0).map(F::from_canonical_u32); - let val1_limbs = limbs(val1).map(F::from_canonical_u32); - - let num_unequal_limbs = izip!(val0_limbs, val1_limbs) - .map(|(limb0, limb1)| (limb0 != limb1) as usize) - .sum(); - - // Form `diff_pinv`. - let logic = lv.general.logic_mut(); - let num_unequal_limbs_inv = F::from_canonical_usize(num_unequal_limbs) - .try_inverse() - .unwrap_or(F::ZERO); - for (limb_pinv, limb0, limb1) in izip!(logic.diff_pinv.iter_mut(), val0_limbs, val1_limbs) { - *limb_pinv = (limb0 - limb1).try_inverse().unwrap_or(F::ZERO) * num_unequal_limbs_inv; - } -} - -/// Evaluates the constraints for EQ and ISZERO. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let logic = lv.general.logic(); - let input0 = lv.mem_channels[0].value; - let input1 = lv.mem_channels[1].value; - let output = nv.mem_channels[0].value; - - // EQ (0x14) and ISZERO (0x15) are differentiated by their first opcode bit. - let eq_filter = lv.op.eq_iszero * (P::ONES - lv.opcode_bits[0]); - let iszero_filter = lv.op.eq_iszero * lv.opcode_bits[0]; - let eq_or_iszero_filter = lv.op.eq_iszero; - - let equal = output[0]; - let unequal = P::ONES - equal; - - // Handle `EQ` and `ISZERO`. Most limbs of the output are 0, but the least-significant one is - // either 0 or 1. - yield_constr.constraint(eq_or_iszero_filter * equal * unequal); - for &limb in &output[1..] { - yield_constr.constraint(eq_or_iszero_filter * limb); - } - - // If `ISZERO`, constrain input1 to be zero, effectively implementing ISZERO(x) as EQ(x, 0). - for limb in input1 { - yield_constr.constraint(iszero_filter * limb); - } - - // `equal` implies `input0[i] == input1[i]` for all `i`. - for (limb0, limb1) in izip!(input0, input1) { - let diff = limb0 - limb1; - yield_constr.constraint(eq_or_iszero_filter * equal * diff); - } - - // `input0[i] == input1[i]` for all `i` implies `equal`. - // If `unequal`, find `diff_pinv` such that `(input0 - input1) @ diff_pinv == 1`, where `@` - // denotes the dot product (there will be many such `diff_pinv`). This can only be done if - // `input0 != input1`. - let dot: P = izip!(input0, input1, logic.diff_pinv) - .map(|(limb0, limb1, diff_pinv_el)| (limb0 - limb1) * diff_pinv_el) - .sum(); - yield_constr.constraint(eq_or_iszero_filter * (dot - unequal)); - - // Stack constraints. - stack::eval_packed_one(lv, nv, eq_filter, EQ_STACK_BEHAVIOR.unwrap(), yield_constr); - stack::eval_packed_one( - lv, - nv, - iszero_filter, - IS_ZERO_STACK_BEHAVIOR.unwrap(), - yield_constr, - ); -} - -/// Circuit version of `eval_packed`. -/// Evaluates the constraints for EQ and ISZERO. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let zero = builder.zero_extension(); - let one = builder.one_extension(); - - let logic = lv.general.logic(); - let input0 = lv.mem_channels[0].value; - let input1 = lv.mem_channels[1].value; - let output = nv.mem_channels[0].value; - - // EQ (0x14) and ISZERO (0x15) are differentiated by their first opcode bit. - let eq_filter = builder.mul_extension(lv.op.eq_iszero, lv.opcode_bits[0]); - let eq_filter = builder.sub_extension(lv.op.eq_iszero, eq_filter); - - let iszero_filter = builder.mul_extension(lv.op.eq_iszero, lv.opcode_bits[0]); - let eq_or_iszero_filter = lv.op.eq_iszero; - - let equal = output[0]; - let unequal = builder.sub_extension(one, equal); - - // Handle `EQ` and `ISZERO`. Most limbs of the output are 0, but the least-significant one is - // either 0 or 1. - { - let constr = builder.mul_extension(equal, unequal); - let constr = builder.mul_extension(eq_or_iszero_filter, constr); - yield_constr.constraint(builder, constr); - } - for &limb in &output[1..] { - let constr = builder.mul_extension(eq_or_iszero_filter, limb); - yield_constr.constraint(builder, constr); - } - - // If `ISZERO`, constrain input1 to be zero, effectively implementing ISZERO(x) as EQ(x, 0). - for limb in input1 { - let constr = builder.mul_extension(iszero_filter, limb); - yield_constr.constraint(builder, constr); - } - - // `equal` implies `input0[i] == input1[i]` for all `i`. - for (limb0, limb1) in izip!(input0, input1) { - let diff = builder.sub_extension(limb0, limb1); - let constr = builder.mul_extension(equal, diff); - let constr = builder.mul_extension(eq_or_iszero_filter, constr); - yield_constr.constraint(builder, constr); - } - - // `input0[i] == input1[i]` for all `i` implies `equal`. - // If `unequal`, find `diff_pinv` such that `(input0 - input1) @ diff_pinv == 1`, where `@` - // denotes the dot product (there will be many such `diff_pinv`). This can only be done if - // `input0 != input1`. - { - let dot: ExtensionTarget = izip!(input0, input1, logic.diff_pinv).fold( - zero, - |cumul, (limb0, limb1, diff_pinv_el)| { - let diff = builder.sub_extension(limb0, limb1); - builder.mul_add_extension(diff, diff_pinv_el, cumul) - }, - ); - let constr = builder.sub_extension(dot, unequal); - let constr = builder.mul_extension(eq_or_iszero_filter, constr); - yield_constr.constraint(builder, constr); - } - - // Stack constraints. - stack::eval_ext_circuit_one( - builder, - lv, - nv, - eq_filter, - EQ_STACK_BEHAVIOR.unwrap(), - yield_constr, - ); - stack::eval_ext_circuit_one( - builder, - lv, - nv, - iszero_filter, - IS_ZERO_STACK_BEHAVIOR.unwrap(), - yield_constr, - ); -} diff --git a/evm/src/cpu/simple_logic/mod.rs b/evm/src/cpu/simple_logic/mod.rs deleted file mode 100644 index 04f8bcc2da..0000000000 --- a/evm/src/cpu/simple_logic/mod.rs +++ /dev/null @@ -1,32 +0,0 @@ -pub(crate) mod eq_iszero; -mod not; - -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; - -/// Evaluates constraints for NOT, EQ and ISZERO. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - not::eval_packed(lv, nv, yield_constr); - eq_iszero::eval_packed(lv, nv, yield_constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for NOT, EQ and ISZERO. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - not::eval_ext_circuit(builder, lv, nv, yield_constr); - eq_iszero::eval_ext_circuit(builder, lv, nv, yield_constr); -} diff --git a/evm/src/cpu/simple_logic/not.rs b/evm/src/cpu/simple_logic/not.rs deleted file mode 100644 index 3798606de3..0000000000 --- a/evm/src/cpu/simple_logic/not.rs +++ /dev/null @@ -1,66 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::stack; - -const LIMB_SIZE: usize = 32; -const ALL_1_LIMB: u64 = (1 << LIMB_SIZE) - 1; - -/// Evaluates constraints for NOT. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - // This is simple: just do output = 0xffffffff - input. - let input = lv.mem_channels[0].value; - let output = nv.mem_channels[0].value; - let filter = lv.op.not_pop * lv.opcode_bits[0]; - for (input_limb, output_limb) in input.into_iter().zip(output) { - yield_constr.constraint( - filter * (output_limb + input_limb - P::Scalar::from_canonical_u64(ALL_1_LIMB)), - ); - } - - // Stack constraints. - stack::eval_packed_one(lv, nv, filter, stack::BASIC_UNARY_OP.unwrap(), yield_constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for NOT. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let input = lv.mem_channels[0].value; - let output = nv.mem_channels[0].value; - let filter = builder.mul_extension(lv.op.not_pop, lv.opcode_bits[0]); - for (input_limb, output_limb) in input.into_iter().zip(output) { - let constr = builder.add_extension(output_limb, input_limb); - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_u64(ALL_1_LIMB), - filter, - constr, - filter, - ); - yield_constr.constraint(builder, constr); - } - - // Stack constraints. - stack::eval_ext_circuit_one( - builder, - lv, - nv, - filter, - stack::BASIC_UNARY_OP.unwrap(), - yield_constr, - ); -} diff --git a/evm/src/cpu/stack.rs b/evm/src/cpu/stack.rs deleted file mode 100644 index 87ca7ee1c4..0000000000 --- a/evm/src/cpu/stack.rs +++ /dev/null @@ -1,718 +0,0 @@ -use core::cmp::max; - -use itertools::izip; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::ops::OpsColumnsView; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::memory::segments::Segment; - -pub(crate) const MAX_USER_STACK_SIZE: usize = 1024; - -// We check for stack overflows here. An overflow occurs when the stack length is 1025 in user mode, -// which can happen after a non-kernel-only, non-popping, pushing instruction/syscall. -// The check uses `stack_len_bounds_aux`, which is either 0 if next row's `stack_len` is 1025 or -// next row is in kernel mode, or the inverse of `nv.stack_len - 1025` otherwise. -pub(crate) const MIGHT_OVERFLOW: OpsColumnsView = OpsColumnsView { - binary_op: false, - ternary_op: false, - fp254_op: false, - eq_iszero: false, - logic_op: false, - not_pop: false, - shift: false, - jumpdest_keccak_general: false, - push_prover_input: true, // PROVER_INPUT doesn't require the check, but PUSH does. - jumps: false, - pc_push0: true, - dup_swap: true, - context_op: false, - m_op_32bytes: false, - exit_kernel: true, // Doesn't directly push, but the syscall it's returning from might. - m_op_general: false, - syscall: false, - exception: false, -}; - -/// Structure to represent opcodes stack behaviours: -/// - number of pops -/// - whether the opcode(s) push -/// - whether unused channels should be disabled. -#[derive(Clone, Copy)] -pub(crate) struct StackBehavior { - pub(crate) num_pops: usize, - pub(crate) pushes: bool, - disable_other_channels: bool, -} - -/// `StackBehavior` for unary operations. -pub(crate) const BASIC_UNARY_OP: Option = Some(StackBehavior { - num_pops: 1, - pushes: true, - disable_other_channels: true, -}); -/// `StackBehavior` for binary operations. -const BASIC_BINARY_OP: Option = Some(StackBehavior { - num_pops: 2, - pushes: true, - disable_other_channels: true, -}); -/// `StackBehavior` for ternary operations. -const BASIC_TERNARY_OP: Option = Some(StackBehavior { - num_pops: 3, - pushes: true, - disable_other_channels: true, -}); -/// `StackBehavior` for JUMP. -pub(crate) const JUMP_OP: Option = Some(StackBehavior { - num_pops: 1, - pushes: false, - disable_other_channels: false, -}); -/// `StackBehavior` for JUMPI. -pub(crate) const JUMPI_OP: Option = Some(StackBehavior { - num_pops: 2, - pushes: false, - disable_other_channels: false, -}); -/// `StackBehavior` for MLOAD_GENERAL. -pub(crate) const MLOAD_GENERAL_OP: Option = Some(StackBehavior { - num_pops: 1, - pushes: true, - disable_other_channels: false, -}); - -pub(crate) const KECCAK_GENERAL_OP: StackBehavior = StackBehavior { - num_pops: 2, - pushes: true, - disable_other_channels: true, -}; - -pub(crate) const JUMPDEST_OP: StackBehavior = StackBehavior { - num_pops: 0, - pushes: false, - disable_other_channels: true, -}; - -// AUDITORS: If the value below is `None`, then the operation must be manually checked to ensure -// that every general-purpose memory channel is either disabled or has its read flag and address -// properly constrained. The same applies when `disable_other_channels` is set to `false`, -// except the first `num_pops` and the last `pushes as usize` channels have their read flag and -// address constrained automatically in this file. -pub(crate) const STACK_BEHAVIORS: OpsColumnsView> = OpsColumnsView { - binary_op: BASIC_BINARY_OP, - ternary_op: BASIC_TERNARY_OP, - fp254_op: BASIC_BINARY_OP, - eq_iszero: None, // EQ is binary, IS_ZERO is unary. - logic_op: BASIC_BINARY_OP, - not_pop: None, - shift: Some(StackBehavior { - num_pops: 2, - pushes: true, - disable_other_channels: false, - }), - jumpdest_keccak_general: None, - push_prover_input: Some(StackBehavior { - num_pops: 0, - pushes: true, - disable_other_channels: true, - }), - jumps: None, // Depends on whether it's a JUMP or a JUMPI. - pc_push0: Some(StackBehavior { - num_pops: 0, - pushes: true, - disable_other_channels: true, - }), - dup_swap: None, - context_op: None, - m_op_32bytes: Some(StackBehavior { - num_pops: 2, - pushes: true, - disable_other_channels: false, - }), - exit_kernel: Some(StackBehavior { - num_pops: 1, - pushes: false, - disable_other_channels: true, - }), - m_op_general: None, - syscall: Some(StackBehavior { - num_pops: 0, - pushes: true, - disable_other_channels: false, - }), - exception: Some(StackBehavior { - num_pops: 0, - pushes: true, - disable_other_channels: false, - }), -}; - -/// Stack behavior for EQ. -pub(crate) const EQ_STACK_BEHAVIOR: Option = Some(StackBehavior { - num_pops: 2, - pushes: true, - disable_other_channels: true, -}); -/// Stack behavior for ISZERO. -pub(crate) const IS_ZERO_STACK_BEHAVIOR: Option = Some(StackBehavior { - num_pops: 1, - pushes: true, - disable_other_channels: true, -}); - -/// Evaluates constraints for one `StackBehavior`. -pub(crate) fn eval_packed_one( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - filter: P, - stack_behavior: StackBehavior, - yield_constr: &mut ConstraintConsumer

, -) { - // If you have pops. - if stack_behavior.num_pops > 0 { - for i in 1..stack_behavior.num_pops { - let channel = lv.mem_channels[i]; - - yield_constr.constraint(filter * (channel.used - P::ONES)); - yield_constr.constraint(filter * (channel.is_read - P::ONES)); - - yield_constr.constraint(filter * (channel.addr_context - lv.context)); - yield_constr.constraint( - filter - * (channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - // Remember that the first read (`i == 1`) is for the second stack element at `stack[stack_len - 1]`. - let addr_virtual = lv.stack_len - P::Scalar::from_canonical_usize(i + 1); - yield_constr.constraint(filter * (channel.addr_virtual - addr_virtual)); - } - - // You can't have a write of the top of the stack, so you disable the corresponding flag. - yield_constr.constraint(filter * lv.partial_channel.used); - - // If you also push, you don't need to read the new top of the stack. - // If you don't: - // - if the stack isn't empty after the pops, you read the new top from an extra pop. - // - if not, the extra read is disabled. - // These are transition constraints: they don't apply to the last row. - if !stack_behavior.pushes { - // If stack_len != N... - let len_diff = lv.stack_len - P::Scalar::from_canonical_usize(stack_behavior.num_pops); - let new_filter = len_diff * filter; - // Read an extra element. - let channel = nv.mem_channels[0]; - yield_constr.constraint_transition(new_filter * (channel.used - P::ONES)); - yield_constr.constraint_transition(new_filter * (channel.is_read - P::ONES)); - yield_constr.constraint_transition(new_filter * (channel.addr_context - nv.context)); - yield_constr.constraint_transition( - new_filter - * (channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - let addr_virtual = nv.stack_len - P::ONES; - yield_constr.constraint_transition(new_filter * (channel.addr_virtual - addr_virtual)); - // Constrain `stack_inv_aux`. - yield_constr.constraint( - filter - * (len_diff * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - // Disable channel if stack_len == N. - let empty_stack_filter = filter * (lv.general.stack().stack_inv_aux - P::ONES); - yield_constr.constraint_transition(empty_stack_filter * channel.used); - } - } - // If the op only pushes, you only need to constrain the top of the stack if the stack isn't empty. - else if stack_behavior.pushes { - // If len > 0... - let new_filter = lv.stack_len * filter; - // You write the previous top of the stack in memory, in the partial channel. - // The value will be checked with the CTL. - let channel = lv.partial_channel; - yield_constr.constraint(new_filter * (channel.used - P::ONES)); - yield_constr.constraint(new_filter * channel.is_read); - yield_constr.constraint(new_filter * (channel.addr_context - lv.context)); - yield_constr.constraint( - new_filter - * (channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - let addr_virtual = lv.stack_len - P::ONES; - yield_constr.constraint(new_filter * (channel.addr_virtual - addr_virtual)); - // Else you disable the channel. - yield_constr.constraint( - filter - * (lv.stack_len * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - let empty_stack_filter = filter * (lv.general.stack().stack_inv_aux - P::ONES); - yield_constr.constraint(empty_stack_filter * channel.used); - } - // If the op doesn't pop nor push, the top of the stack must not change. - else { - yield_constr.constraint(filter * nv.mem_channels[0].used); - for (limb_old, limb_new) in lv.mem_channels[0] - .value - .iter() - .zip(nv.mem_channels[0].value.iter()) - { - yield_constr.constraint(filter * (*limb_old - *limb_new)); - } - - // You can't have a write of the top of the stack, so you disable the corresponding flag. - yield_constr.constraint(filter * lv.partial_channel.used); - } - - // Unused channels - if stack_behavior.disable_other_channels { - // The first channel contains (or not) the top of the stack and is constrained elsewhere. - for i in max(1, stack_behavior.num_pops)..NUM_GP_CHANNELS - (stack_behavior.pushes as usize) - { - let channel = lv.mem_channels[i]; - yield_constr.constraint(filter * channel.used); - } - } - - // Constrain new stack length. - let num_pops = P::Scalar::from_canonical_usize(stack_behavior.num_pops); - let push = P::Scalar::from_canonical_usize(stack_behavior.pushes as usize); - yield_constr.constraint_transition(filter * (nv.stack_len - (lv.stack_len - num_pops + push))); -} - -/// Evaluates constraints for all opcodes' `StackBehavior`s. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - for (op, stack_behavior, might_overflow) in izip!( - lv.op.into_iter(), - STACK_BEHAVIORS.into_iter(), - MIGHT_OVERFLOW.into_iter() - ) { - if let Some(stack_behavior) = stack_behavior { - eval_packed_one(lv, nv, op, stack_behavior, yield_constr); - } - - if might_overflow { - // Check for stack overflow in the next row. - let diff = nv.stack_len - P::Scalar::from_canonical_usize(MAX_USER_STACK_SIZE + 1); - let lhs = diff * lv.general.stack().stack_len_bounds_aux; - let rhs = P::ONES - nv.is_kernel_mode; - yield_constr.constraint_transition(op * (lhs - rhs)); - } - } - - // Constrain stack for JUMPDEST. - let jumpdest_filter = lv.op.jumpdest_keccak_general * lv.opcode_bits[1]; - eval_packed_one(lv, nv, jumpdest_filter, JUMPDEST_OP, yield_constr); - - // Constrain stack for KECCAK_GENERAL. - let keccak_general_filter = lv.op.jumpdest_keccak_general * (P::ONES - lv.opcode_bits[1]); - eval_packed_one( - lv, - nv, - keccak_general_filter, - KECCAK_GENERAL_OP, - yield_constr, - ); - - // Stack constraints for POP. - // The only constraints POP has are stack constraints. - // Since POP and NOT are combined into one flag and they have - // different stack behaviors, POP needs special stack constraints. - // Constrain `stack_inv_aux`. - let len_diff = lv.stack_len - P::Scalar::ONES; - yield_constr.constraint( - lv.op.not_pop - * (len_diff * lv.general.stack().stack_inv - lv.general.stack().stack_inv_aux), - ); - - // If stack_len != 1 and POP, read new top of the stack in nv.mem_channels[0]. - let top_read_channel = nv.mem_channels[0]; - let is_top_read = lv.general.stack().stack_inv_aux * (P::ONES - lv.opcode_bits[0]); - - // Constrain `stack_inv_aux_2`. It contains `stack_inv_aux * (1 - opcode_bits[0])`. - yield_constr.constraint(lv.op.not_pop * (lv.general.stack().stack_inv_aux_2 - is_top_read)); - let new_filter = lv.op.not_pop * lv.general.stack().stack_inv_aux_2; - yield_constr.constraint_transition(new_filter * (top_read_channel.used - P::ONES)); - yield_constr.constraint_transition(new_filter * (top_read_channel.is_read - P::ONES)); - yield_constr.constraint_transition(new_filter * (top_read_channel.addr_context - nv.context)); - yield_constr.constraint_transition( - new_filter - * (top_read_channel.addr_segment - - P::Scalar::from_canonical_usize(Segment::Stack.unscale())), - ); - let addr_virtual = nv.stack_len - P::ONES; - yield_constr.constraint_transition(new_filter * (top_read_channel.addr_virtual - addr_virtual)); - // If stack_len == 1 or NOT, disable the channel. - // If NOT or (len==1 and POP), then `stack_inv_aux_2` = 0. - yield_constr.constraint( - lv.op.not_pop * (lv.general.stack().stack_inv_aux_2 - P::ONES) * top_read_channel.used, - ); - - // Disable remaining memory channels. - for &channel in &lv.mem_channels[1..] { - yield_constr.constraint(lv.op.not_pop * (lv.opcode_bits[0] - P::ONES) * channel.used); - } - yield_constr - .constraint(lv.op.not_pop * (lv.opcode_bits[0] - P::ONES) * lv.partial_channel.used); - - // Constrain the new stack length for POP. - yield_constr.constraint_transition( - lv.op.not_pop * (lv.opcode_bits[0] - P::ONES) * (nv.stack_len - lv.stack_len + P::ONES), - ); -} - -/// Circuit version of `eval_packed_one`. -/// Evaluates constraints for one `StackBehavior`. -pub(crate) fn eval_ext_circuit_one, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - filter: ExtensionTarget, - stack_behavior: StackBehavior, - yield_constr: &mut RecursiveConstraintConsumer, -) { - // If you have pops. - if stack_behavior.num_pops > 0 { - for i in 1..stack_behavior.num_pops { - let channel = lv.mem_channels[i]; - - { - let constr = builder.mul_sub_extension(filter, channel.used, filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_sub_extension(filter, channel.is_read, filter); - yield_constr.constraint(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_context, lv.context); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::Stack.unscale()), - filter, - channel.addr_segment, - filter, - ); - yield_constr.constraint(builder, constr); - } - // Remember that the first read (`i == 1`) is for the second stack element at `stack[stack_len - 1]`. - { - let diff = builder.sub_extension(channel.addr_virtual, lv.stack_len); - let constr = builder.arithmetic_extension( - F::ONE, - F::from_canonical_usize(i + 1), - filter, - diff, - filter, - ); - yield_constr.constraint(builder, constr); - } - } - - // You can't have a write of the top of the stack, so you disable the corresponding flag. - { - let constr = builder.mul_extension(filter, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } - - // If you also push, you don't need to read the new top of the stack. - // If you don't: - // - if the stack isn't empty after the pops, you read the new top from an extra pop. - // - if not, the extra read is disabled. - // These are transition constraints: they don't apply to the last row. - if !stack_behavior.pushes { - // If stack_len != N... - let target_num_pops = - builder.constant_extension(F::from_canonical_usize(stack_behavior.num_pops).into()); - let len_diff = builder.sub_extension(lv.stack_len, target_num_pops); - let new_filter = builder.mul_extension(filter, len_diff); - // Read an extra element. - let channel = nv.mem_channels[0]; - - { - let constr = builder.mul_sub_extension(new_filter, channel.used, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.mul_sub_extension(new_filter, channel.is_read, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_context, nv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::Stack.unscale()), - new_filter, - channel.addr_segment, - new_filter, - ); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_virtual, nv.stack_len); - let constr = - builder.arithmetic_extension(F::ONE, F::ONE, new_filter, diff, new_filter); - yield_constr.constraint_transition(builder, constr); - } - // Constrain `stack_inv_aux`. - { - let prod = builder.mul_extension(len_diff, lv.general.stack().stack_inv); - let diff = builder.sub_extension(prod, lv.general.stack().stack_inv_aux); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - // Disable channel if stack_len == N. - { - let empty_stack_filter = - builder.mul_sub_extension(filter, lv.general.stack().stack_inv_aux, filter); - let constr = builder.mul_extension(empty_stack_filter, channel.used); - yield_constr.constraint_transition(builder, constr); - } - } - } - // If the op only pushes, you only need to constrain the top of the stack if the stack isn't empty. - else if stack_behavior.pushes { - // If len > 0... - let new_filter = builder.mul_extension(lv.stack_len, filter); - // You write the previous top of the stack in memory, in the last channel. - // The value will be checked with the CTL - let channel = lv.partial_channel; - { - let constr = builder.mul_sub_extension(new_filter, channel.used, new_filter); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_extension(new_filter, channel.is_read); - yield_constr.constraint(builder, constr); - } - - { - let diff = builder.sub_extension(channel.addr_context, lv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -F::from_canonical_usize(Segment::Stack.unscale()), - new_filter, - channel.addr_segment, - new_filter, - ); - yield_constr.constraint(builder, constr); - } - { - let diff = builder.sub_extension(channel.addr_virtual, lv.stack_len); - let constr = builder.arithmetic_extension(F::ONE, F::ONE, new_filter, diff, new_filter); - yield_constr.constraint(builder, constr); - } - // Else you disable the channel. - { - let diff = builder.mul_extension(lv.stack_len, lv.general.stack().stack_inv); - let diff = builder.sub_extension(diff, lv.general.stack().stack_inv_aux); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - { - let empty_stack_filter = - builder.mul_sub_extension(filter, lv.general.stack().stack_inv_aux, filter); - let constr = builder.mul_extension(empty_stack_filter, channel.used); - yield_constr.constraint(builder, constr); - } - } - // If the op doesn't pop nor push, the top of the stack must not change. - else { - { - let constr = builder.mul_extension(filter, nv.mem_channels[0].used); - yield_constr.constraint(builder, constr); - } - { - for (limb_old, limb_new) in lv.mem_channels[0] - .value - .iter() - .zip(nv.mem_channels[0].value.iter()) - { - let diff = builder.sub_extension(*limb_old, *limb_new); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint(builder, constr); - } - } - - // You can't have a write of the top of the stack, so you disable the corresponding flag. - { - let constr = builder.mul_extension(filter, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } - } - - // Unused channels - if stack_behavior.disable_other_channels { - // The first channel contains (or not) the top of the stack and is constrained elsewhere. - for i in max(1, stack_behavior.num_pops)..NUM_GP_CHANNELS - (stack_behavior.pushes as usize) - { - let channel = lv.mem_channels[i]; - let constr = builder.mul_extension(filter, channel.used); - yield_constr.constraint(builder, constr); - } - } - - // Constrain new stack length. - let diff = builder.constant_extension( - F::Extension::from_canonical_usize(stack_behavior.num_pops) - - F::Extension::from_canonical_usize(stack_behavior.pushes as usize), - ); - let diff = builder.sub_extension(lv.stack_len, diff); - let diff = builder.sub_extension(nv.stack_len, diff); - let constr = builder.mul_extension(filter, diff); - yield_constr.constraint_transition(builder, constr); -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for all opcodes' `StackBehavior`s. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - for (op, stack_behavior, might_overflow) in izip!( - lv.op.into_iter(), - STACK_BEHAVIORS.into_iter(), - MIGHT_OVERFLOW.into_iter() - ) { - if let Some(stack_behavior) = stack_behavior { - eval_ext_circuit_one(builder, lv, nv, op, stack_behavior, yield_constr); - } - - if might_overflow { - // Check for stack overflow in the next row. - let diff = builder.add_const_extension( - nv.stack_len, - -F::from_canonical_usize(MAX_USER_STACK_SIZE + 1), - ); - let prod = builder.mul_add_extension( - diff, - lv.general.stack().stack_len_bounds_aux, - nv.is_kernel_mode, - ); - let rhs = builder.add_const_extension(prod, -F::ONE); - let constr = builder.mul_extension(op, rhs); - yield_constr.constraint_transition(builder, constr); - } - } - - // Constrain stack for JUMPDEST. - let jumpdest_filter = builder.mul_extension(lv.op.jumpdest_keccak_general, lv.opcode_bits[1]); - eval_ext_circuit_one(builder, lv, nv, jumpdest_filter, JUMPDEST_OP, yield_constr); - - // Constrain stack for KECCAK_GENERAL. - let one = builder.one_extension(); - let mut keccak_general_filter = builder.sub_extension(one, lv.opcode_bits[1]); - keccak_general_filter = - builder.mul_extension(lv.op.jumpdest_keccak_general, keccak_general_filter); - eval_ext_circuit_one( - builder, - lv, - nv, - keccak_general_filter, - KECCAK_GENERAL_OP, - yield_constr, - ); - - // Stack constraints for POP. - // The only constraints POP has are stack constraints. - // Since POP and NOT are combined into one flag and they have - // different stack behaviors, POP needs special stack constraints. - // Constrain `stack_inv_aux`. - { - let len_diff = builder.add_const_extension(lv.stack_len, F::NEG_ONE); - let diff = builder.mul_sub_extension( - len_diff, - lv.general.stack().stack_inv, - lv.general.stack().stack_inv_aux, - ); - let constr = builder.mul_extension(lv.op.not_pop, diff); - yield_constr.constraint(builder, constr); - } - // If stack_len != 4 and MSTORE, read new top of the stack in nv.mem_channels[0]. - let top_read_channel = nv.mem_channels[0]; - let is_top_read = builder.mul_extension(lv.general.stack().stack_inv_aux, lv.opcode_bits[0]); - let is_top_read = builder.sub_extension(lv.general.stack().stack_inv_aux, is_top_read); - // Constrain `stack_inv_aux_2`. It contains `stack_inv_aux * opcode_bits[0]`. - { - let diff = builder.sub_extension(lv.general.stack().stack_inv_aux_2, is_top_read); - let constr = builder.mul_extension(lv.op.not_pop, diff); - yield_constr.constraint(builder, constr); - } - let new_filter = builder.mul_extension(lv.op.not_pop, lv.general.stack().stack_inv_aux_2); - { - let constr = builder.mul_sub_extension(new_filter, top_read_channel.used, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let constr = builder.mul_sub_extension(new_filter, top_read_channel.is_read, new_filter); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.sub_extension(top_read_channel.addr_context, nv.context); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let diff = builder.add_const_extension( - top_read_channel.addr_segment, - -F::from_canonical_usize(Segment::Stack.unscale()), - ); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - { - let addr_virtual = builder.add_const_extension(nv.stack_len, -F::ONE); - let diff = builder.sub_extension(top_read_channel.addr_virtual, addr_virtual); - let constr = builder.mul_extension(new_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - // If stack_len == 1 or NOT, disable the channel. - { - let diff = builder.mul_sub_extension( - lv.op.not_pop, - lv.general.stack().stack_inv_aux_2, - lv.op.not_pop, - ); - let constr = builder.mul_extension(diff, top_read_channel.used); - yield_constr.constraint(builder, constr); - } - - // Disable remaining memory channels. - let filter = builder.mul_sub_extension(lv.op.not_pop, lv.opcode_bits[0], lv.op.not_pop); - for &channel in &lv.mem_channels[1..] { - let constr = builder.mul_extension(filter, channel.used); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.mul_extension(filter, lv.partial_channel.used); - yield_constr.constraint(builder, constr); - } - - // Constrain the new stack length for POP. - let diff = builder.sub_extension(nv.stack_len, lv.stack_len); - let mut constr = builder.add_const_extension(diff, F::ONES); - constr = builder.mul_extension(filter, constr); - yield_constr.constraint_transition(builder, constr); -} diff --git a/evm/src/cpu/syscalls_exceptions.rs b/evm/src/cpu/syscalls_exceptions.rs deleted file mode 100644 index 1dfdb8fa2c..0000000000 --- a/evm/src/cpu/syscalls_exceptions.rs +++ /dev/null @@ -1,308 +0,0 @@ -//! Handle instructions that are implemented in terms of system calls. -//! -//! These are usually the ones that are too complicated to implement in one CPU table row. - -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::memory::segments::Segment; - -// Copy the constant but make it `usize`. -const BYTES_PER_OFFSET: usize = crate::cpu::kernel::assembler::BYTES_PER_OFFSET as usize; - -/// Evaluates constraints for syscalls and exceptions. -pub(crate) fn eval_packed( - lv: &CpuColumnsView

, - nv: &CpuColumnsView

, - yield_constr: &mut ConstraintConsumer

, -) { - let filter_syscall = lv.op.syscall; - let filter_exception = lv.op.exception; - let total_filter = filter_syscall + filter_exception; - - // First, constrain filters to be boolean. - // Ensuring they are mutually exclusive is done in other modules - // through the `is_cpu_cycle` variable. - yield_constr.constraint(filter_syscall * (filter_syscall - P::ONES)); - yield_constr.constraint(filter_exception * (filter_exception - P::ONES)); - - // If exception, ensure we are not in kernel mode - yield_constr.constraint(filter_exception * lv.is_kernel_mode); - - // Get the exception code as an value in {0, ..., 7}. - let exc_code_bits = lv.general.exception().exc_code_bits; - let exc_code: P = exc_code_bits - .into_iter() - .enumerate() - .map(|(i, bit)| bit * P::Scalar::from_canonical_u64(1 << i)) - .sum(); - // Ensure that all bits are either 0 or 1. - for bit in exc_code_bits { - yield_constr.constraint(filter_exception * bit * (bit - P::ONES)); - } - - // Look up the handler in memory - let code_segment = P::Scalar::from_canonical_usize(Segment::Code.unscale()); - - let opcode: P = lv - .opcode_bits - .into_iter() - .enumerate() - .map(|(i, bit)| bit * P::Scalar::from_canonical_u64(1 << i)) - .sum(); - - // Syscall handler - let syscall_jumptable_start = - P::Scalar::from_canonical_usize(KERNEL.global_labels["syscall_jumptable"]); - let opcode_handler_addr_start = - syscall_jumptable_start + opcode * P::Scalar::from_canonical_usize(BYTES_PER_OFFSET); - // Exceptions handler - let exc_jumptable_start = - P::Scalar::from_canonical_usize(KERNEL.global_labels["exception_jumptable"]); - let exc_handler_addr_start = - exc_jumptable_start + exc_code * P::Scalar::from_canonical_usize(BYTES_PER_OFFSET); - - let jumpdest_channel = lv.mem_channels[1]; - - // Set `used` and `is_read`. - // The channel is not used: the reads will be done with the byte packing CTL. - yield_constr.constraint(total_filter * (jumpdest_channel.used)); - yield_constr.constraint(total_filter * (jumpdest_channel.is_read - P::ONES)); - - // Set kernel context and code segment - yield_constr.constraint(total_filter * jumpdest_channel.addr_context); - yield_constr.constraint(total_filter * (jumpdest_channel.addr_segment - code_segment)); - - // Set address. - yield_constr - .constraint(filter_syscall * (jumpdest_channel.addr_virtual - opcode_handler_addr_start)); - yield_constr - .constraint(filter_exception * (jumpdest_channel.addr_virtual - exc_handler_addr_start)); - - // Set higher limbs to zero. - for &limb in &jumpdest_channel.value[1..] { - yield_constr.constraint(total_filter * limb); - } - - // Disable unused channels - for channel in &lv.mem_channels[2..NUM_GP_CHANNELS] { - yield_constr.constraint(total_filter * channel.used); - } - - // Set program counter to the handler address - yield_constr - .constraint_transition(total_filter * (nv.program_counter - jumpdest_channel.value[0])); - // Set kernel mode - yield_constr.constraint_transition(total_filter * (nv.is_kernel_mode - P::ONES)); - // Reset gas counter to zero. - yield_constr.constraint_transition(total_filter * nv.gas); - - let output = nv.mem_channels[0].value; - // New top of the stack: current PC + 1 (limb 0), kernel flag (limb 1), gas counter (limbs 6 and 7). - yield_constr.constraint(filter_syscall * (output[0] - (lv.program_counter + P::ONES))); - yield_constr.constraint(filter_exception * (output[0] - lv.program_counter)); - // Check the kernel mode, for syscalls only - yield_constr.constraint(filter_syscall * (output[1] - lv.is_kernel_mode)); - yield_constr.constraint(total_filter * (output[6] - lv.gas)); - yield_constr.constraint(total_filter * output[7]); // High limb of gas is zero. - - // Zero the rest of that register - // output[1] is 0 for exceptions, but not for syscalls - yield_constr.constraint(filter_exception * output[1]); - for &limb in &output[2..6] { - yield_constr.constraint(total_filter * limb); - } -} - -/// Circuit version of `eval_packed`. -/// Evaluates constraints for syscalls and exceptions. -pub(crate) fn eval_ext_circuit, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - lv: &CpuColumnsView>, - nv: &CpuColumnsView>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let filter_syscall = lv.op.syscall; - let filter_exception = lv.op.exception; - let total_filter = builder.add_extension(filter_syscall, filter_exception); - - // First, constrain filters to be boolean. - // Ensuring they are mutually exclusive is done in other modules - // through the `is_cpu_cycle` variable. - let constr = builder.mul_sub_extension(filter_syscall, filter_syscall, filter_syscall); - yield_constr.constraint(builder, constr); - let constr = builder.mul_sub_extension(filter_exception, filter_exception, filter_exception); - yield_constr.constraint(builder, constr); - - // Ensure that, if exception, we are not in kernel mode - let constr = builder.mul_extension(filter_exception, lv.is_kernel_mode); - yield_constr.constraint(builder, constr); - - let exc_code_bits = lv.general.exception().exc_code_bits; - let exc_code = - exc_code_bits - .into_iter() - .enumerate() - .fold(builder.zero_extension(), |cumul, (i, bit)| { - builder.mul_const_add_extension(F::from_canonical_u64(1 << i), bit, cumul) - }); - - // Ensure that all bits are either 0 or 1. - for bit in exc_code_bits { - let constr = builder.mul_sub_extension(bit, bit, bit); - let constr = builder.mul_extension(filter_exception, constr); - yield_constr.constraint(builder, constr); - } - - // Look up the handler in memory - let code_segment = F::from_canonical_usize(Segment::Code.unscale()); - - let opcode = lv - .opcode_bits - .into_iter() - .rev() - .fold(builder.zero_extension(), |cumul, bit| { - builder.mul_const_add_extension(F::TWO, cumul, bit) - }); - - // Syscall handler - let syscall_jumptable_start = builder.constant_extension( - F::from_canonical_usize(KERNEL.global_labels["syscall_jumptable"]).into(), - ); - let opcode_handler_addr_start = builder.mul_const_add_extension( - F::from_canonical_usize(BYTES_PER_OFFSET), - opcode, - syscall_jumptable_start, - ); - - // Exceptions handler - let exc_jumptable_start = builder.constant_extension( - F::from_canonical_usize(KERNEL.global_labels["exception_jumptable"]).into(), - ); - let exc_handler_addr_start = builder.mul_const_add_extension( - F::from_canonical_usize(BYTES_PER_OFFSET), - exc_code, - exc_jumptable_start, - ); - - let jumpdest_channel = lv.mem_channels[1]; - - // Set `used` and `is_read`. - // The channel is not used: the reads will be done with the byte packing CTL. - { - let constr = builder.mul_extension(total_filter, jumpdest_channel.used); - yield_constr.constraint(builder, constr); - } - { - let constr = - builder.mul_sub_extension(total_filter, jumpdest_channel.is_read, total_filter); - yield_constr.constraint(builder, constr); - } - - // Set kernel context and code segment - { - let constr = builder.mul_extension(total_filter, jumpdest_channel.addr_context); - yield_constr.constraint(builder, constr); - } - { - let constr = builder.arithmetic_extension( - F::ONE, - -code_segment, - total_filter, - jumpdest_channel.addr_segment, - total_filter, - ); - yield_constr.constraint(builder, constr); - } - - // Set address. - { - let diff_syscall = - builder.sub_extension(jumpdest_channel.addr_virtual, opcode_handler_addr_start); - let constr = builder.mul_extension(filter_syscall, diff_syscall); - yield_constr.constraint(builder, constr); - } - { - let diff_exception = - builder.sub_extension(jumpdest_channel.addr_virtual, exc_handler_addr_start); - let constr = builder.mul_extension(filter_exception, diff_exception); - yield_constr.constraint(builder, constr); - } - - // Set higher limbs to zero. - for &limb in &jumpdest_channel.value[1..] { - let constr = builder.mul_extension(total_filter, limb); - yield_constr.constraint(builder, constr); - } - - // Disable unused channels - for channel in &lv.mem_channels[2..NUM_GP_CHANNELS] { - let constr = builder.mul_extension(total_filter, channel.used); - yield_constr.constraint(builder, constr); - } - - // Set program counter to the handler address - // The addresses are big-endian in memory - { - let diff = builder.sub_extension(nv.program_counter, jumpdest_channel.value[0]); - let constr = builder.mul_extension(total_filter, diff); - yield_constr.constraint_transition(builder, constr); - } - // Set kernel mode - { - let constr = builder.mul_sub_extension(total_filter, nv.is_kernel_mode, total_filter); - yield_constr.constraint_transition(builder, constr); - } - // Reset gas counter to zero. - { - let constr = builder.mul_extension(total_filter, nv.gas); - yield_constr.constraint_transition(builder, constr); - } - - // New top of the stack. - let output = nv.mem_channels[0].value; - // Push to stack (syscall): current PC + 1 (limb 0), kernel flag (limb 1), gas counter (limbs 6 and 7). - { - let pc_plus_1 = builder.add_const_extension(lv.program_counter, F::ONE); - let diff = builder.sub_extension(output[0], pc_plus_1); - let constr = builder.mul_extension(filter_syscall, diff); - yield_constr.constraint(builder, constr); - } - // Push to stack (exception): current PC (limb 0), kernel flag (limb 1), gas counter (limbs 6 and 7). - { - let diff = builder.sub_extension(output[0], lv.program_counter); - let constr = builder.mul_extension(filter_exception, diff); - yield_constr.constraint(builder, constr); - } - // Push to stack(exception): current PC (limb 0), gas counter (limbs 6 and 7). - { - let diff = builder.sub_extension(output[1], lv.is_kernel_mode); - let constr = builder.mul_extension(filter_syscall, diff); - yield_constr.constraint(builder, constr); - } - { - let diff = builder.sub_extension(output[6], lv.gas); - let constr = builder.mul_extension(total_filter, diff); - yield_constr.constraint(builder, constr); - } - { - // High limb of gas is zero. - let constr = builder.mul_extension(total_filter, output[7]); - yield_constr.constraint(builder, constr); - } - - // Zero the rest of that register - let constr = builder.mul_extension(filter_exception, output[1]); - yield_constr.constraint(builder, constr); - for &limb in &output[2..6] { - let constr = builder.mul_extension(total_filter, limb); - yield_constr.constraint(builder, constr); - } -} diff --git a/evm/src/curve_pairings.rs b/evm/src/curve_pairings.rs deleted file mode 100644 index af155cc506..0000000000 --- a/evm/src/curve_pairings.rs +++ /dev/null @@ -1,513 +0,0 @@ -use core::ops::{Add, Mul, Neg}; - -use ethereum_types::U256; -use rand::distributions::Standard; -use rand::prelude::Distribution; -use rand::Rng; - -use crate::extension_tower::{FieldExt, Fp12, Fp2, Fp6, Stack, BN254}; - -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct Curve -where - T: FieldExt, -{ - pub x: T, - pub y: T, -} - -impl Curve { - pub(crate) const fn unit() -> Self { - Curve { - x: T::ZERO, - y: T::ZERO, - } - } -} - -impl Stack for Curve { - const SIZE: usize = 2 * T::SIZE; - - fn to_stack(&self) -> Vec { - let mut stack = self.x.to_stack(); - stack.extend(self.y.to_stack()); - stack - } - - fn from_stack(stack: &[U256]) -> Self { - Curve { - x: T::from_stack(&stack[0..T::SIZE]), - y: T::from_stack(&stack[T::SIZE..2 * T::SIZE]), - } - } -} - -impl Curve -where - T: FieldExt, - Curve: CyclicGroup, -{ - pub(crate) fn int(z: i32) -> Self { - Curve::::GENERATOR * z - } -} - -impl Distribution> for Standard -where - T: FieldExt, - Curve: CyclicGroup, -{ - fn sample(&self, rng: &mut R) -> Curve { - Curve::::GENERATOR * rng.gen::() - } -} - -/// Standard addition formula for elliptic curves, restricted to the cases -/// -impl Add for Curve { - type Output = Self; - - fn add(self, other: Self) -> Self { - if self == Curve::::unit() { - return other; - } - if other == Curve::::unit() { - return self; - } - if self == -other { - return Curve::::unit(); - } - let m = if self == other { - T::new(3) * self.x * self.x / (T::new(2) * self.y) - } else { - (other.y - self.y) / (other.x - self.x) - }; - let x = m * m - (self.x + other.x); - Curve { - x, - y: m * (self.x - x) - self.y, - } - } -} - -impl Neg for Curve { - type Output = Curve; - - fn neg(self) -> Self { - Curve { - x: self.x, - y: -self.y, - } - } -} - -pub trait CyclicGroup { - const GENERATOR: Self; -} - -/// The BN curve consists of pairs -/// (x, y): (BN254, BN254) | y^2 = x^3 + 2 -// with generator given by (1, 2) -impl CyclicGroup for Curve { - const GENERATOR: Curve = Curve { - x: BN254 { val: U256::one() }, - y: BN254 { - val: U256([2, 0, 0, 0]), - }, - }; -} - -impl Mul for Curve -where - T: FieldExt, - Curve: CyclicGroup, -{ - type Output = Curve; - - fn mul(self, other: i32) -> Self { - if other == 0 { - return Curve::::unit(); - } - if self == Curve::::unit() { - return Curve::::unit(); - } - - let mut x: Curve = self; - if other.is_negative() { - x = -x; - } - let mut result = Curve::::unit(); - - let mut exp = other.unsigned_abs() as usize; - while exp > 0 { - if exp % 2 == 1 { - result = result + x; - } - exp >>= 1; - x = x + x; - } - result - } -} - -/// The twisted curve consists of pairs -/// (x, y): (Fp2, Fp2) | y^2 = x^3 + 3/(9 + i) -/// with generator given as follows -impl CyclicGroup for Curve> { - const GENERATOR: Curve> = Curve { - x: Fp2 { - re: BN254 { - val: U256([ - 0x46debd5cd992f6ed, - 0x674322d4f75edadd, - 0x426a00665e5c4479, - 0x1800deef121f1e76, - ]), - }, - im: BN254 { - val: U256([ - 0x97e485b7aef312c2, - 0xf1aa493335a9e712, - 0x7260bfb731fb5d25, - 0x198e9393920d483a, - ]), - }, - }, - y: Fp2 { - re: BN254 { - val: U256([ - 0x4ce6cc0166fa7daa, - 0xe3d1e7690c43d37b, - 0x4aab71808dcb408f, - 0x12c85ea5db8c6deb, - ]), - }, - im: BN254 { - val: U256([ - 0x55acdadcd122975b, - 0xbc4b313370b38ef3, - 0xec9e99ad690c3395, - 0x090689d0585ff075, - ]), - }, - }, - }; -} - -// The tate pairing takes a point each from the curve and its twist and outputs an Fp12 element -pub(crate) fn bn_tate(p: Curve, q: Curve>) -> Fp12 { - let miller_output = bn_miller_loop(p, q); - bn_final_exponent(miller_output) -} - -/// Standard code for miller loop, can be found on page 99 at this url: -/// -/// where BN_EXP is a hardcoding of the array of Booleans that the loop traverses -pub(crate) fn bn_miller_loop(p: Curve, q: Curve>) -> Fp12 { - let mut r = p; - let mut acc: Fp12 = Fp12::::UNIT; - let mut line: Fp12; - - for i in BN_EXP { - line = bn_tangent(r, q); - r = r + r; - acc = line * acc * acc; - if i { - line = bn_cord(p, r, q); - r = r + p; - acc = line * acc; - } - } - acc -} - -/// The sloped line function for doubling a point -pub(crate) fn bn_tangent(p: Curve, q: Curve>) -> Fp12 { - let cx = -BN254::new(3) * p.x * p.x; - let cy = BN254::new(2) * p.y; - bn_sparse_embed(p.y * p.y - BN254::new(9), q.x * cx, q.y * cy) -} - -/// The sloped line function for adding two points -pub(crate) fn bn_cord(p1: Curve, p2: Curve, q: Curve>) -> Fp12 { - let cx = p2.y - p1.y; - let cy = p1.x - p2.x; - bn_sparse_embed(p1.y * p2.x - p2.y * p1.x, q.x * cx, q.y * cy) -} - -/// The tangent and cord functions output sparse Fp12 elements. -/// This map embeds the nonzero coefficients into an Fp12. -pub(crate) const fn bn_sparse_embed(g000: BN254, g01: Fp2, g11: Fp2) -> Fp12 { - let g0 = Fp6 { - t0: Fp2 { - re: g000, - im: BN254::ZERO, - }, - t1: g01, - t2: Fp2::::ZERO, - }; - - let g1 = Fp6 { - t0: Fp2::::ZERO, - t1: g11, - t2: Fp2::::ZERO, - }; - - Fp12 { z0: g0, z1: g1 } -} - -pub(crate) fn gen_bn_fp12_sparse(rng: &mut R) -> Fp12 { - bn_sparse_embed( - rng.gen::(), - rng.gen::>(), - rng.gen::>(), - ) -} - -/// The output y of the miller loop is not an invariant, -/// but one gets an invariant by raising y to the power -/// (p^12 - 1)/N = (p^6 - 1)(p^2 + 1)(p^4 - p^2 + 1)/N -/// where N is the cyclic group order of the curve. -/// To achieve this, we first exponentiate y by p^6 - 1 via -/// y = y_6 / y -/// and then exponentiate the result by p^2 + 1 via -/// y = y_2 * y -/// We then note that (p^4 - p^2 + 1)/N can be rewritten as -/// (p^4 - p^2 + 1)/N = p^3 + (a2)p^2 - (a1)p - a0 -/// where 0 < a0, a1, a2 < p. Then the final power is given by -/// y = y_3 * (y^a2)_2 * (y^-a1)_1 * (y^-a0) -pub(crate) fn bn_final_exponent(f: Fp12) -> Fp12 { - let mut y = f.frob(6) / f; - y = y.frob(2) * y; - let (y_a2, y_a1, y_a0) = get_bn_custom_powers(y); - y.frob(3) * y_a2.frob(2) * y_a1.frob(1) * y_a0 -} - -/// We first together (so as to avoid repeated steps) compute -/// y^a4, y^a2, y^a0 -/// where a1 is given by -/// a1 = a4 + 2a2 - a0 -/// we then invert y^a0 and return -/// y^a2, y^a1 = y^a4 * y^a2 * y^a2 * y^(-a0), y^(-a0) -/// -/// Representing a4, a2, a0 in *little endian* binary, define -/// BN_EXPS4 = [(a4[i], a2[i], a0[i]) for i in 0..len(a4)] -/// BN_EXPS2 = [ (a2[i], a0[i]) for i in len(a4)..len(a2)] -/// BN_EXPS0 = [ a0[i] for i in len(a2)..len(a0)] -fn get_bn_custom_powers(f: Fp12) -> (Fp12, Fp12, Fp12) { - let mut sq: Fp12 = f; - let mut y0: Fp12 = Fp12::::UNIT; - let mut y2: Fp12 = Fp12::::UNIT; - let mut y4: Fp12 = Fp12::::UNIT; - - // proceed via standard squaring algorithm for exponentiation - - // must keep multiplying all three values: a4, a2, a0 - for (a, b, c) in BN_EXPS4 { - if a { - y4 = y4 * sq; - } - if b { - y2 = y2 * sq; - } - if c { - y0 = y0 * sq; - } - sq = sq * sq; - } - // leading term of a4 is always 1 - y4 = y4 * sq; - - // must keep multiplying remaining two values: a2, a0 - for (a, b) in BN_EXPS2 { - if a { - y2 = y2 * sq; - } - if b { - y0 = y0 * sq; - } - sq = sq * sq; - } - // leading term of a2 is always 1 - y2 = y2 * sq; - - // must keep multiplying final remaining value: a0 - for a in BN_EXPS0 { - if a { - y0 = y0 * sq; - } - sq = sq * sq; - } - // leading term of a0 is always 1 - y0 = y0 * sq; - - // invert y0 to compute y^(-a0) - let y0_inv = y0.inv(); - - // return y^a2 = y2, y^a1 = y4 * y2^2 * y^(-a0), y^(-a0) - (y2, y4 * y2 * y2 * y0_inv, y0_inv) -} - -const BN_EXP: [bool; 253] = [ - true, false, false, false, false, false, true, true, false, false, true, false, false, false, - true, false, false, true, true, true, false, false, true, true, true, false, false, true, - false, true, true, true, false, false, false, false, true, false, false, true, true, false, - false, false, true, true, false, true, false, false, false, false, false, false, false, true, - false, true, false, false, true, true, false, true, true, true, false, false, false, false, - true, false, true, false, false, false, false, false, true, false, false, false, true, false, - true, true, false, true, true, false, true, true, false, true, false, false, false, false, - false, false, true, true, false, false, false, false, false, false, true, false, true, false, - true, true, false, false, false, false, true, false, true, true, true, false, true, false, - false, true, false, true, false, false, false, false, false, true, true, false, false, true, - true, true, true, true, false, true, false, false, false, false, true, false, false, true, - false, false, false, false, true, true, true, true, false, false, true, true, false, true, - true, true, false, false, true, false, true, true, true, false, false, false, false, true, - false, false, true, false, false, false, true, false, true, false, false, false, false, true, - true, true, true, true, false, false, false, false, true, true, true, true, true, false, true, - false, true, true, false, false, true, false, false, true, true, true, true, true, true, false, - false, false, false, false, false, false, false, false, false, false, false, false, false, - false, false, false, false, false, false, false, false, false, false, false, false, false, - false, -]; - -// The following constants are defined above get_custom_powers - -const BN_EXPS4: [(bool, bool, bool); 64] = [ - (true, true, false), - (true, true, true), - (true, true, true), - (false, false, false), - (false, false, true), - (true, false, true), - (false, true, false), - (true, false, true), - (true, true, false), - (true, false, true), - (false, true, false), - (true, true, false), - (true, true, false), - (true, true, false), - (false, true, false), - (false, true, false), - (false, false, true), - (true, false, true), - (true, true, false), - (false, true, false), - (true, true, false), - (true, true, false), - (true, true, false), - (false, false, true), - (false, false, true), - (true, false, true), - (true, false, true), - (true, true, false), - (true, false, false), - (true, true, false), - (false, true, false), - (true, true, false), - (true, false, false), - (false, true, false), - (false, false, false), - (true, false, false), - (true, false, false), - (true, false, true), - (false, false, true), - (false, true, true), - (false, false, true), - (false, true, true), - (false, true, true), - (false, false, false), - (true, true, true), - (true, false, true), - (true, false, true), - (false, true, true), - (true, false, true), - (false, true, true), - (false, true, true), - (true, true, false), - (true, true, false), - (true, true, false), - (true, false, false), - (false, false, true), - (true, false, false), - (false, false, true), - (true, false, true), - (true, true, false), - (true, true, true), - (false, true, true), - (false, true, false), - (true, true, true), -]; - -const BN_EXPS2: [(bool, bool); 62] = [ - (true, false), - (true, true), - (false, false), - (true, false), - (true, false), - (true, true), - (true, false), - (true, true), - (true, false), - (false, true), - (false, true), - (true, true), - (true, true), - (false, false), - (true, true), - (false, false), - (false, false), - (false, true), - (false, true), - (true, true), - (true, true), - (true, true), - (false, true), - (true, true), - (false, false), - (true, true), - (true, false), - (true, true), - (false, false), - (true, true), - (true, true), - (true, false), - (false, false), - (false, true), - (false, false), - (true, true), - (false, true), - (false, false), - (true, false), - (false, true), - (false, true), - (true, false), - (false, true), - (false, false), - (false, false), - (false, false), - (false, true), - (true, false), - (true, true), - (false, true), - (true, true), - (true, false), - (false, true), - (false, false), - (true, false), - (false, true), - (true, false), - (true, true), - (true, false), - (true, true), - (false, true), - (true, true), -]; - -const BN_EXPS0: [bool; 65] = [ - false, false, true, false, false, true, true, false, true, false, true, true, true, false, - true, false, false, false, true, false, false, true, false, true, false, true, true, false, - false, false, false, false, true, false, true, false, true, true, true, false, false, true, - true, true, true, false, true, false, true, true, false, false, true, false, false, false, - true, true, true, true, false, false, true, true, false, -]; diff --git a/evm/src/evaluation_frame.rs b/evm/src/evaluation_frame.rs deleted file mode 100644 index 0f6bbe2ceb..0000000000 --- a/evm/src/evaluation_frame.rs +++ /dev/null @@ -1,47 +0,0 @@ -/// A trait for viewing an evaluation frame of a STARK table. -/// -/// It allows to access the current and next rows at a given step -/// and can be used to implement constraint evaluation both natively -/// and recursively. -pub trait StarkEvaluationFrame: Sized { - /// The number of columns for the STARK table this evaluation frame views. - const COLUMNS: usize; - - /// Returns the local values (i.e. current row) for this evaluation frame. - fn get_local_values(&self) -> &[T]; - /// Returns the next values (i.e. next row) for this evaluation frame. - fn get_next_values(&self) -> &[T]; - - /// Outputs a new evaluation frame from the provided local and next values. - /// - /// **NOTE**: Concrete implementations of this method SHOULD ensure that - /// the provided slices lengths match the `Self::COLUMNS` value. - fn from_values(lv: &[T], nv: &[T]) -> Self; -} - -pub struct StarkFrame { - local_values: [T; N], - next_values: [T; N], -} - -impl StarkEvaluationFrame for StarkFrame { - const COLUMNS: usize = N; - - fn get_local_values(&self) -> &[T] { - &self.local_values - } - - fn get_next_values(&self) -> &[T] { - &self.next_values - } - - fn from_values(lv: &[T], nv: &[T]) -> Self { - assert_eq!(lv.len(), Self::COLUMNS); - assert_eq!(nv.len(), Self::COLUMNS); - - Self { - local_values: lv.try_into().unwrap(), - next_values: nv.try_into().unwrap(), - } - } -} diff --git a/evm/src/extension_tower.rs b/evm/src/extension_tower.rs deleted file mode 100644 index ea4e317641..0000000000 --- a/evm/src/extension_tower.rs +++ /dev/null @@ -1,1321 +0,0 @@ -use core::fmt::Debug; -use core::ops::{Add, Div, Mul, Neg, Sub}; - -use ethereum_types::{U256, U512}; -use rand::distributions::{Distribution, Standard}; -use rand::Rng; - -pub trait FieldExt: - Copy - + std::fmt::Debug - + std::cmp::PartialEq - + std::ops::Add - + std::ops::Neg - + std::ops::Sub - + std::ops::Mul - + std::ops::Div -{ - const ZERO: Self; - const UNIT: Self; - fn new(val: usize) -> Self; - fn inv(self) -> Self; -} - -pub(crate) const BN_BASE: U256 = U256([ - 0x3c208c16d87cfd47, - 0x97816a916871ca8d, - 0xb85045b68181585d, - 0x30644e72e131a029, -]); - -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct BN254 { - pub val: U256, -} - -impl Distribution for Standard { - fn sample(&self, rng: &mut R) -> BN254 { - let xs = rng.gen::<[u64; 4]>(); - BN254 { - val: U256(xs) % BN_BASE, - } - } -} - -impl Add for BN254 { - type Output = Self; - - fn add(self, other: Self) -> Self { - BN254 { - val: (self.val + other.val) % BN_BASE, - } - } -} - -impl Neg for BN254 { - type Output = Self; - - fn neg(self) -> Self::Output { - BN254 { - val: (BN_BASE - self.val) % BN_BASE, - } - } -} - -impl Sub for BN254 { - type Output = Self; - - fn sub(self, other: Self) -> Self { - BN254 { - val: (BN_BASE + self.val - other.val) % BN_BASE, - } - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Mul for BN254 { - type Output = Self; - - fn mul(self, other: Self) -> Self { - BN254 { - val: U256::try_from((self.val).full_mul(other.val) % BN_BASE).unwrap(), - } - } -} - -impl FieldExt for BN254 { - const ZERO: Self = BN254 { val: U256::zero() }; - const UNIT: Self = BN254 { val: U256::one() }; - fn new(val: usize) -> BN254 { - BN254 { - val: U256::from(val), - } - } - fn inv(self) -> BN254 { - let exp = BN_BASE - 2; - let mut current = self; - let mut product = BN254 { val: U256::one() }; - for j in 0..256 { - if exp.bit(j) { - product = product * current; - } - current = current * current; - } - product - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Div for BN254 { - type Output = Self; - - fn div(self, rhs: Self) -> Self::Output { - self * rhs.inv() - } -} - -pub(crate) const BLS_BASE: U512 = U512([ - 0xb9feffffffffaaab, - 0x1eabfffeb153ffff, - 0x6730d2a0f6b0f624, - 0x64774b84f38512bf, - 0x4b1ba7b6434bacd7, - 0x1a0111ea397fe69a, - 0x0, - 0x0, -]); - -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct BLS381 { - pub val: U512, -} - -impl BLS381 { - pub(crate) fn lo(self) -> U256 { - U256(self.val.0[..4].try_into().unwrap()) - } - - pub(crate) fn hi(self) -> U256 { - U256(self.val.0[4..].try_into().unwrap()) - } -} - -impl Distribution for Standard { - fn sample(&self, rng: &mut R) -> BLS381 { - let xs = rng.gen::<[u64; 8]>(); - BLS381 { - val: U512(xs) % BLS_BASE, - } - } -} - -impl Add for BLS381 { - type Output = Self; - - fn add(self, other: Self) -> Self { - BLS381 { - val: (self.val + other.val) % BLS_BASE, - } - } -} - -impl Neg for BLS381 { - type Output = Self; - - fn neg(self) -> Self::Output { - BLS381 { - val: (BLS_BASE - self.val) % BLS_BASE, - } - } -} - -impl Sub for BLS381 { - type Output = Self; - - fn sub(self, other: Self) -> Self { - BLS381 { - val: (BLS_BASE + self.val - other.val) % BLS_BASE, - } - } -} - -impl BLS381 { - fn lsh_128(self) -> BLS381 { - let b128: U512 = U512([0, 0, 1, 0, 0, 0, 0, 0]); - // since BLS_BASE < 2^384, multiplying by 2^128 doesn't overflow the U512 - BLS381 { - val: self.val.saturating_mul(b128) % BLS_BASE, - } - } - - fn lsh_256(self) -> BLS381 { - self.lsh_128().lsh_128() - } - - fn lsh_512(self) -> BLS381 { - self.lsh_256().lsh_256() - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Mul for BLS381 { - type Output = Self; - - fn mul(self, other: Self) -> Self { - // x1, y1 are at most ((q-1) // 2^256) < 2^125 - let x0 = U512::from(self.lo()); - let x1 = U512::from(self.hi()); - let y0 = U512::from(other.lo()); - let y1 = U512::from(other.hi()); - - let z00 = BLS381 { - val: x0.saturating_mul(y0) % BLS_BASE, - }; - let z01 = BLS381 { - val: x0.saturating_mul(y1), - }; - let z10 = BLS381 { - val: x1.saturating_mul(y0), - }; - let z11 = BLS381 { - val: x1.saturating_mul(y1), - }; - - z00 + (z01 + z10).lsh_256() + z11.lsh_512() - } -} - -impl FieldExt for BLS381 { - const ZERO: Self = BLS381 { val: U512::zero() }; - const UNIT: Self = BLS381 { val: U512::one() }; - fn new(val: usize) -> BLS381 { - BLS381 { - val: U512::from(val), - } - } - fn inv(self) -> BLS381 { - let exp = BLS_BASE - 2; - let mut current = self; - let mut product = BLS381 { val: U512::one() }; - - for j in 0..512 { - if exp.bit(j) { - product = product * current; - } - current = current * current; - } - product - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Div for BLS381 { - type Output = Self; - - fn div(self, rhs: Self) -> Self::Output { - self * rhs.inv() - } -} - -/// The degree 2 field extension Fp2 is given by adjoining i, the square root of -1, to BN254 -/// The arithmetic in this extension is standard complex arithmetic -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct Fp2 -where - T: FieldExt, -{ - pub re: T, - pub im: T, -} - -impl Distribution> for Standard -where - T: FieldExt, - Standard: Distribution, -{ - fn sample(&self, rng: &mut R) -> Fp2 { - let (re, im) = rng.gen::<(T, T)>(); - Fp2 { re, im } - } -} - -impl Add for Fp2 { - type Output = Self; - - fn add(self, other: Self) -> Self { - Fp2 { - re: self.re + other.re, - im: self.im + other.im, - } - } -} - -impl Neg for Fp2 { - type Output = Self; - - fn neg(self) -> Self::Output { - Fp2 { - re: -self.re, - im: -self.im, - } - } -} - -impl Sub for Fp2 { - type Output = Self; - - fn sub(self, other: Self) -> Self { - Fp2 { - re: self.re - other.re, - im: self.im - other.im, - } - } -} - -impl Mul for Fp2 { - type Output = Self; - - fn mul(self, other: Self) -> Self { - Fp2 { - re: self.re * other.re - self.im * other.im, - im: self.re * other.im + self.im * other.re, - } - } -} - -/// This function scalar multiplies an Fp2 by an Fp -impl Mul for Fp2 { - type Output = Fp2; - - fn mul(self, other: T) -> Self { - Fp2 { - re: other * self.re, - im: other * self.im, - } - } -} - -impl Fp2 { - /// Return the complex conjugate z' of z: Fp2 - /// This also happens to be the frobenius map - /// z -> z^p - /// since p == 3 mod 4 and hence - /// i^p = i^(4k) * i^3 = 1*(-i) = -i - fn conj(self) -> Self { - Fp2 { - re: self.re, - im: -self.im, - } - } - - // Return the magnitude squared of a complex number - fn norm_sq(self) -> T { - self.re * self.re + self.im * self.im - } -} - -impl FieldExt for Fp2 { - const ZERO: Fp2 = Fp2 { - re: T::ZERO, - im: T::ZERO, - }; - - const UNIT: Fp2 = Fp2 { - re: T::UNIT, - im: T::ZERO, - }; - - fn new(val: usize) -> Fp2 { - Fp2 { - re: T::new(val), - im: T::ZERO, - } - } - - /// The inverse of z is given by z'/||z||^2 since ||z||^2 = zz' - fn inv(self) -> Fp2 { - let norm_sq = self.norm_sq(); - self.conj() * norm_sq.inv() - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Div for Fp2 { - type Output = Self; - - fn div(self, rhs: Self) -> Self::Output { - self * rhs.inv() - } -} - -/// This trait defines the method which multiplies -/// by the Fp2 element t^3 whose cube root we will -/// adjoin in the subsequent cubic extension. -/// For BN254 this is 9+i, and for BLS381 it is 1+i. -/// It also defines the relevant FROB constants, -/// given by t^(p^n) and t^(p^2n) for various n, -/// used to compute the frobenius operations. -pub trait Adj: Sized { - fn mul_adj(self) -> Self; - const FROB_T: [[Self; 6]; 2]; - const FROB_Z: [Self; 12]; -} - -impl Adj for Fp2 { - fn mul_adj(self) -> Self { - let nine = BN254::new(9); - Fp2 { - re: nine * self.re - self.im, - im: self.re + nine * self.im, - } - } - - const FROB_T: [[Fp2; 6]; 2] = [ - [ - Fp2 { - re: BN254 { val: U256::one() }, - im: BN254 { val: U256::zero() }, - }, - Fp2 { - re: BN254 { - val: U256([ - 0x99e39557176f553d, - 0xb78cc310c2c3330c, - 0x4c0bec3cf559b143, - 0x2fb347984f7911f7, - ]), - }, - im: BN254 { - val: U256([ - 0x1665d51c640fcba2, - 0x32ae2a1d0b7c9dce, - 0x4ba4cc8bd75a0794, - 0x16c9e55061ebae20, - ]), - }, - }, - Fp2 { - re: BN254 { - val: U256([ - 0xe4bd44e5607cfd48, - 0xc28f069fbb966e3d, - 0x5e6dd9e7e0acccb0, - 0x30644e72e131a029, - ]), - }, - im: BN254 { val: U256::zero() }, - }, - Fp2 { - re: BN254 { - val: U256([ - 0x7b746ee87bdcfb6d, - 0x805ffd3d5d6942d3, - 0xbaff1c77959f25ac, - 0x0856e078b755ef0a, - ]), - }, - im: BN254 { - val: U256([ - 0x380cab2baaa586de, - 0x0fdf31bf98ff2631, - 0xa9f30e6dec26094f, - 0x04f1de41b3d1766f, - ]), - }, - }, - Fp2 { - re: BN254 { - val: U256([ - 0x5763473177fffffe, - 0xd4f263f1acdb5c4f, - 0x59e26bcea0d48bac, - 0x0, - ]), - }, - im: BN254 { val: U256::zero() }, - }, - Fp2 { - re: BN254 { - val: U256([ - 0x62e913ee1dada9e4, - 0xf71614d4b0b71f3a, - 0x699582b87809d9ca, - 0x28be74d4bb943f51, - ]), - }, - im: BN254 { - val: U256([ - 0xedae0bcec9c7aac7, - 0x54f40eb4c3f6068d, - 0xc2b86abcbe01477a, - 0x14a88ae0cb747b99, - ]), - }, - }, - ], - [ - Fp2 { - re: BN254 { val: U256::one() }, - im: BN254 { val: U256::zero() }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x848a1f55921ea762, - 0xd33365f7be94ec72, - 0x80f3c0b75a181e84, - 0x05b54f5e64eea801, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0xc13b4711cd2b8126, - 0x3685d2ea1bdec763, - 0x9f3a80b03b0b1c92, - 0x2c145edbe7fd8aee, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x5763473177fffffe, - 0xd4f263f1acdb5c4f, - 0x59e26bcea0d48bac, - 0x0, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x0e1a92bc3ccbf066, - 0xe633094575b06bcb, - 0x19bee0f7b5b2444e, - 0xbc58c6611c08dab, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0x5fe3ed9d730c239f, - 0xa44a9e08737f96e5, - 0xfeb0f6ef0cd21d04, - 0x23d5e999e1910a12, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xe4bd44e5607cfd48, - 0xc28f069fbb966e3d, - 0x5e6dd9e7e0acccb0, - 0x30644e72e131a029, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xa97bda050992657f, - 0xde1afb54342c724f, - 0x1d9da40771b6f589, - 0x1ee972ae6a826a7d, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0x5721e37e70c255c9, - 0x54326430418536d1, - 0xd2b513cdbb257724, - 0x10de546ff8d4ab51, - ]), - } - }, - }, - ], - ]; - - const FROB_Z: [Fp2; 12] = [ - Fp2 { - re: { BN254 { val: U256::one() } }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xd60b35dadcc9e470, - 0x5c521e08292f2176, - 0xe8b99fdd76e68b60, - 0x1284b71c2865a7df, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0xca5cf05f80f362ac, - 0x747992778eeec7e5, - 0xa6327cfe12150b8e, - 0x246996f3b4fae7e6, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xe4bd44e5607cfd49, - 0xc28f069fbb966e3d, - 0x5e6dd9e7e0acccb0, - 0x30644e72e131a029, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xe86f7d391ed4a67f, - 0x894cb38dbe55d24a, - 0xefe9608cd0acaa90, - 0x19dc81cfcc82e4bb, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0x7694aa2bf4c0c101, - 0x7f03a5e397d439ec, - 0x06cbeee33576139d, - 0xabf8b60be77d73, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0xe4bd44e5607cfd48, - 0xc28f069fbb966e3d, - 0x5e6dd9e7e0acccb0, - 0x30644e72e131a029, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x1264475e420ac20f, - 0x2cfa95859526b0d4, - 0x072fc0af59c61f30, - 0x757cab3a41d3cdc, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0xe85845e34c4a5b9c, - 0xa20b7dfd71573c93, - 0x18e9b79ba4e2606c, - 0xca6b035381e35b6, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x3c208c16d87cfd46, - 0x97816a916871ca8d, - 0xb85045b68181585d, - 0x30644e72e131a029, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x6615563bfbb318d7, - 0x3b2f4c893f42a916, - 0xcf96a5d90a9accfd, - 0x1ddf9756b8cbf849, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0x71c39bb757899a9b, - 0x2307d819d98302a7, - 0x121dc8b86f6c4ccf, - 0x0bfab77f2c36b843, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x5763473177fffffe, - 0xd4f263f1acdb5c4f, - 0x59e26bcea0d48bac, - 0x0, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x53b10eddb9a856c8, - 0x0e34b703aa1bf842, - 0xc866e529b0d4adcd, - 0x1687cca314aebb6d, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0xc58be1eae3bc3c46, - 0x187dc4add09d90a0, - 0xb18456d34c0b44c0, - 0x2fb855bcd54a22b6, - ]), - } - }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x5763473177ffffff, - 0xd4f263f1acdb5c4f, - 0x59e26bcea0d48bac, - 0x0, - ]), - } - }, - im: { BN254 { val: U256::zero() } }, - }, - Fp2 { - re: { - BN254 { - val: U256([ - 0x29bc44b896723b38, - 0x6a86d50bd34b19b9, - 0xb120850727bb392d, - 0x290c83bf3d14634d, - ]), - } - }, - im: { - BN254 { - val: U256([ - 0x53c846338c32a1ab, - 0xf575ec93f71a8df9, - 0x9f668e1adc9ef7f0, - 0x23bd9e3da9136a73, - ]), - } - }, - }, - ]; -} - -impl Adj for Fp2 { - fn mul_adj(self) -> Self { - Fp2 { - re: self.re - self.im, - im: self.re + self.im, - } - } - const FROB_T: [[Fp2; 6]; 2] = [[Fp2::::ZERO; 6]; 2]; - const FROB_Z: [Fp2; 12] = [Fp2::::ZERO; 12]; -} - -/// The degree 3 field extension Fp6 over Fp2 is given by adjoining t, where t^3 = 1 + i -/// Fp6 has basis 1, t, t^2 over Fp2 -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - pub t0: Fp2, - pub t1: Fp2, - pub t2: Fp2, -} - -impl Distribution> for Standard -where - T: FieldExt, - Fp2: Adj, - Standard: Distribution, -{ - fn sample(&self, rng: &mut R) -> Fp6 { - let (t0, t1, t2) = rng.gen::<(Fp2, Fp2, Fp2)>(); - Fp6 { t0, t1, t2 } - } -} - -impl Add for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn add(self, other: Self) -> Self { - Fp6 { - t0: self.t0 + other.t0, - t1: self.t1 + other.t1, - t2: self.t2 + other.t2, - } - } -} - -impl Neg for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn neg(self) -> Self::Output { - Fp6 { - t0: -self.t0, - t1: -self.t1, - t2: -self.t2, - } - } -} - -impl Sub for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn sub(self, other: Self) -> Self { - Fp6 { - t0: self.t0 - other.t0, - t1: self.t1 - other.t1, - t2: self.t2 - other.t2, - } - } -} - -impl Mul for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn mul(self, other: Self) -> Self { - Fp6 { - t0: self.t0 * other.t0 + (self.t1 * other.t2 + self.t2 * other.t1).mul_adj(), - t1: self.t0 * other.t1 + self.t1 * other.t0 + (self.t2 * other.t2).mul_adj(), - t2: self.t0 * other.t2 + self.t1 * other.t1 + self.t2 * other.t0, - } - } -} - -/// This function scalar multiplies an Fp6 by an Fp2 -impl Mul> for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Fp6; - - fn mul(self, other: Fp2) -> Self { - Fp6 { - t0: other * self.t0, - t1: other * self.t1, - t2: other * self.t2, - } - } -} - -impl Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - /// This function multiplies an Fp6 element by t, and hence shifts the bases, - /// where the t^2 coefficient picks up a factor of 1+i as the 1 coefficient of the output - fn sh(self) -> Fp6 { - Fp6 { - t0: self.t2.mul_adj(), - t1: self.t0, - t2: self.t1, - } - } -} - -impl Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - /// The nth frobenius endomorphism of a p^q field is given by mapping - /// x to x^(p^n) - /// which sends a + bt + ct^2: Fp6 to - /// a^(p^n) + b^(p^n) * t^(p^n) + c^(p^n) * t^(2p^n) - /// The Fp2 coefficients are determined by the comment in the conj method, - /// while the values of - /// t^(p^n) and t^(2p^n) - /// are precomputed in the constant arrays FROB_T1 and FROB_T2 - pub(crate) fn frob(self, n: usize) -> Fp6 { - let n = n % 6; - let frob_t1 = Fp2::::FROB_T[0][n]; - let frob_t2 = Fp2::::FROB_T[1][n]; - - if n % 2 != 0 { - Fp6 { - t0: self.t0.conj(), - t1: frob_t1 * self.t1.conj(), - t2: frob_t2 * self.t2.conj(), - } - } else { - Fp6 { - t0: self.t0, - t1: frob_t1 * self.t1, - t2: frob_t2 * self.t2, - } - } - } -} - -impl FieldExt for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - const ZERO: Fp6 = Fp6 { - t0: Fp2::::ZERO, - t1: Fp2::::ZERO, - t2: Fp2::::ZERO, - }; - - const UNIT: Fp6 = Fp6 { - t0: Fp2::::UNIT, - t1: Fp2::::ZERO, - t2: Fp2::::ZERO, - }; - - fn new(val: usize) -> Fp6 { - Fp6 { - t0: Fp2::::new(val), - t1: Fp2::::ZERO, - t2: Fp2::::ZERO, - } - } - - /// Let x_n = x^(p^n) and note that - /// x_0 = x^(p^0) = x^1 = x - /// (x_n)_m = (x^(p^n))^(p^m) = x^(p^n * p^m) = x^(p^(n+m)) = x_{n+m} - /// By Galois Theory, given x: Fp6, the product - /// phi = x_0 * x_1 * x_2 * x_3 * x_4 * x_5 - /// lands in BN254, and hence the inverse of x is given by - /// (x_1 * x_2 * x_3 * x_4 * x_5) / phi - /// We can save compute by rearranging the numerator: - /// (x_1 * x_3) * x_5 * (x_1 * x_3)_1 - /// By Galois theory, the following are in Fp2 and are complex conjugates - /// x_1 * x_3 * x_5, x_0 * x_2 * x_4 - /// and therefore - /// phi = ||x_1 * x_3 * x_5||^2 - /// and hence the inverse is given by - /// ([x_1 * x_3] * x_5) * [x_1 * x_3]_1 / ||[x_1 * x_3] * x_5||^2 - fn inv(self) -> Fp6 { - let prod_13 = self.frob(1) * self.frob(3); - let prod_135 = (prod_13 * self.frob(5)).t0; - let phi = prod_135.norm_sq(); - let prod_odds_over_phi = prod_135 * phi.inv(); - let prod_24 = prod_13.frob(1); - prod_24 * prod_odds_over_phi - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Div for Fp6 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn div(self, rhs: Self) -> Self::Output { - self * rhs.inv() - } -} - -/// The degree 2 field extension Fp12 over Fp6 is given by -/// adjoining z, where z^2 = t. It thus has basis 1, z over Fp6 -#[derive(Debug, Copy, Clone, PartialEq)] -pub(crate) struct Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - pub z0: Fp6, - pub z1: Fp6, -} - -impl FieldExt for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - const ZERO: Fp12 = Fp12 { - z0: Fp6::::ZERO, - z1: Fp6::::ZERO, - }; - - const UNIT: Fp12 = Fp12 { - z0: Fp6::::UNIT, - z1: Fp6::::ZERO, - }; - - fn new(val: usize) -> Fp12 { - Fp12 { - z0: Fp6::::new(val), - z1: Fp6::::ZERO, - } - } - - /// By Galois Theory, given x: Fp12, the product - /// phi = Prod_{i=0}^11 x_i - /// lands in BN254, and hence the inverse of x is given by - /// (Prod_{i=1}^11 x_i) / phi - /// The 6th Frob map is nontrivial but leaves Fp6 fixed and hence must be the conjugate: - /// x_6 = (a + bz)_6 = a - bz = x.conj() - /// Letting prod_17 = x_1 * x_7, the remaining factors in the numerator can be expressed as: - /// [(prod_17) * (prod_17)_2] * (prod_17)_4 * [(prod_17) * (prod_17)_2]_1 - /// By Galois theory, both the following are in Fp2 and are complex conjugates - /// prod_odds, prod_evens - /// Thus phi = ||prod_odds||^2, and hence the inverse is given by - /// prod_odds * prod_evens_except_six * x.conj() / ||prod_odds||^2 - fn inv(self) -> Fp12 { - let prod_17 = (self.frob(1) * self.frob(7)).z0; - let prod_1379 = prod_17 * prod_17.frob(2); - let prod_odds = (prod_1379 * prod_17.frob(4)).t0; - let phi = prod_odds.norm_sq(); - let prod_odds_over_phi = prod_odds * phi.inv(); - let prod_evens_except_six = prod_1379.frob(1); - let prod_except_six = prod_evens_except_six * prod_odds_over_phi; - self.conj() * prod_except_six - } -} - -impl Distribution> for Standard -where - T: FieldExt, - Fp2: Adj, - Standard: Distribution, -{ - fn sample(&self, rng: &mut R) -> Fp12 { - let (z0, z1) = rng.gen::<(Fp6, Fp6)>(); - Fp12 { z0, z1 } - } -} - -impl Add for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn add(self, other: Self) -> Self { - Fp12 { - z0: self.z0 + other.z0, - z1: self.z1 + other.z1, - } - } -} - -impl Neg for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn neg(self) -> Self::Output { - Fp12 { - z0: -self.z0, - z1: -self.z1, - } - } -} - -impl Sub for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn sub(self, other: Self) -> Self { - Fp12 { - z0: self.z0 - other.z0, - z1: self.z1 - other.z1, - } - } -} - -impl Mul for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn mul(self, other: Self) -> Self { - let h0 = self.z0 * other.z0; - let h1 = self.z1 * other.z1; - let h01 = (self.z0 + self.z1) * (other.z0 + other.z1); - Fp12 { - z0: h0 + h1.sh(), - z1: h01 - (h0 + h1), - } - } -} - -/// This function scalar multiplies an Fp12 by an Fp6 -impl Mul> for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Fp12; - - fn mul(self, other: Fp6) -> Self { - Fp12 { - z0: other * self.z0, - z1: other * self.z1, - } - } -} - -impl Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - fn conj(self) -> Fp12 { - Fp12 { - z0: self.z0, - z1: -self.z1, - } - } -} - -impl Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - /// The nth frobenius endomorphism of a p^q field is given by mapping - /// x to x^(p^n) - /// which sends a + bz: Fp12 to - /// a^(p^n) + b^(p^n) * z^(p^n) - /// where the values of z^(p^n) are precomputed in the constant array FROB_Z - pub(crate) fn frob(self, n: usize) -> Fp12 { - let n = n % 12; - Fp12 { - z0: self.z0.frob(n), - z1: self.z1.frob(n) * (Fp2::::FROB_Z[n]), - } - } -} - -#[allow(clippy::suspicious_arithmetic_impl)] -impl Div for Fp12 -where - T: FieldExt, - Fp2: Adj, -{ - type Output = Self; - - fn div(self, rhs: Self) -> Self::Output { - self * rhs.inv() - } -} - -pub trait Stack { - const SIZE: usize; - - fn to_stack(&self) -> Vec; - - fn from_stack(stack: &[U256]) -> Self; -} - -impl Stack for BN254 { - const SIZE: usize = 1; - - fn to_stack(&self) -> Vec { - vec![self.val] - } - - fn from_stack(stack: &[U256]) -> BN254 { - BN254 { val: stack[0] } - } -} - -impl Stack for BLS381 { - const SIZE: usize = 2; - - fn to_stack(&self) -> Vec { - vec![self.lo(), self.hi()] - } - - fn from_stack(stack: &[U256]) -> BLS381 { - let mut val = [0u64; 8]; - val[..4].copy_from_slice(&stack[0].0); - val[4..].copy_from_slice(&stack[1].0); - BLS381 { val: U512(val) } - } -} - -impl Stack for Fp2 { - const SIZE: usize = 2 * T::SIZE; - - fn to_stack(&self) -> Vec { - let mut stack = self.re.to_stack(); - stack.extend(self.im.to_stack()); - stack - } - - fn from_stack(stack: &[U256]) -> Fp2 { - let field_size = T::SIZE; - let re = T::from_stack(&stack[0..field_size]); - let im = T::from_stack(&stack[field_size..2 * field_size]); - Fp2 { re, im } - } -} - -impl Stack for Fp6 -where - T: FieldExt, - Fp2: Adj, - Fp2: Stack, -{ - const SIZE: usize = 3 * Fp2::::SIZE; - - fn to_stack(&self) -> Vec { - let mut stack = self.t0.to_stack(); - stack.extend(self.t1.to_stack()); - stack.extend(self.t2.to_stack()); - stack - } - - fn from_stack(stack: &[U256]) -> Self { - let field_size = Fp2::::SIZE; - let t0 = Fp2::::from_stack(&stack[0..field_size]); - let t1 = Fp2::::from_stack(&stack[field_size..2 * field_size]); - let t2 = Fp2::::from_stack(&stack[2 * field_size..3 * field_size]); - Fp6 { t0, t1, t2 } - } -} - -impl Stack for Fp12 -where - T: FieldExt, - Fp2: Adj, - Fp6: Stack, -{ - const SIZE: usize = 2 * Fp6::::SIZE; - - fn to_stack(&self) -> Vec { - let mut stack = self.z0.to_stack(); - stack.extend(self.z1.to_stack()); - stack - } - - fn from_stack(stack: &[U256]) -> Self { - let field_size = Fp6::::SIZE; - let z0 = Fp6::::from_stack(&stack[0..field_size]); - let z1 = Fp6::::from_stack(&stack[field_size..2 * field_size]); - Fp12 { z0, z1 } - } -} diff --git a/evm/src/fixed_recursive_verifier.rs b/evm/src/fixed_recursive_verifier.rs index b8f618fbbe..41890bb56f 100644 --- a/evm/src/fixed_recursive_verifier.rs +++ b/evm/src/fixed_recursive_verifier.rs @@ -1,10 +1,7 @@ use core::mem::{self, MaybeUninit}; -use core::ops::Range; use std::collections::BTreeMap; -use std::sync::atomic::AtomicBool; -use std::sync::Arc; +use std::ops::Range; -use anyhow::anyhow; use eth_trie_utils::partial_trie::{HashedPartialTrie, Node, PartialTrie}; use hashbrown::HashMap; use itertools::{zip_eq, Itertools}; @@ -18,7 +15,7 @@ use plonky2::iop::target::{BoolTarget, Target}; use plonky2::iop::witness::{PartialWitness, WitnessWrite}; use plonky2::plonk::circuit_builder::CircuitBuilder; use plonky2::plonk::circuit_data::{ - CircuitConfig, CircuitData, CommonCircuitData, VerifierCircuitData, VerifierCircuitTarget, + CircuitConfig, CircuitData, CommonCircuitData, VerifierCircuitTarget, }; use plonky2::plonk::config::{AlgebraicHasher, GenericConfig}; use plonky2::plonk::proof::{ProofWithPublicInputs, ProofWithPublicInputsTarget}; @@ -39,14 +36,14 @@ use crate::cross_table_lookup::{ use crate::generation::GenerationInputs; use crate::get_challenges::observe_public_values_target; use crate::proof::{ - AllProof, BlockHashesTarget, BlockMetadataTarget, ExtraBlockData, ExtraBlockDataTarget, - PublicValues, PublicValuesTarget, StarkProofWithMetadata, TrieRoots, TrieRootsTarget, + BlockHashesTarget, BlockMetadataTarget, ExtraBlockDataTarget, PublicValues, PublicValuesTarget, + StarkProofWithMetadata, TrieRootsTarget, }; -use crate::prover::{check_abort_signal, prove}; +use crate::prover::prove; use crate::recursive_verifier::{ - add_common_recursion_gates, add_virtual_public_values, get_memory_extra_looking_sum_circuit, - recursive_stark_circuit, set_public_value_targets, PlonkWrapperCircuit, PublicInputs, - StarkWrapperCircuit, + add_common_recursion_gates, add_virtual_public_values, + get_memory_extra_looking_products_circuit, recursive_stark_circuit, set_public_value_targets, + PlonkWrapperCircuit, PublicInputs, StarkWrapperCircuit, }; use crate::stark::Stark; use crate::util::h256_limbs; @@ -67,13 +64,11 @@ where { /// The EVM root circuit, which aggregates the (shrunk) per-table recursive proofs. pub root: RootCircuitData, - /// The aggregation circuit, which verifies two proofs that can either be root or - /// aggregation proofs. pub aggregation: AggregationCircuitData, - /// The block circuit, which verifies an aggregation root proof and an optional previous block proof. + /// The block circuit, which verifies an aggregation root proof and a previous block proof. pub block: BlockCircuitData, /// Holds chains of circuits for each table and for each initial `degree_bits`. - pub by_table: [RecursiveCircuitsForTable; NUM_TABLES], + by_table: [RecursiveCircuitsForTable; NUM_TABLES], } /// Data for the EVM root circuit, which is used to combine each STARK's shrunk wrapper proof @@ -101,7 +96,7 @@ where F: RichField + Extendable, C: GenericConfig, { - fn to_buffer( + pub fn to_buffer( &self, buffer: &mut Vec, gate_serializer: &dyn GateSerializer, @@ -119,7 +114,7 @@ where Ok(()) } - fn from_buffer( + pub fn from_buffer( buffer: &mut Buffer, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, @@ -166,7 +161,7 @@ where F: RichField + Extendable, C: GenericConfig, { - fn to_buffer( + pub fn to_buffer( &self, buffer: &mut Vec, gate_serializer: &dyn GateSerializer, @@ -180,7 +175,7 @@ where Ok(()) } - fn from_buffer( + pub fn from_buffer( buffer: &mut Buffer, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, @@ -201,21 +196,21 @@ where } #[derive(Eq, PartialEq, Debug)] -struct AggregationChildTarget { +pub struct AggregationChildTarget { is_agg: BoolTarget, agg_proof: ProofWithPublicInputsTarget, evm_proof: ProofWithPublicInputsTarget, } impl AggregationChildTarget { - fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { + pub fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { buffer.write_target_bool(self.is_agg)?; buffer.write_target_proof_with_public_inputs(&self.agg_proof)?; buffer.write_target_proof_with_public_inputs(&self.evm_proof)?; Ok(()) } - fn from_buffer(buffer: &mut Buffer) -> IoResult { + pub fn from_buffer(buffer: &mut Buffer) -> IoResult { let is_agg = buffer.read_target_bool()?; let agg_proof = buffer.read_target_proof_with_public_inputs()?; let evm_proof = buffer.read_target_proof_with_public_inputs()?; @@ -226,7 +221,7 @@ impl AggregationChildTarget { }) } - fn public_values>( + pub fn public_values>( &self, builder: &mut CircuitBuilder, ) -> PublicValuesTarget { @@ -236,8 +231,6 @@ impl AggregationChildTarget { } } -/// Data for the block circuit, which is used to generate a final block proof, -/// and compress it with an optional parent proof if present. #[derive(Eq, PartialEq, Debug)] pub struct BlockCircuitData where @@ -257,7 +250,7 @@ where F: RichField + Extendable, C: GenericConfig, { - fn to_buffer( + pub fn to_buffer( &self, buffer: &mut Vec, gate_serializer: &dyn GateSerializer, @@ -272,7 +265,7 @@ where Ok(()) } - fn from_buffer( + pub fn from_buffer( buffer: &mut Buffer, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, @@ -300,19 +293,8 @@ where C: GenericConfig + 'static, C::Hasher: AlgebraicHasher, { - /// Serializes all these preprocessed circuits into a sequence of bytes. - /// - /// # Arguments - /// - /// - `skip_tables`: a boolean indicating whether to serialize only the upper circuits - /// or the entire prover state, including recursive circuits to shrink STARK proofs. - /// - `gate_serializer`: a custom gate serializer needed to serialize recursive circuits - /// common data. - /// - `generator_serializer`: a custom generator serializer needed to serialize recursive - /// circuits proving data. pub fn to_bytes( &self, - skip_tables: bool, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, ) -> IoResult> { @@ -324,28 +306,14 @@ where .to_buffer(&mut buffer, gate_serializer, generator_serializer)?; self.block .to_buffer(&mut buffer, gate_serializer, generator_serializer)?; - if !skip_tables { - for table in &self.by_table { - table.to_buffer(&mut buffer, gate_serializer, generator_serializer)?; - } + for table in &self.by_table { + table.to_buffer(&mut buffer, gate_serializer, generator_serializer)?; } Ok(buffer) } - /// Deserializes a sequence of bytes into an entire prover state containing all recursive circuits. - /// - /// # Arguments - /// - /// - `bytes`: a slice of bytes to deserialize this prover state from. - /// - `skip_tables`: a boolean indicating whether to deserialize only the upper circuits - /// or the entire prover state, including recursive circuits to shrink STARK proofs. - /// - `gate_serializer`: a custom gate serializer needed to serialize recursive circuits - /// common data. - /// - `generator_serializer`: a custom generator serializer needed to serialize recursive - /// circuits proving data. pub fn from_bytes( bytes: &[u8], - skip_tables: bool, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, ) -> IoResult { @@ -360,30 +328,21 @@ where let block = BlockCircuitData::from_buffer(&mut buffer, gate_serializer, generator_serializer)?; - let by_table = match skip_tables { - true => (0..NUM_TABLES) - .map(|_| RecursiveCircuitsForTable { - by_stark_size: BTreeMap::default(), - }) - .collect_vec() - .try_into() - .unwrap(), - false => { - // Tricky use of MaybeUninit to remove the need for implementing Debug - // for all underlying types, necessary to convert a by_table Vec to an array. - let mut by_table: [MaybeUninit>; NUM_TABLES] = - unsafe { MaybeUninit::uninit().assume_init() }; - for table in &mut by_table[..] { - let value = RecursiveCircuitsForTable::from_buffer( - &mut buffer, - gate_serializer, - generator_serializer, - )?; - *table = MaybeUninit::new(value); - } - unsafe { - mem::transmute::<_, [RecursiveCircuitsForTable; NUM_TABLES]>(by_table) - } + // Tricky use of MaybeUninit to remove the need for implementing Debug + // for all underlying types, necessary to convert a by_table Vec to an array. + let by_table = { + let mut by_table: [MaybeUninit>; NUM_TABLES] = + unsafe { MaybeUninit::uninit().assume_init() }; + for table in &mut by_table[..] { + let value = RecursiveCircuitsForTable::from_buffer( + &mut buffer, + gate_serializer, + generator_serializer, + )?; + *table = MaybeUninit::new(value); + } + unsafe { + mem::transmute::<_, [RecursiveCircuitsForTable; NUM_TABLES]>(by_table) } }; @@ -396,19 +355,6 @@ where } /// Preprocess all recursive circuits used by the system. - /// - /// # Arguments - /// - /// - `all_stark`: a structure defining the logic of all STARK modules and their associated - /// cross-table lookups. - /// - `degree_bits_ranges`: the logarithmic ranges to be supported for the recursive tables. - /// Transactions may yield arbitrary trace lengths for each STARK module (within some bounds), - /// unknown prior generating the witness to create a proof. Thus, for each STARK module, we - /// construct a map from `2^{degree_bits} = length` to a chain of shrinking recursion circuits, - /// starting from that length, for each `degree_bits` in the range specified for this STARK module. - /// Specifying a wide enough range allows a prover to cover all possible scenarios. - /// - `stark_config`: the configuration to be used for the STARK prover. It will usually be a fast - /// one yielding large proofs. pub fn new( all_stark: &AllStark, degree_bits_ranges: &[Range; NUM_TABLES], @@ -417,49 +363,49 @@ where let arithmetic = RecursiveCircuitsForTable::new( Table::Arithmetic, &all_stark.arithmetic_stark, - degree_bits_ranges[*Table::Arithmetic].clone(), + degree_bits_ranges[Table::Arithmetic as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let byte_packing = RecursiveCircuitsForTable::new( Table::BytePacking, &all_stark.byte_packing_stark, - degree_bits_ranges[*Table::BytePacking].clone(), + degree_bits_ranges[Table::BytePacking as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let cpu = RecursiveCircuitsForTable::new( Table::Cpu, &all_stark.cpu_stark, - degree_bits_ranges[*Table::Cpu].clone(), + degree_bits_ranges[Table::Cpu as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let keccak = RecursiveCircuitsForTable::new( Table::Keccak, &all_stark.keccak_stark, - degree_bits_ranges[*Table::Keccak].clone(), + degree_bits_ranges[Table::Keccak as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let keccak_sponge = RecursiveCircuitsForTable::new( Table::KeccakSponge, &all_stark.keccak_sponge_stark, - degree_bits_ranges[*Table::KeccakSponge].clone(), + degree_bits_ranges[Table::KeccakSponge as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let logic = RecursiveCircuitsForTable::new( Table::Logic, &all_stark.logic_stark, - degree_bits_ranges[*Table::Logic].clone(), + degree_bits_ranges[Table::Logic as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); let memory = RecursiveCircuitsForTable::new( Table::Memory, &all_stark.memory_stark, - degree_bits_ranges[*Table::Memory].clone(), + degree_bits_ranges[Table::Memory as usize].clone(), &all_stark.cross_table_lookups, stark_config, ); @@ -484,25 +430,6 @@ where } } - /// Outputs the `VerifierCircuitData` needed to verify any block proof - /// generated by an honest prover. - /// While the [`AllRecursiveCircuits`] prover state can also verify proofs, verifiers - /// only need a fraction of the state to verify proofs. This allows much less powerful - /// entities to behave as verifiers, by only loading the necessary data to verify block proofs. - /// - /// # Usage - /// - /// ```ignore - /// let prover_state = AllRecursiveCircuits { ... }; - /// let verifier_state = prover_state.final_verifier_data(); - /// - /// // Verify a provided block proof - /// assert!(verifier_state.verify(&block_proof).is_ok()); - /// ``` - pub fn final_verifier_data(&self) -> VerifierCircuitData { - self.block.circuit.verifier_data() - } - fn create_root_circuit( by_table: &[RecursiveCircuitsForTable; NUM_TABLES], stark_config: &StarkConfig, @@ -566,15 +493,15 @@ where } } - // Extra sums to add to the looked last value. + // Extra products to add to the looked last value. // Only necessary for the Memory values. - let mut extra_looking_sums = - vec![vec![builder.zero(); stark_config.num_challenges]; NUM_TABLES]; + let mut extra_looking_products = + vec![vec![builder.one(); stark_config.num_challenges]; NUM_TABLES]; // Memory - extra_looking_sums[*Table::Memory] = (0..stark_config.num_challenges) + extra_looking_products[Table::Memory as usize] = (0..stark_config.num_challenges) .map(|c| { - get_memory_extra_looking_sum_circuit( + get_memory_extra_looking_products_circuit( &mut builder, &public_values, ctl_challenges.challenges[c], @@ -583,11 +510,11 @@ where .collect_vec(); // Verify the CTL checks. - verify_cross_table_lookups_circuit::( + verify_cross_table_lookups_circuit::( &mut builder, all_cross_table_lookups(), pis.map(|p| p.ctl_zs_first), - extra_looking_sums, + extra_looking_products, stark_config, ); @@ -716,18 +643,18 @@ where lhs: &ExtraBlockDataTarget, rhs: &ExtraBlockDataTarget, ) { - // Connect checkpoint state root values. + // Connect genesis state root values. for (&limb0, &limb1) in pvs - .checkpoint_state_trie_root + .genesis_state_trie_root .iter() - .zip(&rhs.checkpoint_state_trie_root) + .zip(&rhs.genesis_state_trie_root) { builder.connect(limb0, limb1); } for (&limb0, &limb1) in pvs - .checkpoint_state_trie_root + .genesis_state_trie_root .iter() - .zip(&lhs.checkpoint_state_trie_root) + .zip(&lhs.genesis_state_trie_root) { builder.connect(limb0, limb1); } @@ -740,11 +667,26 @@ where builder.connect(lhs.txn_number_after, rhs.txn_number_before); // Connect the gas used in public values to the lhs and rhs values correctly. - builder.connect(pvs.gas_used_before, lhs.gas_used_before); - builder.connect(pvs.gas_used_after, rhs.gas_used_after); + builder.connect(pvs.gas_used_before[0], lhs.gas_used_before[0]); + builder.connect(pvs.gas_used_before[1], lhs.gas_used_before[1]); + builder.connect(pvs.gas_used_after[0], rhs.gas_used_after[0]); + builder.connect(pvs.gas_used_after[1], rhs.gas_used_after[1]); // Connect lhs `gas_used_after` with rhs `gas_used_before`. - builder.connect(lhs.gas_used_after, rhs.gas_used_before); + builder.connect(lhs.gas_used_after[0], rhs.gas_used_before[0]); + builder.connect(lhs.gas_used_after[1], rhs.gas_used_before[1]); + + // Connect the `block_bloom` in public values to the lhs and rhs values correctly. + for (&limb0, &limb1) in pvs.block_bloom_after.iter().zip(&rhs.block_bloom_after) { + builder.connect(limb0, limb1); + } + for (&limb0, &limb1) in pvs.block_bloom_before.iter().zip(&lhs.block_bloom_before) { + builder.connect(limb0, limb1); + } + // Connect lhs `block_bloom_after` with rhs `block_bloom_before`. + for (&limb0, &limb1) in lhs.block_bloom_after.iter().zip(&rhs.block_bloom_before) { + builder.connect(limb0, limb1); + } } fn add_agg_child( @@ -791,34 +733,6 @@ where let parent_pv = PublicValuesTarget::from_public_inputs(&parent_block_proof.public_inputs); let agg_pv = PublicValuesTarget::from_public_inputs(&agg_root_proof.public_inputs); - // Connect block `trie_roots_before` with parent_pv `trie_roots_before`. - TrieRootsTarget::connect( - &mut builder, - public_values.trie_roots_before, - parent_pv.trie_roots_before, - ); - // Connect the rest of block `public_values` with agg_pv. - TrieRootsTarget::connect( - &mut builder, - public_values.trie_roots_after, - agg_pv.trie_roots_after, - ); - BlockMetadataTarget::connect( - &mut builder, - public_values.block_metadata, - agg_pv.block_metadata, - ); - BlockHashesTarget::connect( - &mut builder, - public_values.block_hashes, - agg_pv.block_hashes, - ); - ExtraBlockDataTarget::connect( - &mut builder, - public_values.extra_block_data, - agg_pv.extra_block_data, - ); - // Make connections between block proofs, and check initial and final block values. Self::connect_block_proof(&mut builder, has_parent_block, &parent_pv, &agg_pv); @@ -846,7 +760,7 @@ where } /// Connect the 256 block hashes between two blocks - fn connect_block_hashes( + pub fn connect_block_hashes( builder: &mut CircuitBuilder, lhs: &ProofWithPublicInputsTarget, rhs: &ProofWithPublicInputsTarget, @@ -884,12 +798,12 @@ where builder.connect(limb0, limb1); } - // Between blocks, the checkpoint state trie remains unchanged. + // Between blocks, the genesis state trie remains unchanged. for (&limb0, limb1) in lhs .extra_block_data - .checkpoint_state_trie_root + .genesis_state_trie_root .iter() - .zip(rhs.extra_block_data.checkpoint_state_trie_root) + .zip(rhs.extra_block_data.genesis_state_trie_root) { builder.connect(limb0, limb1); } @@ -907,11 +821,15 @@ where let has_not_parent_block = builder.sub(one, has_parent_block.target); - // Check that the checkpoint block has the predetermined state trie root in `ExtraBlockData`. - Self::connect_checkpoint_block(builder, rhs, has_not_parent_block); + // Check that the genesis block number is 0. + let gen_block_constr = builder.mul(has_not_parent_block, rhs.block_metadata.block_number); + builder.assert_zero(gen_block_constr); + + // Check that the genesis block has the predetermined state trie root in `ExtraBlockData`. + Self::connect_genesis_block(builder, rhs, has_not_parent_block); } - fn connect_checkpoint_block( + fn connect_genesis_block( builder: &mut CircuitBuilder, x: &PublicValuesTarget, has_not_parent_block: Target, @@ -922,7 +840,7 @@ where .trie_roots_before .state_root .iter() - .zip(x.extra_block_data.checkpoint_state_trie_root) + .zip(x.extra_block_data.genesis_state_trie_root) { let mut constr = builder.sub(limb0, limb1); constr = builder.mul(has_not_parent_block, constr); @@ -937,9 +855,22 @@ where F: RichField + Extendable, { builder.connect( - x.block_metadata.block_gas_used, - x.extra_block_data.gas_used_after, + x.block_metadata.block_gas_used[0], + x.extra_block_data.gas_used_after[0], + ); + builder.connect( + x.block_metadata.block_gas_used[1], + x.extra_block_data.gas_used_after[1], ); + + for (&limb0, &limb1) in x + .block_metadata + .block_bloom + .iter() + .zip(&x.extra_block_data.block_bloom_after) + { + builder.connect(limb0, limb1); + } } fn connect_initial_values_block(builder: &mut CircuitBuilder, x: &PublicValuesTarget) @@ -949,7 +880,13 @@ where // The initial number of transactions is 0. builder.assert_zero(x.extra_block_data.txn_number_before); // The initial gas used is 0. - builder.assert_zero(x.extra_block_data.gas_used_before); + builder.assert_zero(x.extra_block_data.gas_used_before[0]); + builder.assert_zero(x.extra_block_data.gas_used_before[1]); + + // The initial bloom filter is all zeroes. + for t in x.extra_block_data.block_bloom_before { + builder.assert_zero(t); + } // The transactions and receipts tries are empty at the beginning of the block. let initial_trie = HashedPartialTrie::from(Node::Empty).hash(); @@ -961,44 +898,15 @@ where } } - /// For a given transaction payload passed as [`GenerationInputs`], create a proof - /// for each STARK module, then recursively shrink and combine them, eventually - /// culminating in a transaction proof, also called root proof. - /// - /// # Arguments - /// - /// - `all_stark`: a structure defining the logic of all STARK modules and their associated - /// cross-table lookups. - /// - `config`: the configuration to be used for the STARK prover. It will usually be a fast - /// one yielding large proofs. - /// - `generation_inputs`: a transaction and auxiliary data needed to generate a proof, provided - /// in Intermediary Representation. - /// - `timing`: a profiler defining a scope hierarchy and the time consumed by each one. - /// - `abort_signal`: an optional [`AtomicBool`] wrapped behind an [`Arc`], to send a kill signal - /// early. This is only necessary in a distributed setting where a worker may be blocking the entire - /// queue. - /// - /// # Outputs - /// - /// This method outputs a tuple of [`ProofWithPublicInputs`] and its [`PublicValues`]. Only - /// the proof with public inputs is necessary for a verifier to assert correctness of the computation, - /// but the public values are output for the prover convenience, as these are necessary during proof - /// aggregation. + /// Create a proof for each STARK, then combine them, eventually culminating in a root proof. pub fn prove_root( &self, all_stark: &AllStark, config: &StarkConfig, generation_inputs: GenerationInputs, timing: &mut TimingTree, - abort_signal: Option>, ) -> anyhow::Result<(ProofWithPublicInputs, PublicValues)> { - let all_proof = prove::( - all_stark, - config, - generation_inputs, - timing, - abort_signal.clone(), - )?; + let all_proof = prove::(all_stark, config, generation_inputs, timing)?; let mut root_inputs = PartialWitness::new(); for table in 0..NUM_TABLES { @@ -1009,7 +917,7 @@ where .by_stark_size .get(&original_degree_bits) .ok_or_else(|| { - anyhow!(format!( + anyhow::Error::msg(format!( "Missing preprocessed circuits for {:?} table with size {}.", Table::all()[table], original_degree_bits, @@ -1026,97 +934,6 @@ where F::from_canonical_usize(index_verifier_data), ); root_inputs.set_proof_with_pis_target(&self.root.proof_with_pis[table], &shrunk_proof); - - check_abort_signal(abort_signal.clone())?; - } - - root_inputs.set_verifier_data_target( - &self.root.cyclic_vk, - &self.aggregation.circuit.verifier_only, - ); - - set_public_value_targets( - &mut root_inputs, - &self.root.public_values, - &all_proof.public_values, - ) - .map_err(|_| { - anyhow::Error::msg("Invalid conversion when setting public values targets.") - })?; - - let root_proof = self.root.circuit.prove(root_inputs)?; - - Ok((root_proof, all_proof.public_values)) - } - - /// From an initial set of STARK proofs passed with their associated recursive table circuits, - /// generate a recursive transaction proof. - /// It is aimed at being used when preprocessed table circuits have not been loaded to memory. - /// - /// **Note**: - /// The type of the `table_circuits` passed as arguments is - /// `&[(RecursiveCircuitsForTableSize, u8); NUM_TABLES]`. In particular, for each STARK - /// proof contained within the `AllProof` object provided to this method, we need to pass a tuple - /// of [`RecursiveCircuitsForTableSize`] and a [`u8`]. The former is the recursive chain - /// corresponding to the initial degree size of the associated STARK proof. The latter is the - /// index of this degree in the range that was originally passed when constructing the entire prover - /// state. - /// - /// # Usage - /// - /// ```ignore - /// // Load a prover state without its recursive table circuits. - /// let gate_serializer = DefaultGateSerializer; - /// let generator_serializer = DefaultGeneratorSerializer::::new(); - /// let initial_ranges = [16..25, 10..20, 12..25, 14..25, 9..20, 12..20, 17..30]; - /// let prover_state = AllRecursiveCircuits::::new( - /// &all_stark, - /// &initial_ranges, - /// &config, - /// ); - /// - /// // Generate a proof from the provided inputs. - /// let stark_proof = prove::(&all_stark, &config, inputs, &mut timing, abort_signal).unwrap(); - /// - /// // Read the degrees of the internal STARK proofs. - /// // Indices to be passed along the recursive tables - /// // can be easily recovered as `initial_ranges[i]` - `degrees[i]`. - /// let degrees = proof.degree_bits(&config); - /// - /// // Retrieve the corresponding recursive table circuits for each table with the corresponding degree. - /// let table_circuits = { ... }; - /// - /// // Finally shrink the STARK proof. - /// let (proof, public_values) = prove_root_after_initial_stark( - /// &all_stark, - /// &config, - /// &stark_proof, - /// &table_circuits, - /// &mut timing, - /// abort_signal, - /// ).unwrap(); - /// ``` - pub fn prove_root_after_initial_stark( - &self, - all_proof: AllProof, - table_circuits: &[(RecursiveCircuitsForTableSize, u8); NUM_TABLES], - abort_signal: Option>, - ) -> anyhow::Result<(ProofWithPublicInputs, PublicValues)> { - let mut root_inputs = PartialWitness::new(); - - for table in 0..NUM_TABLES { - let (table_circuit, index_verifier_data) = &table_circuits[table]; - - let stark_proof = &all_proof.stark_proofs[table]; - - let shrunk_proof = table_circuit.shrink(stark_proof, &all_proof.ctl_challenges)?; - root_inputs.set_target( - self.root.index_verifier_data[table], - F::from_canonical_u8(*index_verifier_data), - ); - root_inputs.set_proof_with_pis_target(&self.root.proof_with_pis[table], &shrunk_proof); - - check_abort_signal(abort_signal.clone())?; } root_inputs.set_verifier_data_target( @@ -1142,39 +959,13 @@ where self.root.circuit.verify(agg_proof) } - /// Create an aggregation proof, combining two contiguous proofs into a single one. The combined - /// proofs can either be transaction (aka root) proofs, or other aggregation proofs, as long as - /// their states are contiguous, meaning that the final state of the left child proof is the initial - /// state of the right child proof. - /// - /// While regular transaction proofs can only assert validity of a single transaction, aggregation - /// proofs can cover an arbitrary range, up to an entire block with all its transactions. - /// - /// # Arguments - /// - /// - `lhs_is_agg`: a boolean indicating whether the left child proof is an aggregation proof or - /// a regular transaction proof. - /// - `lhs_proof`: the left child proof. - /// - `lhs_public_values`: the public values associated to the right child proof. - /// - `rhs_is_agg`: a boolean indicating whether the right child proof is an aggregation proof or - /// a regular transaction proof. - /// - `rhs_proof`: the right child proof. - /// - `rhs_public_values`: the public values associated to the right child proof. - /// - /// # Outputs - /// - /// This method outputs a tuple of [`ProofWithPublicInputs`] and its [`PublicValues`]. Only - /// the proof with public inputs is necessary for a verifier to assert correctness of the computation, - /// but the public values are output for the prover convenience, as these are necessary during proof - /// aggregation. pub fn prove_aggregation( &self, lhs_is_agg: bool, lhs_proof: &ProofWithPublicInputs, - lhs_public_values: PublicValues, rhs_is_agg: bool, rhs_proof: &ProofWithPublicInputs, - rhs_public_values: PublicValues, + public_values: PublicValues, ) -> anyhow::Result<(ProofWithPublicInputs, PublicValues)> { let mut agg_inputs = PartialWitness::new(); @@ -1191,34 +982,17 @@ where &self.aggregation.circuit.verifier_only, ); - // Aggregates both `PublicValues` from the provided proofs into a single one. - let agg_public_values = PublicValues { - trie_roots_before: lhs_public_values.trie_roots_before, - trie_roots_after: rhs_public_values.trie_roots_after, - extra_block_data: ExtraBlockData { - checkpoint_state_trie_root: lhs_public_values - .extra_block_data - .checkpoint_state_trie_root, - txn_number_before: lhs_public_values.extra_block_data.txn_number_before, - txn_number_after: rhs_public_values.extra_block_data.txn_number_after, - gas_used_before: lhs_public_values.extra_block_data.gas_used_before, - gas_used_after: rhs_public_values.extra_block_data.gas_used_after, - }, - block_metadata: rhs_public_values.block_metadata, - block_hashes: rhs_public_values.block_hashes, - }; - set_public_value_targets( &mut agg_inputs, &self.aggregation.public_values, - &agg_public_values, + &public_values, ) .map_err(|_| { anyhow::Error::msg("Invalid conversion when setting public values targets.") })?; let aggregation_proof = self.aggregation.circuit.prove(agg_inputs)?; - Ok((aggregation_proof, agg_public_values)) + Ok((aggregation_proof, public_values)) } pub fn verify_aggregation( @@ -1233,23 +1007,6 @@ where ) } - /// Create a final block proof, once all transactions of a given block have been combined into a - /// single aggregation proof. - /// - /// Block proofs can either be generated as standalone, or combined with a previous block proof - /// to assert validity of a range of blocks. - /// - /// # Arguments - /// - /// - `opt_parent_block_proof`: an optional parent block proof. Passing one will generate a proof of - /// validity for both the block range covered by the previous proof and the current block. - /// - `agg_root_proof`: the final aggregation proof containing all transactions within the current block. - /// - `public_values`: the public values associated to the aggregation proof. - /// - /// # Outputs - /// - /// This method outputs a tuple of [`ProofWithPublicInputs`] and its [`PublicValues`]. Only - /// the proof with public inputs is necessary for a verifier to assert correctness of the computation. pub fn prove_block( &self, opt_parent_block_proof: Option<&ProofWithPublicInputs>, @@ -1266,90 +1023,33 @@ where block_inputs .set_proof_with_pis_target(&self.block.parent_block_proof, parent_block_proof); } else { - if public_values.trie_roots_before.state_root - != public_values.extra_block_data.checkpoint_state_trie_root - { - return Err(anyhow::Error::msg(format!( - "Inconsistent pre-state for first block {:?} with checkpoint state {:?}.", - public_values.trie_roots_before.state_root, - public_values.extra_block_data.checkpoint_state_trie_root, - ))); - } - - // Initialize some public inputs for correct connection between the checkpoint block and the current one. + // Initialize genesis_state_trie, state_root_after and the block number for correct connection between blocks. + // Initialize `state_root_after`. + let state_trie_root_after_keys = 24..32; let mut nonzero_pis = HashMap::new(); - - // Initialize the checkpoint block roots before, and state root after. - let state_trie_root_before_keys = 0..TrieRootsTarget::HASH_SIZE; - for (key, &value) in state_trie_root_before_keys - .zip_eq(&h256_limbs::(public_values.trie_roots_before.state_root)) - { - nonzero_pis.insert(key, value); - } - let txn_trie_root_before_keys = - TrieRootsTarget::HASH_SIZE..TrieRootsTarget::HASH_SIZE * 2; - for (key, &value) in txn_trie_root_before_keys.clone().zip_eq(&h256_limbs::( - public_values.trie_roots_before.transactions_root, - )) { - nonzero_pis.insert(key, value); - } - let receipts_trie_root_before_keys = - TrieRootsTarget::HASH_SIZE * 2..TrieRootsTarget::HASH_SIZE * 3; - for (key, &value) in receipts_trie_root_before_keys - .clone() - .zip_eq(&h256_limbs::( - public_values.trie_roots_before.receipts_root, - )) - { - nonzero_pis.insert(key, value); - } - let state_trie_root_after_keys = - TrieRootsTarget::SIZE..TrieRootsTarget::SIZE + TrieRootsTarget::HASH_SIZE; for (key, &value) in state_trie_root_after_keys .zip_eq(&h256_limbs::(public_values.trie_roots_before.state_root)) { nonzero_pis.insert(key, value); } - // Initialize the checkpoint state root extra data. - let checkpoint_state_trie_keys = - TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE - ..TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE - + 8; - for (key, &value) in checkpoint_state_trie_keys.zip_eq(&h256_limbs::( - public_values.extra_block_data.checkpoint_state_trie_root, + // Initialize the genesis state trie digest. + let genesis_state_trie_keys = TrieRootsTarget::SIZE * 2 + + BlockMetadataTarget::SIZE + + BlockHashesTarget::BLOCK_HASHES_SIZE + ..TrieRootsTarget::SIZE * 2 + + BlockMetadataTarget::SIZE + + BlockHashesTarget::BLOCK_HASHES_SIZE + + 8; + for (key, &value) in genesis_state_trie_keys.zip_eq(&h256_limbs::( + public_values.extra_block_data.genesis_state_trie_root, )) { nonzero_pis.insert(key, value); } - // Initialize checkpoint block hashes. - // These will be all zeros the initial genesis checkpoint. - let block_hashes_keys = TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE - ..TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE - - 8; - - for i in 0..public_values.block_hashes.prev_hashes.len() - 1 { - let targets = h256_limbs::(public_values.block_hashes.prev_hashes[i]); - for j in 0..8 { - nonzero_pis.insert(block_hashes_keys.start + 8 * (i + 1) + j, targets[j]); - } - } - let block_hashes_current_start = - TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE - 8; - let cur_targets = h256_limbs::(public_values.block_hashes.prev_hashes[255]); - for i in 0..8 { - nonzero_pis.insert(block_hashes_current_start + i, cur_targets[i]); - } - - // Initialize the checkpoint block number. - // Subtraction would result in an invalid proof for genesis, but we shouldn't try proving this block anyway. + // Initialize the block number. let block_number_key = TrieRootsTarget::SIZE * 2 + 6; - nonzero_pis.insert( - block_number_key, - F::from_canonical_u64(public_values.block_metadata.block_number.low_u64() - 1), - ); + nonzero_pis.insert(block_number_key, F::NEG_ONE); block_inputs.set_proof_with_pis_target( &self.block.parent_block_proof, @@ -1366,26 +1066,13 @@ where block_inputs .set_verifier_data_target(&self.block.cyclic_vk, &self.block.circuit.verifier_only); - // This is basically identical to this block public values, apart from the `trie_roots_before` - // that may come from the previous proof, if any. - let block_public_values = PublicValues { - trie_roots_before: opt_parent_block_proof - .map(|p| TrieRoots::from_public_inputs(&p.public_inputs[0..TrieRootsTarget::SIZE])) - .unwrap_or(public_values.trie_roots_before), - ..public_values - }; - - set_public_value_targets( - &mut block_inputs, - &self.block.public_values, - &block_public_values, - ) - .map_err(|_| { - anyhow::Error::msg("Invalid conversion when setting public values targets.") - })?; + set_public_value_targets(&mut block_inputs, &self.block.public_values, &public_values) + .map_err(|_| { + anyhow::Error::msg("Invalid conversion when setting public values targets.") + })?; let block_proof = self.block.circuit.prove(block_inputs)?; - Ok((block_proof, block_public_values)) + Ok((block_proof, public_values)) } pub fn verify_block(&self, block_proof: &ProofWithPublicInputs) -> anyhow::Result<()> { @@ -1398,7 +1085,6 @@ where } } -/// A map between initial degree sizes and their associated shrinking recursion circuits. #[derive(Eq, PartialEq, Debug)] pub struct RecursiveCircuitsForTable where @@ -1408,7 +1094,7 @@ where { /// A map from `log_2(height)` to a chain of shrinking recursion circuits starting at that /// height. - pub by_stark_size: BTreeMap>, + by_stark_size: BTreeMap>, } impl RecursiveCircuitsForTable @@ -1417,7 +1103,7 @@ where C: GenericConfig, C::Hasher: AlgebraicHasher, { - fn to_buffer( + pub fn to_buffer( &self, buffer: &mut Vec, gate_serializer: &dyn GateSerializer, @@ -1431,7 +1117,7 @@ where Ok(()) } - fn from_buffer( + pub fn from_buffer( buffer: &mut Buffer, gate_serializer: &dyn GateSerializer, generator_serializer: &dyn WitnessGeneratorSerializer, @@ -1493,7 +1179,7 @@ where /// A chain of shrinking wrapper circuits, ending with a final circuit with `degree_bits` /// `THRESHOLD_DEGREE_BITS`. #[derive(Eq, PartialEq, Debug)] -pub struct RecursiveCircuitsForTableSize +struct RecursiveCircuitsForTableSize where F: RichField + Extendable, C: GenericConfig, @@ -1629,7 +1315,7 @@ where } } - pub fn shrink( + fn shrink( &self, stark_proof_with_metadata: &StarkProofWithMetadata, ctl_challenges: &GrandProductChallengeSet, diff --git a/evm/src/generation/mod.rs b/evm/src/generation/mod.rs deleted file mode 100644 index b63f48a1c7..0000000000 --- a/evm/src/generation/mod.rs +++ /dev/null @@ -1,419 +0,0 @@ -use std::collections::{BTreeSet, HashMap}; - -use anyhow::anyhow; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use plonky2::field::extension::Extendable; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use serde::{Deserialize, Serialize}; -use GlobalMetadata::{ - ReceiptTrieRootDigestAfter, ReceiptTrieRootDigestBefore, StateTrieRootDigestAfter, - StateTrieRootDigestBefore, TransactionTrieRootDigestAfter, TransactionTrieRootDigestBefore, -}; - -use crate::all_stark::{AllStark, NUM_TABLES}; -use crate::config::StarkConfig; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::generation::state::GenerationState; -use crate::generation::trie_extractor::{get_receipt_trie, get_state_trie, get_txn_trie}; -use crate::memory::segments::Segment; -use crate::proof::{BlockHashes, BlockMetadata, ExtraBlockData, PublicValues, TrieRoots}; -use crate::util::{h2u, u256_to_u8, u256_to_usize}; -use crate::witness::memory::{MemoryAddress, MemoryChannel}; -use crate::witness::transition::transition; - -pub mod mpt; -pub(crate) mod prover_input; -pub(crate) mod rlp; -pub(crate) mod state; -mod trie_extractor; - -use crate::witness::util::{mem_write_log, stack_peek}; - -/// Inputs needed for trace generation. -#[derive(Clone, Debug, Deserialize, Serialize, Default)] -pub struct GenerationInputs { - /// The index of the transaction being proven within its block. - pub txn_number_before: U256, - /// The cumulative gas used through the execution of all transactions prior the current one. - pub gas_used_before: U256, - /// The cumulative gas used after the execution of the current transaction. The exact gas used - /// by the current transaction is `gas_used_after` - `gas_used_before`. - pub gas_used_after: U256, - - /// A None would yield an empty proof, otherwise this contains the encoding of a transaction. - pub signed_txn: Option>, - /// Withdrawal pairs `(addr, amount)`. At the end of the txs, `amount` is added to `addr`'s balance. See EIP-4895. - pub withdrawals: Vec<(Address, U256)>, - pub tries: TrieInputs, - /// Expected trie roots after the transactions are executed. - pub trie_roots_after: TrieRoots, - - /// State trie root of the checkpoint block. - /// This could always be the genesis block of the chain, but it allows a prover to continue proving blocks - /// from certain checkpoint heights without requiring proofs for blocks past this checkpoint. - pub checkpoint_state_trie_root: H256, - - /// Mapping between smart contract code hashes and the contract byte code. - /// All account smart contracts that are invoked will have an entry present. - pub contract_code: HashMap>, - - /// Information contained in the block header. - pub block_metadata: BlockMetadata, - - /// The hash of the current block, and a list of the 256 previous block hashes. - pub block_hashes: BlockHashes, -} - -#[derive(Clone, Debug, Deserialize, Serialize, Default)] -pub struct TrieInputs { - /// A partial version of the state trie prior to these transactions. It should include all nodes - /// that will be accessed by these transactions. - pub state_trie: HashedPartialTrie, - - /// A partial version of the transaction trie prior to these transactions. It should include all - /// nodes that will be accessed by these transactions. - pub transactions_trie: HashedPartialTrie, - - /// A partial version of the receipt trie prior to these transactions. It should include all nodes - /// that will be accessed by these transactions. - pub receipts_trie: HashedPartialTrie, - - /// A partial version of each storage trie prior to these transactions. It should include all - /// storage tries, and nodes therein, that will be accessed by these transactions. - pub storage_tries: Vec<(H256, HashedPartialTrie)>, -} - -fn apply_metadata_and_tries_memops, const D: usize>( - state: &mut GenerationState, - inputs: &GenerationInputs, -) { - let metadata = &inputs.block_metadata; - let tries = &inputs.tries; - let trie_roots_after = &inputs.trie_roots_after; - let fields = [ - ( - GlobalMetadata::BlockBeneficiary, - U256::from_big_endian(&metadata.block_beneficiary.0), - ), - (GlobalMetadata::BlockTimestamp, metadata.block_timestamp), - (GlobalMetadata::BlockNumber, metadata.block_number), - (GlobalMetadata::BlockDifficulty, metadata.block_difficulty), - ( - GlobalMetadata::BlockRandom, - metadata.block_random.into_uint(), - ), - (GlobalMetadata::BlockGasLimit, metadata.block_gaslimit), - (GlobalMetadata::BlockChainId, metadata.block_chain_id), - (GlobalMetadata::BlockBaseFee, metadata.block_base_fee), - ( - GlobalMetadata::BlockCurrentHash, - h2u(inputs.block_hashes.cur_hash), - ), - (GlobalMetadata::BlockGasUsed, metadata.block_gas_used), - (GlobalMetadata::BlockGasUsedBefore, inputs.gas_used_before), - (GlobalMetadata::BlockGasUsedAfter, inputs.gas_used_after), - (GlobalMetadata::TxnNumberBefore, inputs.txn_number_before), - ( - GlobalMetadata::TxnNumberAfter, - inputs.txn_number_before + if inputs.signed_txn.is_some() { 1 } else { 0 }, - ), - ( - GlobalMetadata::StateTrieRootDigestBefore, - h2u(tries.state_trie.hash()), - ), - ( - GlobalMetadata::TransactionTrieRootDigestBefore, - h2u(tries.transactions_trie.hash()), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestBefore, - h2u(tries.receipts_trie.hash()), - ), - ( - GlobalMetadata::StateTrieRootDigestAfter, - h2u(trie_roots_after.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestAfter, - h2u(trie_roots_after.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestAfter, - h2u(trie_roots_after.receipts_root), - ), - (GlobalMetadata::KernelHash, h2u(KERNEL.code_hash)), - (GlobalMetadata::KernelLen, KERNEL.code.len().into()), - ]; - - let channel = MemoryChannel::GeneralPurpose(0); - let mut ops = fields - .map(|(field, val)| { - mem_write_log( - channel, - // These fields are already scaled by their segment, and are in context 0 (kernel). - MemoryAddress::new_bundle(U256::from(field as usize)).unwrap(), - state, - val, - ) - }) - .to_vec(); - - // Write the block's final block bloom filter. - ops.extend((0..8).map(|i| { - mem_write_log( - channel, - MemoryAddress::new(0, Segment::GlobalBlockBloom, i), - state, - metadata.block_bloom[i], - ) - })); - - // Write previous block hashes. - ops.extend( - (0..256) - .map(|i| { - mem_write_log( - channel, - MemoryAddress::new(0, Segment::BlockHashes, i), - state, - h2u(inputs.block_hashes.prev_hashes[i]), - ) - }) - .collect::>(), - ); - - state.memory.apply_ops(&ops); - state.traces.memory_ops.extend(ops); -} - -pub fn generate_traces, const D: usize>( - all_stark: &AllStark, - inputs: GenerationInputs, - config: &StarkConfig, - timing: &mut TimingTree, -) -> anyhow::Result<([Vec>; NUM_TABLES], PublicValues)> { - let mut state = GenerationState::::new(inputs.clone(), &KERNEL.code) - .map_err(|err| anyhow!("Failed to parse all the initial prover inputs: {:?}", err))?; - - apply_metadata_and_tries_memops(&mut state, &inputs); - - let cpu_res = timed!(timing, "simulate CPU", simulate_cpu(&mut state)); - if cpu_res.is_err() { - // Retrieve previous PC (before jumping to KernelPanic), to see if we reached `hash_final_tries`. - // We will output debugging information on the final tries only if we got a root mismatch. - let previous_pc = state - .traces - .cpu - .last() - .expect("We should have CPU rows") - .program_counter - .to_canonical_u64() as usize; - - if KERNEL.offset_name(previous_pc).contains("hash_final_tries") { - let state_trie_ptr = u256_to_usize( - state - .memory - .read_global_metadata(GlobalMetadata::StateTrieRoot), - ) - .map_err(|_| anyhow!("State trie pointer is too large to fit in a usize."))?; - log::debug!( - "Computed state trie: {:?}", - get_state_trie::(&state.memory, state_trie_ptr) - ); - - let txn_trie_ptr = u256_to_usize( - state - .memory - .read_global_metadata(GlobalMetadata::TransactionTrieRoot), - ) - .map_err(|_| anyhow!("Transactions trie pointer is too large to fit in a usize."))?; - log::debug!( - "Computed transactions trie: {:?}", - get_txn_trie::(&state.memory, txn_trie_ptr) - ); - - let receipt_trie_ptr = u256_to_usize( - state - .memory - .read_global_metadata(GlobalMetadata::ReceiptTrieRoot), - ) - .map_err(|_| anyhow!("Receipts trie pointer is too large to fit in a usize."))?; - log::debug!( - "Computed receipts trie: {:?}", - get_receipt_trie::(&state.memory, receipt_trie_ptr) - ); - } - - cpu_res?; - } - - log::info!( - "Trace lengths (before padding): {:?}", - state.traces.get_lengths() - ); - - let read_metadata = |field| state.memory.read_global_metadata(field); - let trie_roots_before = TrieRoots { - state_root: H256::from_uint(&read_metadata(StateTrieRootDigestBefore)), - transactions_root: H256::from_uint(&read_metadata(TransactionTrieRootDigestBefore)), - receipts_root: H256::from_uint(&read_metadata(ReceiptTrieRootDigestBefore)), - }; - let trie_roots_after = TrieRoots { - state_root: H256::from_uint(&read_metadata(StateTrieRootDigestAfter)), - transactions_root: H256::from_uint(&read_metadata(TransactionTrieRootDigestAfter)), - receipts_root: H256::from_uint(&read_metadata(ReceiptTrieRootDigestAfter)), - }; - - let gas_used_after = read_metadata(GlobalMetadata::BlockGasUsedAfter); - let txn_number_after = read_metadata(GlobalMetadata::TxnNumberAfter); - - let extra_block_data = ExtraBlockData { - checkpoint_state_trie_root: inputs.checkpoint_state_trie_root, - txn_number_before: inputs.txn_number_before, - txn_number_after, - gas_used_before: inputs.gas_used_before, - gas_used_after, - }; - - let public_values = PublicValues { - trie_roots_before, - trie_roots_after, - block_metadata: inputs.block_metadata, - block_hashes: inputs.block_hashes, - extra_block_data, - }; - - let tables = timed!( - timing, - "convert trace data to tables", - state.traces.into_tables(all_stark, config, timing) - ); - Ok((tables, public_values)) -} - -fn simulate_cpu(state: &mut GenerationState) -> anyhow::Result<()> { - let halt_pc = KERNEL.global_labels["halt"]; - - loop { - // If we've reached the kernel's halt routine, and our trace length is a power of 2, stop. - let pc = state.registers.program_counter; - let halt = state.registers.is_kernel && pc == halt_pc; - if halt { - log::info!("CPU halted after {} cycles", state.traces.clock()); - - // Padding - let mut row = CpuColumnsView::::default(); - row.clock = F::from_canonical_usize(state.traces.clock()); - row.context = F::from_canonical_usize(state.registers.context); - row.program_counter = F::from_canonical_usize(pc); - row.is_kernel_mode = F::ONE; - row.gas = F::from_canonical_u64(state.registers.gas_used); - row.stack_len = F::from_canonical_usize(state.registers.stack_len); - - loop { - state.traces.push_cpu(row); - row.clock += F::ONE; - if state.traces.clock().is_power_of_two() { - break; - } - } - - log::info!("CPU trace padded to {} cycles", state.traces.clock()); - - return Ok(()); - } - - transition(state)?; - } -} - -fn simulate_cpu_between_labels_and_get_user_jumps( - initial_label: &str, - final_label: &str, - state: &mut GenerationState, -) -> Option>> { - if state.jumpdest_table.is_some() { - None - } else { - const JUMP_OPCODE: u8 = 0x56; - const JUMPI_OPCODE: u8 = 0x57; - - let halt_pc = KERNEL.global_labels[final_label]; - let mut jumpdest_addresses: HashMap<_, BTreeSet> = HashMap::new(); - - state.registers.program_counter = KERNEL.global_labels[initial_label]; - let initial_clock = state.traces.clock(); - let initial_context = state.registers.context; - - log::debug!("Simulating CPU for jumpdest analysis."); - - loop { - // skip jumpdest table validations in simulations - if state.registers.is_kernel - && state.registers.program_counter == KERNEL.global_labels["jumpdest_analysis"] - { - state.registers.program_counter = KERNEL.global_labels["jumpdest_analysis_end"] - } - let pc = state.registers.program_counter; - let context = state.registers.context; - let halt = state.registers.is_kernel - && pc == halt_pc - && state.registers.context == initial_context; - let Ok(opcode) = u256_to_u8(state.memory.get(MemoryAddress::new( - context, - Segment::Code, - state.registers.program_counter, - ))) else { - log::debug!( - "Simulated CPU for jumpdest analysis halted after {} cycles", - state.traces.clock() - initial_clock - ); - return Some(jumpdest_addresses); - }; - let cond = if let Ok(cond) = stack_peek(state, 1) { - cond != U256::zero() - } else { - false - }; - if !state.registers.is_kernel - && (opcode == JUMP_OPCODE || (opcode == JUMPI_OPCODE && cond)) - { - // Avoid deeper calls to abort - let Ok(jumpdest) = u256_to_usize(state.registers.stack_top) else { - log::debug!( - "Simulated CPU for jumpdest analysis halted after {} cycles", - state.traces.clock() - initial_clock - ); - return Some(jumpdest_addresses); - }; - state.memory.set( - MemoryAddress::new(context, Segment::JumpdestBits, jumpdest), - U256::one(), - ); - let jumpdest_opcode = - state - .memory - .get(MemoryAddress::new(context, Segment::Code, jumpdest)); - if let Some(ctx_addresses) = jumpdest_addresses.get_mut(&context) { - ctx_addresses.insert(jumpdest); - } else { - jumpdest_addresses.insert(context, BTreeSet::from([jumpdest])); - } - } - if halt || transition(state).is_err() { - log::debug!( - "Simulated CPU for jumpdest analysis halted after {} cycles", - state.traces.clock() - initial_clock - ); - return Some(jumpdest_addresses); - } - } - } -} diff --git a/evm/src/generation/mpt.rs b/evm/src/generation/mpt.rs deleted file mode 100644 index ee530ddef5..0000000000 --- a/evm/src/generation/mpt.rs +++ /dev/null @@ -1,427 +0,0 @@ -use core::ops::Deref; -use std::collections::HashMap; - -use bytes::Bytes; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256, U512}; -use keccak_hash::keccak; -use rlp::{Decodable, DecoderError, Encodable, PayloadInfo, Rlp, RlpStream}; -use rlp_derive::{RlpDecodable, RlpEncodable}; - -use crate::cpu::kernel::constants::trie_type::PartialTrieType; -use crate::generation::TrieInputs; -use crate::util::h2u; -use crate::witness::errors::{ProgramError, ProverInputError}; -use crate::Node; - -#[derive(RlpEncodable, RlpDecodable, Debug)] -pub struct AccountRlp { - pub nonce: U256, - pub balance: U256, - pub storage_root: H256, - pub code_hash: H256, -} - -#[derive(Clone, Debug)] -pub struct TrieRootPtrs { - pub state_root_ptr: usize, - pub txn_root_ptr: usize, - pub receipt_root_ptr: usize, -} - -impl Default for AccountRlp { - fn default() -> Self { - Self { - nonce: U256::zero(), - balance: U256::zero(), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak([]), - } - } -} - -#[derive(RlpEncodable, RlpDecodable, Debug, Clone)] -pub struct LogRlp { - pub address: Address, - pub topics: Vec, - pub data: Bytes, -} - -#[derive(RlpEncodable, RlpDecodable, Debug, Clone)] -pub struct LegacyReceiptRlp { - pub status: bool, - pub cum_gas_used: U256, - pub bloom: Bytes, - pub logs: Vec, -} - -impl LegacyReceiptRlp { - // RLP encode the receipt and prepend the tx type. - pub fn encode(&self, tx_type: u8) -> Vec { - let mut bytes = rlp::encode(self).to_vec(); - if tx_type != 0 { - bytes.insert(0, tx_type); - } - bytes - } -} - -pub(crate) fn parse_receipts(rlp: &[u8]) -> Result, ProgramError> { - let txn_type = match rlp.first().ok_or(ProgramError::InvalidRlp)? { - 1 => 1, - 2 => 2, - _ => 0, - }; - - // If this is not a legacy transaction, we skip the leading byte. - let rlp = if txn_type == 0 { rlp } else { &rlp[1..] }; - - let payload_info = PayloadInfo::from(rlp).map_err(|_| ProgramError::InvalidRlp)?; - let decoded_receipt: LegacyReceiptRlp = - rlp::decode(rlp).map_err(|_| ProgramError::InvalidRlp)?; - - let mut parsed_receipt = if txn_type == 0 { - Vec::new() - } else { - vec![txn_type.into()] - }; - - parsed_receipt.push(payload_info.value_len.into()); // payload_len of the entire receipt - parsed_receipt.push((decoded_receipt.status as u8).into()); - parsed_receipt.push(decoded_receipt.cum_gas_used); - parsed_receipt.extend(decoded_receipt.bloom.iter().map(|byte| U256::from(*byte))); - let encoded_logs = rlp::encode_list(&decoded_receipt.logs); - let logs_payload_info = - PayloadInfo::from(&encoded_logs).map_err(|_| ProgramError::InvalidRlp)?; - parsed_receipt.push(logs_payload_info.value_len.into()); // payload_len of all the logs - parsed_receipt.push(decoded_receipt.logs.len().into()); - - for log in decoded_receipt.logs { - let encoded_log = rlp::encode(&log); - let log_payload_info = - PayloadInfo::from(&encoded_log).map_err(|_| ProgramError::InvalidRlp)?; - parsed_receipt.push(log_payload_info.value_len.into()); // payload of one log - parsed_receipt.push(U256::from_big_endian(&log.address.to_fixed_bytes())); - parsed_receipt.push(log.topics.len().into()); - parsed_receipt.extend(log.topics.iter().map(|topic| U256::from(topic.as_bytes()))); - parsed_receipt.push(log.data.len().into()); - parsed_receipt.extend(log.data.iter().map(|byte| U256::from(*byte))); - } - - Ok(parsed_receipt) -} - -fn parse_storage_value(value_rlp: &[u8]) -> Result, ProgramError> { - let value: U256 = rlp::decode(value_rlp).map_err(|_| ProgramError::InvalidRlp)?; - Ok(vec![value]) -} - -const fn empty_nibbles() -> Nibbles { - Nibbles { - count: 0, - packed: U512::zero(), - } -} - -fn load_mpt( - trie: &HashedPartialTrie, - trie_data: &mut Vec, - parse_value: &F, -) -> Result -where - F: Fn(&[u8]) -> Result, ProgramError>, -{ - let node_ptr = trie_data.len(); - let type_of_trie = PartialTrieType::of(trie) as u32; - if type_of_trie > 0 { - trie_data.push(type_of_trie.into()); - } - - match trie.deref() { - Node::Empty => Ok(0), - Node::Hash(h) => { - trie_data.push(h2u(*h)); - - Ok(node_ptr) - } - Node::Branch { children, value } => { - // First, set children pointers to 0. - let first_child_ptr = trie_data.len(); - trie_data.extend(vec![U256::zero(); 16]); - // Then, set value. - if value.is_empty() { - trie_data.push(U256::zero()); - } else { - let parsed_value = parse_value(value)?; - trie_data.push((trie_data.len() + 1).into()); - trie_data.extend(parsed_value); - } - - // Now, load all children and update their pointers. - for (i, child) in children.iter().enumerate() { - let child_ptr = load_mpt(child, trie_data, parse_value)?; - trie_data[first_child_ptr + i] = child_ptr.into(); - } - - Ok(node_ptr) - } - - Node::Extension { nibbles, child } => { - trie_data.push(nibbles.count.into()); - trie_data.push( - nibbles - .try_into_u256() - .map_err(|_| ProgramError::IntegerTooLarge)?, - ); - trie_data.push((trie_data.len() + 1).into()); - - let child_ptr = load_mpt(child, trie_data, parse_value)?; - if child_ptr == 0 { - trie_data.push(0.into()); - } - - Ok(node_ptr) - } - Node::Leaf { nibbles, value } => { - trie_data.push(nibbles.count.into()); - trie_data.push( - nibbles - .try_into_u256() - .map_err(|_| ProgramError::IntegerTooLarge)?, - ); - - // Set `value_ptr_ptr`. - trie_data.push((trie_data.len() + 1).into()); - - let leaf = parse_value(value)?; - trie_data.extend(leaf); - - Ok(node_ptr) - } - } -} - -fn load_state_trie( - trie: &HashedPartialTrie, - key: Nibbles, - trie_data: &mut Vec, - storage_tries_by_state_key: &HashMap, -) -> Result { - let node_ptr = trie_data.len(); - let type_of_trie = PartialTrieType::of(trie) as u32; - if type_of_trie > 0 { - trie_data.push(type_of_trie.into()); - } - match trie.deref() { - Node::Empty => Ok(0), - Node::Hash(h) => { - trie_data.push(h2u(*h)); - - Ok(node_ptr) - } - Node::Branch { children, value } => { - if !value.is_empty() { - return Err(ProgramError::ProverInputError( - ProverInputError::InvalidMptInput, - )); - } - // First, set children pointers to 0. - let first_child_ptr = trie_data.len(); - trie_data.extend(vec![U256::zero(); 16]); - // Then, set value pointer to 0. - trie_data.push(U256::zero()); - - // Now, load all children and update their pointers. - for (i, child) in children.iter().enumerate() { - let extended_key = key.merge_nibbles(&Nibbles { - count: 1, - packed: i.into(), - }); - let child_ptr = - load_state_trie(child, extended_key, trie_data, storage_tries_by_state_key)?; - - trie_data[first_child_ptr + i] = child_ptr.into(); - } - - Ok(node_ptr) - } - Node::Extension { nibbles, child } => { - trie_data.push(nibbles.count.into()); - trie_data.push( - nibbles - .try_into_u256() - .map_err(|_| ProgramError::IntegerTooLarge)?, - ); - // Set `value_ptr_ptr`. - trie_data.push((trie_data.len() + 1).into()); - let extended_key = key.merge_nibbles(nibbles); - let child_ptr = - load_state_trie(child, extended_key, trie_data, storage_tries_by_state_key)?; - if child_ptr == 0 { - trie_data.push(0.into()); - } - - Ok(node_ptr) - } - Node::Leaf { nibbles, value } => { - let account: AccountRlp = rlp::decode(value).map_err(|_| ProgramError::InvalidRlp)?; - let AccountRlp { - nonce, - balance, - storage_root, - code_hash, - } = account; - - let storage_hash_only = HashedPartialTrie::new(Node::Hash(storage_root)); - let merged_key = key.merge_nibbles(nibbles); - let storage_trie: &HashedPartialTrie = storage_tries_by_state_key - .get(&merged_key) - .copied() - .unwrap_or(&storage_hash_only); - - assert_eq!(storage_trie.hash(), storage_root, - "In TrieInputs, an account's storage_root didn't match the associated storage trie hash"); - - trie_data.push(nibbles.count.into()); - trie_data.push( - nibbles - .try_into_u256() - .map_err(|_| ProgramError::IntegerTooLarge)?, - ); - // Set `value_ptr_ptr`. - trie_data.push((trie_data.len() + 1).into()); - - trie_data.push(nonce); - trie_data.push(balance); - // Storage trie ptr. - let storage_ptr_ptr = trie_data.len(); - trie_data.push((trie_data.len() + 2).into()); - trie_data.push(code_hash.into_uint()); - let storage_ptr = load_mpt(storage_trie, trie_data, &parse_storage_value)?; - if storage_ptr == 0 { - trie_data[storage_ptr_ptr] = 0.into(); - } - - Ok(node_ptr) - } - } -} - -pub(crate) fn load_all_mpts( - trie_inputs: &TrieInputs, -) -> Result<(TrieRootPtrs, Vec), ProgramError> { - let mut trie_data = vec![U256::zero()]; - let storage_tries_by_state_key = trie_inputs - .storage_tries - .iter() - .map(|(hashed_address, storage_trie)| { - let key = Nibbles::from_bytes_be(hashed_address.as_bytes()) - .expect("An H256 is 32 bytes long"); - (key, storage_trie) - }) - .collect(); - - let state_root_ptr = load_state_trie( - &trie_inputs.state_trie, - empty_nibbles(), - &mut trie_data, - &storage_tries_by_state_key, - )?; - - let txn_root_ptr = load_mpt(&trie_inputs.transactions_trie, &mut trie_data, &|rlp| { - let mut parsed_txn = vec![U256::from(rlp.len())]; - parsed_txn.extend(rlp.iter().copied().map(U256::from)); - Ok(parsed_txn) - })?; - - let receipt_root_ptr = load_mpt(&trie_inputs.receipts_trie, &mut trie_data, &parse_receipts)?; - - let trie_root_ptrs = TrieRootPtrs { - state_root_ptr, - txn_root_ptr, - receipt_root_ptr, - }; - - Ok((trie_root_ptrs, trie_data)) -} - -pub mod transaction_testing { - use super::*; - - #[derive(RlpEncodable, RlpDecodable, Debug, Clone, PartialEq, Eq)] - pub struct AccessListItemRlp { - pub address: Address, - pub storage_keys: Vec, - } - - #[derive(Debug, Clone, PartialEq, Eq)] - pub struct AddressOption(pub Option

); - - impl Encodable for AddressOption { - fn rlp_append(&self, s: &mut RlpStream) { - match self.0 { - None => s.encoder().encode_value(&[]), - Some(value) => { - s.encoder().encode_value(&value.to_fixed_bytes()); - } - } - } - } - - impl Decodable for AddressOption { - fn decode(rlp: &Rlp) -> Result { - if rlp.is_int() && rlp.is_empty() { - return Ok(AddressOption(None)); - } - if rlp.is_data() && rlp.size() == 20 { - return Ok(AddressOption(Some(Address::decode(rlp)?))); - } - Err(DecoderError::RlpExpectedToBeData) - } - } - - #[derive(RlpEncodable, RlpDecodable, Debug, Clone, PartialEq, Eq)] - pub struct LegacyTransactionRlp { - pub nonce: U256, - pub gas_price: U256, - pub gas: U256, - pub to: AddressOption, - pub value: U256, - pub data: Bytes, - pub v: U256, - pub r: U256, - pub s: U256, - } - - #[derive(RlpEncodable, RlpDecodable, Debug, Clone, PartialEq, Eq)] - pub struct AccessListTransactionRlp { - pub chain_id: u64, - pub nonce: U256, - pub gas_price: U256, - pub gas: U256, - pub to: AddressOption, - pub value: U256, - pub data: Bytes, - pub access_list: Vec, - pub y_parity: U256, - pub r: U256, - pub s: U256, - } - - #[derive(RlpEncodable, RlpDecodable, Debug, Clone, PartialEq, Eq)] - pub struct FeeMarketTransactionRlp { - pub chain_id: u64, - pub nonce: U256, - pub max_priority_fee_per_gas: U256, - pub max_fee_per_gas: U256, - pub gas: U256, - pub to: AddressOption, - pub value: U256, - pub data: Bytes, - pub access_list: Vec, - pub y_parity: U256, - pub r: U256, - pub s: U256, - } -} diff --git a/evm/src/generation/prover_input.rs b/evm/src/generation/prover_input.rs deleted file mode 100644 index 9662d6b6b7..0000000000 --- a/evm/src/generation/prover_input.rs +++ /dev/null @@ -1,610 +0,0 @@ -use core::mem::transmute; -use std::collections::{BTreeSet, HashMap}; -use std::str::FromStr; - -use anyhow::{bail, Error}; -use ethereum_types::{BigEndianHash, H256, U256, U512}; -use itertools::Itertools; -use num_bigint::BigUint; -use plonky2::field::types::Field; -use serde::{Deserialize, Serialize}; - -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::extension_tower::{FieldExt, Fp12, BLS381, BN254}; -use crate::generation::prover_input::EvmField::{ - Bls381Base, Bls381Scalar, Bn254Base, Bn254Scalar, Secp256k1Base, Secp256k1Scalar, -}; -use crate::generation::prover_input::FieldOp::{Inverse, Sqrt}; -use crate::generation::simulate_cpu_between_labels_and_get_user_jumps; -use crate::generation::state::GenerationState; -use crate::memory::segments::Segment; -use crate::memory::segments::Segment::BnPairing; -use crate::util::{biguint_to_mem_vec, mem_vec_to_biguint, u256_to_u8, u256_to_usize}; -use crate::witness::errors::ProverInputError::*; -use crate::witness::errors::{ProgramError, ProverInputError}; -use crate::witness::memory::MemoryAddress; -use crate::witness::operation::CONTEXT_SCALING_FACTOR; -use crate::witness::util::{current_context_peek, stack_peek}; - -/// Prover input function represented as a scoped function name. -/// Example: `PROVER_INPUT(ff::bn254_base::inverse)` is represented as `ProverInputFn([ff, bn254_base, inverse])`. -#[derive(PartialEq, Eq, Debug, Clone, Serialize, Deserialize)] -pub struct ProverInputFn(Vec); - -impl From> for ProverInputFn { - fn from(v: Vec) -> Self { - Self(v) - } -} - -impl GenerationState { - pub(crate) fn prover_input(&mut self, input_fn: &ProverInputFn) -> Result { - match input_fn.0[0].as_str() { - "no_txn" => self.no_txn(), - "trie_ptr" => self.run_trie_ptr(input_fn), - "ff" => self.run_ff(input_fn), - "sf" => self.run_sf(input_fn), - "ffe" => self.run_ffe(input_fn), - "rlp" => self.run_rlp(), - "current_hash" => self.run_current_hash(), - "account_code" => self.run_account_code(), - "bignum_modmul" => self.run_bignum_modmul(), - "withdrawal" => self.run_withdrawal(), - "num_bits" => self.run_num_bits(), - "jumpdest_table" => self.run_jumpdest_table(input_fn), - _ => Err(ProgramError::ProverInputError(InvalidFunction)), - } - } - - fn no_txn(&mut self) -> Result { - Ok(U256::from(self.inputs.signed_txn.is_none() as u8)) - } - - fn run_trie_ptr(&mut self, input_fn: &ProverInputFn) -> Result { - let trie = input_fn.0[1].as_str(); - match trie { - "state" => Ok(U256::from(self.trie_root_ptrs.state_root_ptr)), - "txn" => Ok(U256::from(self.trie_root_ptrs.txn_root_ptr)), - "receipt" => Ok(U256::from(self.trie_root_ptrs.receipt_root_ptr)), - _ => Err(ProgramError::ProverInputError(InvalidInput)), - } - } - - /// Finite field operations. - fn run_ff(&self, input_fn: &ProverInputFn) -> Result { - let field = EvmField::from_str(input_fn.0[1].as_str()) - .map_err(|_| ProgramError::ProverInputError(InvalidFunction))?; - let op = FieldOp::from_str(input_fn.0[2].as_str()) - .map_err(|_| ProgramError::ProverInputError(InvalidFunction))?; - let x = stack_peek(self, 0)?; - field.op(op, x) - } - - /// Special finite field operations. - fn run_sf(&self, input_fn: &ProverInputFn) -> Result { - let field = EvmField::from_str(input_fn.0[1].as_str()) - .map_err(|_| ProgramError::ProverInputError(InvalidFunction))?; - let inputs: [U256; 4] = match field { - Bls381Base => (0..4) - .map(|i| stack_peek(self, i)) - .collect::, _>>()? - .try_into() - .unwrap(), - _ => todo!(), - }; - let res = match input_fn.0[2].as_str() { - "add_lo" => field.add_lo(inputs), - "add_hi" => field.add_hi(inputs), - "mul_lo" => field.mul_lo(inputs), - "mul_hi" => field.mul_hi(inputs), - "sub_lo" => field.sub_lo(inputs), - "sub_hi" => field.sub_hi(inputs), - _ => return Err(ProgramError::ProverInputError(InvalidFunction)), - }; - - Ok(res) - } - - /// Finite field extension operations. - fn run_ffe(&self, input_fn: &ProverInputFn) -> Result { - let field = EvmField::from_str(input_fn.0[1].as_str()) - .map_err(|_| ProgramError::ProverInputError(InvalidFunction))?; - let n = input_fn.0[2] - .as_str() - .split('_') - .nth(1) - .unwrap() - .parse::() - .unwrap(); - let ptr = stack_peek(self, 11 - n).map(u256_to_usize)??; - - let f: [U256; 12] = match field { - Bn254Base => std::array::from_fn(|i| current_context_peek(self, BnPairing, ptr + i)), - _ => todo!(), - }; - Ok(field.field_extension_inverse(n, f)) - } - - /// RLP data. - fn run_rlp(&mut self) -> Result { - self.rlp_prover_inputs - .pop() - .ok_or(ProgramError::ProverInputError(OutOfRlpData)) - } - - fn run_current_hash(&mut self) -> Result { - Ok(U256::from_big_endian(&self.inputs.block_hashes.cur_hash.0)) - } - - /// Account code loading. - /// Initializes the code segment of the given context with the code corresponding - /// to the provided hash. - /// Returns the length of the code. - fn run_account_code(&mut self) -> Result { - // stack: codehash, ctx, ... - let codehash = stack_peek(self, 0)?; - let context = stack_peek(self, 1)? >> CONTEXT_SCALING_FACTOR; - let context = u256_to_usize(context)?; - let mut address = MemoryAddress::new(context, Segment::Code, 0); - let code = self - .inputs - .contract_code - .get(&H256::from_uint(&codehash)) - .ok_or(ProgramError::ProverInputError(CodeHashNotFound))?; - for &byte in code { - self.memory.set(address, byte.into()); - address.increment(); - } - Ok(code.len().into()) - } - - // Bignum modular multiplication. - // On the first call, calculates the remainder and quotient of the given inputs. - // These are stored, as limbs, in self.bignum_modmul_result_limbs. - // Subsequent calls return one limb at a time, in order (first remainder and then quotient). - fn run_bignum_modmul(&mut self) -> Result { - if self.bignum_modmul_result_limbs.is_empty() { - let len = stack_peek(self, 2).map(u256_to_usize)??; - let a_start_loc = stack_peek(self, 3).map(u256_to_usize)??; - let b_start_loc = stack_peek(self, 4).map(u256_to_usize)??; - let m_start_loc = stack_peek(self, 5).map(u256_to_usize)??; - - let (remainder, quotient) = - self.bignum_modmul(len, a_start_loc, b_start_loc, m_start_loc); - - self.bignum_modmul_result_limbs = remainder - .iter() - .cloned() - .pad_using(len, |_| 0.into()) - .chain(quotient.iter().cloned().pad_using(2 * len, |_| 0.into())) - .collect(); - self.bignum_modmul_result_limbs.reverse(); - } - - self.bignum_modmul_result_limbs - .pop() - .ok_or(ProgramError::ProverInputError(InvalidInput)) - } - - fn bignum_modmul( - &mut self, - len: usize, - a_start_loc: usize, - b_start_loc: usize, - m_start_loc: usize, - ) -> (Vec, Vec) { - let n = self.memory.contexts.len(); - let a = &self.memory.contexts[n - 1].segments[Segment::KernelGeneral.unscale()].content - [a_start_loc..a_start_loc + len]; - let b = &self.memory.contexts[n - 1].segments[Segment::KernelGeneral.unscale()].content - [b_start_loc..b_start_loc + len]; - let m = &self.memory.contexts[n - 1].segments[Segment::KernelGeneral.unscale()].content - [m_start_loc..m_start_loc + len]; - - let a_biguint = mem_vec_to_biguint(a); - let b_biguint = mem_vec_to_biguint(b); - let m_biguint = mem_vec_to_biguint(m); - - let prod = a_biguint * b_biguint; - let quo = if m_biguint == BigUint::default() { - BigUint::default() - } else { - &prod / &m_biguint - }; - let rem = prod - m_biguint * &quo; - - (biguint_to_mem_vec(rem), biguint_to_mem_vec(quo)) - } - - /// Withdrawal data. - fn run_withdrawal(&mut self) -> Result { - self.withdrawal_prover_inputs - .pop() - .ok_or(ProgramError::ProverInputError(OutOfWithdrawalData)) - } - - /// Return the number of bits of the top of the stack or an error if - /// the top of the stack is zero or empty. - fn run_num_bits(&mut self) -> Result { - let value = stack_peek(self, 0)?; - if value.is_zero() { - Err(ProgramError::ProverInputError(NumBitsError)) - } else { - let num_bits = value.bits(); - Ok(num_bits.into()) - } - } - - /// Generate either the next used jump address or the proof for the last jump address. - fn run_jumpdest_table(&mut self, input_fn: &ProverInputFn) -> Result { - match input_fn.0[1].as_str() { - "next_address" => self.run_next_jumpdest_table_address(), - "next_proof" => self.run_next_jumpdest_table_proof(), - _ => Err(ProgramError::ProverInputError(InvalidInput)), - } - } - - /// Returns the next used jump address. - fn run_next_jumpdest_table_address(&mut self) -> Result { - let context = u256_to_usize(stack_peek(self, 0)? >> CONTEXT_SCALING_FACTOR)?; - - if self.jumpdest_table.is_none() { - self.generate_jumpdest_table()?; - } - - let Some(jumpdest_table) = &mut self.jumpdest_table else { - return Err(ProgramError::ProverInputError( - ProverInputError::InvalidJumpdestSimulation, - )); - }; - - if let Some(ctx_jumpdest_table) = jumpdest_table.get_mut(&context) - && let Some(next_jumpdest_address) = ctx_jumpdest_table.pop() - { - Ok((next_jumpdest_address + 1).into()) - } else { - self.jumpdest_table = None; - Ok(U256::zero()) - } - } - - /// Returns the proof for the last jump address. - fn run_next_jumpdest_table_proof(&mut self) -> Result { - let context = u256_to_usize(stack_peek(self, 1)? >> CONTEXT_SCALING_FACTOR)?; - let Some(jumpdest_table) = &mut self.jumpdest_table else { - return Err(ProgramError::ProverInputError( - ProverInputError::InvalidJumpdestSimulation, - )); - }; - if let Some(ctx_jumpdest_table) = jumpdest_table.get_mut(&context) - && let Some(next_jumpdest_proof) = ctx_jumpdest_table.pop() - { - Ok(next_jumpdest_proof.into()) - } else { - Err(ProgramError::ProverInputError( - ProverInputError::InvalidJumpdestSimulation, - )) - } - } -} - -impl GenerationState { - /// Simulate the user's code and store all the jump addresses with their respective contexts. - fn generate_jumpdest_table(&mut self) -> Result<(), ProgramError> { - let checkpoint = self.checkpoint(); - let memory = self.memory.clone(); - - // Simulate the user's code and (unnecessarily) part of the kernel code, skipping the validate table call - let Some(jumpdest_table) = simulate_cpu_between_labels_and_get_user_jumps( - "jumpdest_analysis_end", - "terminate_common", - self, - ) else { - self.jumpdest_table = Some(HashMap::new()); - return Ok(()); - }; - - // Return to the state before starting the simulation - self.rollback(checkpoint); - self.memory = memory; - - // Find proofs for all contexts - self.set_jumpdest_analysis_inputs(jumpdest_table); - - Ok(()) - } - - /// Given a HashMap containing the contexts and the jumpdest addresses, compute their respective proofs, - /// by calling `get_proofs_and_jumpdests` - pub(crate) fn set_jumpdest_analysis_inputs( - &mut self, - jumpdest_table: HashMap>, - ) { - self.jumpdest_table = Some(HashMap::from_iter(jumpdest_table.into_iter().map( - |(ctx, jumpdest_table)| { - let code = self.get_code(ctx).unwrap(); - if let Some(&largest_address) = jumpdest_table.last() { - let proofs = get_proofs_and_jumpdests(&code, largest_address, jumpdest_table); - (ctx, proofs) - } else { - (ctx, vec![]) - } - }, - ))); - } - - fn get_code(&self, context: usize) -> Result, ProgramError> { - let code_len = self.get_code_len(context)?; - let code = (0..code_len) - .map(|i| { - u256_to_u8( - self.memory - .get(MemoryAddress::new(context, Segment::Code, i)), - ) - }) - .collect::, _>>()?; - Ok(code) - } - - fn get_code_len(&self, context: usize) -> Result { - let code_len = u256_to_usize(self.memory.get(MemoryAddress::new( - context, - Segment::ContextMetadata, - ContextMetadata::CodeSize.unscale(), - )))?; - Ok(code_len) - } -} - -/// For all address in `jumpdest_table`, each bounded by `largest_address`, -/// this function searches for a proof. A proof is the closest address -/// for which none of the previous 32 bytes in the code (including opcodes -/// and pushed bytes) are PUSHXX and the address is in its range. It returns -/// a vector of even size containing proofs followed by their addresses. -fn get_proofs_and_jumpdests( - code: &[u8], - largest_address: usize, - jumpdest_table: std::collections::BTreeSet, -) -> Vec { - const PUSH1_OPCODE: u8 = 0x60; - const PUSH32_OPCODE: u8 = 0x7f; - let (proofs, _) = CodeIterator::until(code, largest_address + 1).fold( - (vec![], 0), - |(mut proofs, acc), (pos, _opcode)| { - let has_prefix = if let Some(prefix_start) = pos.checked_sub(32) { - code[prefix_start..pos] - .iter() - .enumerate() - .fold(true, |acc, (prefix_pos, &byte)| { - let cond1 = byte > PUSH32_OPCODE; - let cond2 = (prefix_start + prefix_pos) as i32 - + (byte as i32 - PUSH1_OPCODE as i32) - + 1 - < pos as i32; - acc && (cond1 || cond2) - }) - } else { - false - }; - let acc = if has_prefix { pos - 32 } else { acc }; - if jumpdest_table.contains(&pos) { - // Push the proof - proofs.push(acc); - // Push the address - proofs.push(pos); - } - (proofs, acc) - }, - ); - proofs -} - -/// An iterator over the EVM code contained in `code`, which skips the bytes -/// that are the arguments of a PUSHXX opcode. -struct CodeIterator<'a> { - code: &'a [u8], - pos: usize, - end: usize, -} - -impl<'a> CodeIterator<'a> { - fn new(code: &'a [u8]) -> Self { - CodeIterator { - end: code.len(), - code, - pos: 0, - } - } - fn until(code: &'a [u8], end: usize) -> Self { - CodeIterator { - end: std::cmp::min(code.len(), end), - code, - pos: 0, - } - } -} - -impl<'a> Iterator for CodeIterator<'a> { - type Item = (usize, u8); - - fn next(&mut self) -> Option { - const PUSH1_OPCODE: u8 = 0x60; - const PUSH32_OPCODE: u8 = 0x7f; - let CodeIterator { code, pos, end } = self; - if *pos >= *end { - return None; - } - let opcode = code[*pos]; - let old_pos = *pos; - *pos += if (PUSH1_OPCODE..=PUSH32_OPCODE).contains(&opcode) { - (opcode - PUSH1_OPCODE + 2).into() - } else { - 1 - }; - Some((old_pos, opcode)) - } -} - -enum EvmField { - Bls381Base, - Bls381Scalar, - Bn254Base, - Bn254Scalar, - Secp256k1Base, - Secp256k1Scalar, -} - -enum FieldOp { - Inverse, - Sqrt, -} - -impl FromStr for EvmField { - type Err = Error; - - fn from_str(s: &str) -> Result { - Ok(match s { - "bls381_base" => Bls381Base, - "bls381_scalar" => Bls381Scalar, - "bn254_base" => Bn254Base, - "bn254_scalar" => Bn254Scalar, - "secp256k1_base" => Secp256k1Base, - "secp256k1_scalar" => Secp256k1Scalar, - _ => bail!("Unrecognized field."), - }) - } -} - -impl FromStr for FieldOp { - type Err = Error; - - fn from_str(s: &str) -> Result { - Ok(match s { - "inverse" => Inverse, - "sqrt" => Sqrt, - _ => bail!("Unrecognized field operation."), - }) - } -} - -impl EvmField { - fn order(&self) -> U256 { - match self { - EvmField::Bls381Base => todo!(), - EvmField::Bls381Scalar => todo!(), - EvmField::Bn254Base => { - U256::from_str("0x30644e72e131a029b85045b68181585d97816a916871ca8d3c208c16d87cfd47") - .unwrap() - } - EvmField::Bn254Scalar => todo!(), - EvmField::Secp256k1Base => { - U256::from_str("0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f") - .unwrap() - } - EvmField::Secp256k1Scalar => { - U256::from_str("0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141") - .unwrap() - } - } - } - - fn op(&self, op: FieldOp, x: U256) -> Result { - match op { - FieldOp::Inverse => self.inverse(x), - FieldOp::Sqrt => self.sqrt(x), - } - } - - fn inverse(&self, x: U256) -> Result { - let n = self.order(); - if x >= n { - return Err(ProgramError::ProverInputError(InvalidInput)); - }; - modexp(x, n - 2, n) - } - - fn sqrt(&self, x: U256) -> Result { - let n = self.order(); - if x >= n { - return Err(ProgramError::ProverInputError(InvalidInput)); - }; - let (q, r) = (n + 1).div_mod(4.into()); - - if !r.is_zero() { - return Err(ProgramError::ProverInputError(InvalidInput)); - }; - - // Only naive sqrt implementation for now. If needed implement Tonelli-Shanks - modexp(x, q, n) - } - - fn add_lo(&self, inputs: [U256; 4]) -> U256 { - let [y1, x0, x1, y0] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } + BLS381 { val: y }; - z.lo() - } - - fn add_hi(&self, inputs: [U256; 4]) -> U256 { - let [x0, x1, y0, y1] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } + BLS381 { val: y }; - z.hi() - } - - fn mul_lo(&self, inputs: [U256; 4]) -> U256 { - let [y1, x0, x1, y0] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } * BLS381 { val: y }; - z.lo() - } - - fn mul_hi(&self, inputs: [U256; 4]) -> U256 { - let [x0, x1, y0, y1] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } * BLS381 { val: y }; - z.hi() - } - - fn sub_lo(&self, inputs: [U256; 4]) -> U256 { - let [y1, x0, x1, y0] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } - BLS381 { val: y }; - z.lo() - } - - fn sub_hi(&self, inputs: [U256; 4]) -> U256 { - let [x0, x1, y0, y1] = inputs; - let x = U512::from(x0) + (U512::from(x1) << 256); - let y = U512::from(y0) + (U512::from(y1) << 256); - let z = BLS381 { val: x } - BLS381 { val: y }; - z.hi() - } - - fn field_extension_inverse(&self, n: usize, f: [U256; 12]) -> U256 { - let f: Fp12 = unsafe { transmute(f) }; - let f_inv: [U256; 12] = unsafe { transmute(f.inv()) }; - f_inv[n] - } -} - -fn modexp(x: U256, e: U256, n: U256) -> Result { - let mut current = x; - let mut product = U256::one(); - - for j in 0..256 { - if e.bit(j) { - product = U256::try_from(product.full_mul(current) % n) - .map_err(|_| ProgramError::ProverInputError(InvalidInput))?; - } - current = U256::try_from(current.full_mul(current) % n) - .map_err(|_| ProgramError::ProverInputError(InvalidInput))?; - } - - Ok(product) -} diff --git a/evm/src/generation/rlp.rs b/evm/src/generation/rlp.rs deleted file mode 100644 index ffc302fd54..0000000000 --- a/evm/src/generation/rlp.rs +++ /dev/null @@ -1,22 +0,0 @@ -use ethereum_types::U256; - -pub(crate) fn all_rlp_prover_inputs_reversed(signed_txn: &[u8]) -> Vec { - let mut inputs = all_rlp_prover_inputs(signed_txn); - inputs.reverse(); - inputs -} - -fn all_rlp_prover_inputs(signed_txn: &[u8]) -> Vec { - let mut prover_inputs = vec![]; - prover_inputs.push(signed_txn.len().into()); - let mut chunks = signed_txn.chunks_exact(32); - for bytes in chunks.by_ref() { - prover_inputs.push(U256::from_big_endian(bytes)); - } - let mut last_chunk = chunks.remainder().to_vec(); - if !last_chunk.is_empty() { - last_chunk.extend_from_slice(&vec![0u8; 32 - last_chunk.len()]); - prover_inputs.push(U256::from_big_endian(&last_chunk)); - } - prover_inputs -} diff --git a/evm/src/generation/state.rs b/evm/src/generation/state.rs deleted file mode 100644 index a6df4b3331..0000000000 --- a/evm/src/generation/state.rs +++ /dev/null @@ -1,206 +0,0 @@ -use std::collections::HashMap; - -use ethereum_types::{Address, BigEndianHash, H160, H256, U256}; -use keccak_hash::keccak; -use plonky2::field::types::Field; - -use super::mpt::{load_all_mpts, TrieRootPtrs}; -use super::TrieInputs; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::generation::rlp::all_rlp_prover_inputs_reversed; -use crate::generation::GenerationInputs; -use crate::memory::segments::Segment; -use crate::util::u256_to_usize; -use crate::witness::errors::ProgramError; -use crate::witness::memory::{MemoryAddress, MemoryState}; -use crate::witness::state::RegistersState; -use crate::witness::traces::{TraceCheckpoint, Traces}; -use crate::witness::util::stack_peek; - -pub(crate) struct GenerationStateCheckpoint { - pub(crate) registers: RegistersState, - pub(crate) traces: TraceCheckpoint, -} - -#[derive(Debug)] -pub(crate) struct GenerationState { - pub(crate) inputs: GenerationInputs, - pub(crate) registers: RegistersState, - pub(crate) memory: MemoryState, - pub(crate) traces: Traces, - - /// Prover inputs containing RLP data, in reverse order so that the next input can be obtained - /// via `pop()`. - pub(crate) rlp_prover_inputs: Vec, - - pub(crate) withdrawal_prover_inputs: Vec, - - /// The state trie only stores state keys, which are hashes of addresses, but sometimes it is - /// useful to see the actual addresses for debugging. Here we store the mapping for all known - /// addresses. - pub(crate) state_key_to_address: HashMap, - - /// Prover inputs containing the result of a MODMUL operation, in little-endian order (so that - /// inputs are obtained in big-endian order via `pop()`). Contains both the remainder and the - /// quotient, in that order. - pub(crate) bignum_modmul_result_limbs: Vec, - - /// Pointers, within the `TrieData` segment, of the three MPTs. - pub(crate) trie_root_ptrs: TrieRootPtrs, - - /// A hash map where the key is a context in the user's code and the value is the set of - /// jump destinations with its corresponding "proof". A "proof" for a jump destination is - /// either 0 or an address i > 32 in the code (not necessarily pointing to an opcode) such that - /// for every j in [i, i+32] it holds that code[j] < 0x7f - j + i. - pub(crate) jumpdest_table: Option>>, -} - -impl GenerationState { - fn preinitialize_mpts(&mut self, trie_inputs: &TrieInputs) -> TrieRootPtrs { - let (trie_roots_ptrs, trie_data) = - load_all_mpts(trie_inputs).expect("Invalid MPT data for preinitialization"); - - self.memory.contexts[0].segments[Segment::TrieData.unscale()].content = trie_data; - - trie_roots_ptrs - } - pub(crate) fn new(inputs: GenerationInputs, kernel_code: &[u8]) -> Result { - log::debug!("Input signed_txn: {:?}", &inputs.signed_txn); - log::debug!("Input state_trie: {:?}", &inputs.tries.state_trie); - log::debug!( - "Input transactions_trie: {:?}", - &inputs.tries.transactions_trie - ); - log::debug!("Input receipts_trie: {:?}", &inputs.tries.receipts_trie); - log::debug!("Input storage_tries: {:?}", &inputs.tries.storage_tries); - log::debug!("Input contract_code: {:?}", &inputs.contract_code); - - let rlp_prover_inputs = - all_rlp_prover_inputs_reversed(inputs.clone().signed_txn.as_ref().unwrap_or(&vec![])); - let withdrawal_prover_inputs = all_withdrawals_prover_inputs_reversed(&inputs.withdrawals); - let bignum_modmul_result_limbs = Vec::new(); - - let mut state = Self { - inputs: inputs.clone(), - registers: Default::default(), - memory: MemoryState::new(kernel_code), - traces: Traces::default(), - rlp_prover_inputs, - withdrawal_prover_inputs, - state_key_to_address: HashMap::new(), - bignum_modmul_result_limbs, - trie_root_ptrs: TrieRootPtrs { - state_root_ptr: 0, - txn_root_ptr: 0, - receipt_root_ptr: 0, - }, - jumpdest_table: None, - }; - let trie_root_ptrs = state.preinitialize_mpts(&inputs.tries); - - state.trie_root_ptrs = trie_root_ptrs; - Ok(state) - } - - /// Updates `program_counter`, and potentially adds some extra handling if we're jumping to a - /// special location. - pub(crate) fn jump_to(&mut self, dst: usize) -> Result<(), ProgramError> { - self.registers.program_counter = dst; - if dst == KERNEL.global_labels["observe_new_address"] { - let tip_u256 = stack_peek(self, 0)?; - let tip_h256 = H256::from_uint(&tip_u256); - let tip_h160 = H160::from(tip_h256); - self.observe_address(tip_h160); - } else if dst == KERNEL.global_labels["observe_new_contract"] { - let tip_u256 = stack_peek(self, 0)?; - let tip_h256 = H256::from_uint(&tip_u256); - self.observe_contract(tip_h256)?; - } - - Ok(()) - } - - /// Observe the given address, so that we will be able to recognize the associated state key. - /// This is just for debugging purposes. - pub(crate) fn observe_address(&mut self, address: Address) { - let state_key = keccak(address.0); - self.state_key_to_address.insert(state_key, address); - } - - /// Observe the given code hash and store the associated code. - /// When called, the code corresponding to `codehash` should be stored in the return data. - pub(crate) fn observe_contract(&mut self, codehash: H256) -> Result<(), ProgramError> { - if self.inputs.contract_code.contains_key(&codehash) { - return Ok(()); // Return early if the code hash has already been observed. - } - - let ctx = self.registers.context; - let returndata_offset = ContextMetadata::ReturndataSize.unscale(); - let returndata_size_addr = - MemoryAddress::new(ctx, Segment::ContextMetadata, returndata_offset); - let returndata_size = u256_to_usize(self.memory.get(returndata_size_addr))?; - let code = self.memory.contexts[ctx].segments[Segment::Returndata.unscale()].content - [..returndata_size] - .iter() - .map(|x| x.low_u32() as u8) - .collect::>(); - debug_assert_eq!(keccak(&code), codehash); - - self.inputs.contract_code.insert(codehash, code); - - Ok(()) - } - - pub(crate) fn checkpoint(&self) -> GenerationStateCheckpoint { - GenerationStateCheckpoint { - registers: self.registers, - traces: self.traces.checkpoint(), - } - } - - pub(crate) fn rollback(&mut self, checkpoint: GenerationStateCheckpoint) { - self.registers = checkpoint.registers; - self.traces.rollback(checkpoint.traces); - } - - pub(crate) fn stack(&self) -> Vec { - const MAX_TO_SHOW: usize = 10; - (0..self.registers.stack_len.min(MAX_TO_SHOW)) - .map(|i| stack_peek(self, i).unwrap()) - .collect() - } - - /// Clones everything but the traces. - pub(crate) fn soft_clone(&self) -> GenerationState { - Self { - inputs: self.inputs.clone(), - registers: self.registers, - memory: self.memory.clone(), - traces: Traces::default(), - rlp_prover_inputs: self.rlp_prover_inputs.clone(), - state_key_to_address: self.state_key_to_address.clone(), - bignum_modmul_result_limbs: self.bignum_modmul_result_limbs.clone(), - withdrawal_prover_inputs: self.withdrawal_prover_inputs.clone(), - trie_root_ptrs: TrieRootPtrs { - state_root_ptr: 0, - txn_root_ptr: 0, - receipt_root_ptr: 0, - }, - jumpdest_table: None, - } - } -} - -/// Withdrawals prover input array is of the form `[addr0, amount0, ..., addrN, amountN, U256::MAX, U256::MAX]`. -/// Returns the reversed array. -pub(crate) fn all_withdrawals_prover_inputs_reversed(withdrawals: &[(Address, U256)]) -> Vec { - let mut withdrawal_prover_inputs = withdrawals - .iter() - .flat_map(|w| [U256::from((w.0).0.as_slice()), w.1]) - .collect::>(); - withdrawal_prover_inputs.push(U256::MAX); - withdrawal_prover_inputs.push(U256::MAX); - withdrawal_prover_inputs.reverse(); - withdrawal_prover_inputs -} diff --git a/evm/src/generation/trie_extractor.rs b/evm/src/generation/trie_extractor.rs deleted file mode 100644 index 4d3a745a19..0000000000 --- a/evm/src/generation/trie_extractor.rs +++ /dev/null @@ -1,313 +0,0 @@ -//! Code for extracting trie data after witness generation. This is intended only for debugging. - -use std::collections::HashMap; - -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, Node, PartialTrie, WrappedNode}; -use ethereum_types::{BigEndianHash, H256, U256, U512}; - -use super::mpt::{AccountRlp, LegacyReceiptRlp, LogRlp}; -use crate::cpu::kernel::constants::trie_type::PartialTrieType; -use crate::memory::segments::Segment; -use crate::util::{u256_to_bool, u256_to_h160, u256_to_u8, u256_to_usize}; -use crate::witness::errors::ProgramError; -use crate::witness::memory::{MemoryAddress, MemoryState}; - -/// Account data as it's stored in the state trie, with a pointer to the storage trie. -#[derive(Debug)] -pub(crate) struct AccountTrieRecord { - pub(crate) nonce: u64, - pub(crate) balance: U256, - pub(crate) storage_ptr: usize, - pub(crate) code_hash: H256, -} - -pub(crate) fn read_state_trie_value(slice: &[U256]) -> Result { - Ok(AccountTrieRecord { - nonce: slice[0].low_u64(), - balance: slice[1], - storage_ptr: u256_to_usize(slice[2])?, - code_hash: H256::from_uint(&slice[3]), - }) -} - -pub(crate) const fn read_storage_trie_value(slice: &[U256]) -> U256 { - slice[0] -} - -pub(crate) fn read_trie( - memory: &MemoryState, - ptr: usize, - read_value: fn(&[U256]) -> Result, -) -> Result, ProgramError> { - let mut res = HashMap::new(); - let empty_nibbles = Nibbles { - count: 0, - packed: U512::zero(), - }; - read_trie_helper::(memory, ptr, read_value, empty_nibbles, &mut res)?; - Ok(res) -} - -pub(crate) fn read_trie_helper( - memory: &MemoryState, - ptr: usize, - read_value: fn(&[U256]) -> Result, - prefix: Nibbles, - res: &mut HashMap, -) -> Result<(), ProgramError> { - let load = |offset| memory.get(MemoryAddress::new(0, Segment::TrieData, offset)); - let load_slice_from = |init_offset| { - &memory.contexts[0].segments[Segment::TrieData.unscale()].content[init_offset..] - }; - - let trie_type = PartialTrieType::all()[u256_to_usize(load(ptr))?]; - match trie_type { - PartialTrieType::Empty => Ok(()), - PartialTrieType::Hash => Ok(()), - PartialTrieType::Branch => { - let ptr_payload = ptr + 1; - for i in 0u8..16 { - let child_ptr = u256_to_usize(load(ptr_payload + i as usize))?; - read_trie_helper::(memory, child_ptr, read_value, prefix.merge_nibble(i), res)?; - } - let value_ptr = u256_to_usize(load(ptr_payload + 16))?; - if value_ptr != 0 { - res.insert(prefix, read_value(load_slice_from(value_ptr))?); - }; - - Ok(()) - } - PartialTrieType::Extension => { - let count = u256_to_usize(load(ptr + 1))?; - let packed = load(ptr + 2); - let nibbles = Nibbles { - count, - packed: packed.into(), - }; - let child_ptr = u256_to_usize(load(ptr + 3))?; - read_trie_helper::( - memory, - child_ptr, - read_value, - prefix.merge_nibbles(&nibbles), - res, - ) - } - PartialTrieType::Leaf => { - let count = u256_to_usize(load(ptr + 1))?; - let packed = load(ptr + 2); - let nibbles = Nibbles { - count, - packed: packed.into(), - }; - let value_ptr = u256_to_usize(load(ptr + 3))?; - res.insert( - prefix.merge_nibbles(&nibbles), - read_value(load_slice_from(value_ptr))?, - ); - - Ok(()) - } - } -} - -pub(crate) fn read_receipt_trie_value( - slice: &[U256], -) -> Result<(Option, LegacyReceiptRlp), ProgramError> { - let first_value = slice[0]; - // Skip two elements for non-legacy Receipts, and only one otherwise. - let (first_byte, slice) = if first_value == U256::one() || first_value == U256::from(2u8) { - (Some(first_value.as_u32() as u8), &slice[2..]) - } else { - (None, &slice[1..]) - }; - - let status = u256_to_bool(slice[0])?; - let cum_gas_used = slice[1]; - let bloom = slice[2..2 + 256] - .iter() - .map(|&x| u256_to_u8(x)) - .collect::>()?; - // We read the number of logs at position `2 + 256 + 1`, and skip over the next element before parsing the logs. - let logs = read_logs(u256_to_usize(slice[2 + 256 + 1])?, &slice[2 + 256 + 3..])?; - - Ok(( - first_byte, - LegacyReceiptRlp { - status, - cum_gas_used, - bloom, - logs, - }, - )) -} - -pub(crate) fn read_logs(num_logs: usize, slice: &[U256]) -> Result, ProgramError> { - let mut offset = 0; - (0..num_logs) - .map(|_| { - let address = u256_to_h160(slice[offset])?; - let num_topics = u256_to_usize(slice[offset + 1])?; - - let topics = (0..num_topics) - .map(|i| H256::from_uint(&slice[offset + 2 + i])) - .collect(); - - let data_len = u256_to_usize(slice[offset + 2 + num_topics])?; - let log = LogRlp { - address, - topics, - data: slice[offset + 2 + num_topics + 1..offset + 2 + num_topics + 1 + data_len] - .iter() - .map(|&x| u256_to_u8(x)) - .collect::>()?, - }; - offset += 2 + num_topics + 1 + data_len; - Ok(log) - }) - .collect() -} - -pub(crate) fn read_state_rlp_value( - memory: &MemoryState, - slice: &[U256], -) -> Result, ProgramError> { - let storage_trie: HashedPartialTrie = get_trie(memory, slice[2].as_usize(), |_, x| { - Ok(rlp::encode(&read_storage_trie_value(x)).to_vec()) - })?; - let account = AccountRlp { - nonce: slice[0], - balance: slice[1], - storage_root: storage_trie.hash(), - code_hash: H256::from_uint(&slice[3]), - }; - Ok(rlp::encode(&account).to_vec()) -} - -pub(crate) fn read_txn_rlp_value( - _memory: &MemoryState, - slice: &[U256], -) -> Result, ProgramError> { - let txn_rlp_len = u256_to_usize(slice[0])?; - slice[1..txn_rlp_len + 1] - .iter() - .map(|&x| u256_to_u8(x)) - .collect::>() -} - -pub(crate) fn read_receipt_rlp_value( - _memory: &MemoryState, - slice: &[U256], -) -> Result, ProgramError> { - let (first_byte, receipt) = read_receipt_trie_value(slice)?; - let mut bytes = rlp::encode(&receipt).to_vec(); - if let Some(txn_byte) = first_byte { - bytes.insert(0, txn_byte); - } - - Ok(bytes) -} - -pub(crate) fn get_state_trie( - memory: &MemoryState, - ptr: usize, -) -> Result { - get_trie(memory, ptr, read_state_rlp_value) -} - -pub(crate) fn get_txn_trie( - memory: &MemoryState, - ptr: usize, -) -> Result { - get_trie(memory, ptr, read_txn_rlp_value) -} - -pub(crate) fn get_receipt_trie( - memory: &MemoryState, - ptr: usize, -) -> Result { - get_trie(memory, ptr, read_receipt_rlp_value) -} - -pub(crate) fn get_trie( - memory: &MemoryState, - ptr: usize, - read_rlp_value: fn(&MemoryState, &[U256]) -> Result, ProgramError>, -) -> Result { - let empty_nibbles = Nibbles { - count: 0, - packed: U512::zero(), - }; - Ok(N::new(get_trie_helper( - memory, - ptr, - read_rlp_value, - empty_nibbles, - )?)) -} - -pub(crate) fn get_trie_helper( - memory: &MemoryState, - ptr: usize, - read_value: fn(&MemoryState, &[U256]) -> Result, ProgramError>, - prefix: Nibbles, -) -> Result, ProgramError> { - let load = |offset| memory.get(MemoryAddress::new(0, Segment::TrieData, offset)); - let load_slice_from = |init_offset| { - &memory.contexts[0].segments[Segment::TrieData.unscale()].content[init_offset..] - }; - - let trie_type = PartialTrieType::all()[u256_to_usize(load(ptr))?]; - match trie_type { - PartialTrieType::Empty => Ok(Node::Empty), - PartialTrieType::Hash => { - let ptr_payload = ptr + 1; - let hash = H256::from_uint(&load(ptr_payload)); - Ok(Node::Hash(hash)) - } - PartialTrieType::Branch => { - let ptr_payload = ptr + 1; - let children = (0..16) - .map(|i| { - let child_ptr = u256_to_usize(load(ptr_payload + i as usize))?; - get_trie_helper(memory, child_ptr, read_value, prefix.merge_nibble(i as u8)) - }) - .collect::, _>>()?; - let children = core::array::from_fn(|i| WrappedNode::from(children[i].clone())); - let value_ptr = u256_to_usize(load(ptr_payload + 16))?; - let mut value: Vec = vec![]; - if value_ptr != 0 { - value = read_value(memory, load_slice_from(value_ptr))?; - }; - Ok(Node::Branch { children, value }) - } - PartialTrieType::Extension => { - let count = u256_to_usize(load(ptr + 1))?; - let packed = load(ptr + 2); - let nibbles = Nibbles { - count, - packed: packed.into(), - }; - let child_ptr = u256_to_usize(load(ptr + 3))?; - let child = WrappedNode::from(get_trie_helper( - memory, - child_ptr, - read_value, - prefix.merge_nibbles(&nibbles), - )?); - Ok(Node::Extension { nibbles, child }) - } - PartialTrieType::Leaf => { - let count = u256_to_usize(load(ptr + 1))?; - let packed = load(ptr + 2); - let nibbles = Nibbles { - count, - packed: packed.into(), - }; - let value_ptr = u256_to_usize(load(ptr + 3))?; - let value = read_value(memory, load_slice_from(value_ptr))?; - Ok(Node::Leaf { nibbles, value }) - } - } -} diff --git a/evm/src/get_challenges.rs b/evm/src/get_challenges.rs index 70c5b98b87..2cb12d403f 100644 --- a/evm/src/get_challenges.rs +++ b/evm/src/get_challenges.rs @@ -61,12 +61,16 @@ fn observe_block_metadata< challenger.observe_element(u256_to_u32(block_metadata.block_number)?); challenger.observe_element(u256_to_u32(block_metadata.block_difficulty)?); challenger.observe_elements(&h256_limbs::(block_metadata.block_random)); - challenger.observe_element(u256_to_u32(block_metadata.block_gaslimit)?); + let gaslimit = u256_to_u64(block_metadata.block_gaslimit)?; + challenger.observe_element(gaslimit.0); + challenger.observe_element(gaslimit.1); challenger.observe_element(u256_to_u32(block_metadata.block_chain_id)?); let basefee = u256_to_u64(block_metadata.block_base_fee)?; challenger.observe_element(basefee.0); challenger.observe_element(basefee.1); - challenger.observe_element(u256_to_u32(block_metadata.block_gas_used)?); + let gas_used = u256_to_u64(block_metadata.block_gas_used)?; + challenger.observe_element(gas_used.0); + challenger.observe_element(gas_used.1); for i in 0..8 { challenger.observe_elements(&u256_limbs(block_metadata.block_bloom[i])); } @@ -89,10 +93,10 @@ fn observe_block_metadata_target< challenger.observe_element(block_metadata.block_number); challenger.observe_element(block_metadata.block_difficulty); challenger.observe_elements(&block_metadata.block_random); - challenger.observe_element(block_metadata.block_gaslimit); + challenger.observe_elements(&block_metadata.block_gaslimit); challenger.observe_element(block_metadata.block_chain_id); challenger.observe_elements(&block_metadata.block_base_fee); - challenger.observe_element(block_metadata.block_gas_used); + challenger.observe_elements(&block_metadata.block_gas_used); challenger.observe_elements(&block_metadata.block_bloom); } @@ -104,11 +108,21 @@ fn observe_extra_block_data< challenger: &mut Challenger, extra_data: &ExtraBlockData, ) -> Result<(), ProgramError> { - challenger.observe_elements(&h256_limbs(extra_data.checkpoint_state_trie_root)); + challenger.observe_elements(&h256_limbs(extra_data.genesis_state_trie_root)); challenger.observe_element(u256_to_u32(extra_data.txn_number_before)?); challenger.observe_element(u256_to_u32(extra_data.txn_number_after)?); - challenger.observe_element(u256_to_u32(extra_data.gas_used_before)?); - challenger.observe_element(u256_to_u32(extra_data.gas_used_after)?); + let gas_used_before = u256_to_u64(extra_data.gas_used_before)?; + challenger.observe_element(gas_used_before.0); + challenger.observe_element(gas_used_before.1); + let gas_used_after = u256_to_u64(extra_data.gas_used_after)?; + challenger.observe_element(gas_used_after.0); + challenger.observe_element(gas_used_after.1); + for i in 0..8 { + challenger.observe_elements(&u256_limbs(extra_data.block_bloom_before[i])); + } + for i in 0..8 { + challenger.observe_elements(&u256_limbs(extra_data.block_bloom_after[i])); + } Ok(()) } @@ -123,11 +137,13 @@ fn observe_extra_block_data_target< ) where C::Hasher: AlgebraicHasher, { - challenger.observe_elements(&extra_data.checkpoint_state_trie_root); + challenger.observe_elements(&extra_data.genesis_state_trie_root); challenger.observe_element(extra_data.txn_number_before); challenger.observe_element(extra_data.txn_number_after); - challenger.observe_element(extra_data.gas_used_before); - challenger.observe_element(extra_data.gas_used_after); + challenger.observe_elements(&extra_data.gas_used_before); + challenger.observe_elements(&extra_data.gas_used_after); + challenger.observe_elements(&extra_data.block_bloom_before); + challenger.observe_elements(&extra_data.block_bloom_after); } fn observe_block_hashes< diff --git a/evm/src/keccak/columns.rs b/evm/src/keccak/columns.rs deleted file mode 100644 index eedba41c0f..0000000000 --- a/evm/src/keccak/columns.rs +++ /dev/null @@ -1,134 +0,0 @@ -use plonky2::field::types::Field; - -use crate::keccak::keccak_stark::{NUM_INPUTS, NUM_ROUNDS}; -use crate::lookup::Column; - -/// A register which is set to 1 if we are in the `i`th round, otherwise 0. -pub(crate) const fn reg_step(i: usize) -> usize { - debug_assert!(i < NUM_ROUNDS); - i -} - -/// Registers to hold permutation inputs. -/// `reg_input_limb(2*i) -> input[i] as u32` -/// `reg_input_limb(2*i+1) -> input[i] >> 32` -pub(crate) fn reg_input_limb(i: usize) -> Column { - debug_assert!(i < 2 * NUM_INPUTS); - let i_u64 = i / 2; // The index of the 64-bit chunk. - - // The 5x5 state is treated as y-major, as per the Keccak spec. - let y = i_u64 / 5; - let x = i_u64 % 5; - - let reg_low_limb = reg_a(x, y); - let is_high_limb = i % 2; - Column::single(reg_low_limb + is_high_limb) -} - -/// Registers to hold permutation outputs. -/// `reg_output_limb(2*i) -> output[i] as u32` -/// `reg_output_limb(2*i+1) -> output[i] >> 32` -pub(crate) const fn reg_output_limb(i: usize) -> usize { - debug_assert!(i < 2 * NUM_INPUTS); - let i_u64 = i / 2; // The index of the 64-bit chunk. - - // The 5x5 state is treated as y-major, as per the Keccak spec. - let y = i_u64 / 5; - let x = i_u64 % 5; - - let is_high_limb = i % 2; - reg_a_prime_prime_prime(x, y) + is_high_limb -} - -const R: [[u8; 5]; 5] = [ - [0, 36, 3, 41, 18], - [1, 44, 10, 45, 2], - [62, 6, 43, 15, 61], - [28, 55, 25, 21, 56], - [27, 20, 39, 8, 14], -]; - -/// Column holding the timestamp, used to link inputs and outputs -/// in the `KeccakSpongeStark`. -pub(crate) const TIMESTAMP: usize = NUM_ROUNDS; - -const START_A: usize = TIMESTAMP + 1; -pub(crate) const fn reg_a(x: usize, y: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(y < 5); - START_A + (x * 5 + y) * 2 -} - -// C[x] = xor(A[x, 0], A[x, 1], A[x, 2], A[x, 3], A[x, 4]) -const START_C: usize = START_A + 5 * 5 * 2; -pub(crate) const fn reg_c(x: usize, z: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(z < 64); - START_C + x * 64 + z -} - -// C'[x, z] = xor(C[x, z], C[x - 1, z], C[x + 1, z - 1]) -const START_C_PRIME: usize = START_C + 5 * 64; -pub(crate) const fn reg_c_prime(x: usize, z: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(z < 64); - START_C_PRIME + x * 64 + z -} - -// Note: D is inlined, not stored in the witness. - -// A'[x, y] = xor(A[x, y], D[x]) -// = xor(A[x, y], C[x - 1], ROT(C[x + 1], 1)) -const START_A_PRIME: usize = START_C_PRIME + 5 * 64; -pub(crate) const fn reg_a_prime(x: usize, y: usize, z: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(y < 5); - debug_assert!(z < 64); - START_A_PRIME + x * 64 * 5 + y * 64 + z -} - -pub(crate) const fn reg_b(x: usize, y: usize, z: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(y < 5); - debug_assert!(z < 64); - // B is just a rotation of A', so these are aliases for A' registers. - // From the spec, - // B[y, (2x + 3y) % 5] = ROT(A'[x, y], r[x, y]) - // So, - // B[x, y] = f((x + 3y) % 5, x) - // where f(a, b) = ROT(A'[a, b], r[a, b]) - let a = (x + 3 * y) % 5; - let b = x; - let rot = R[a][b] as usize; - reg_a_prime(a, b, (z + 64 - rot) % 64) -} - -// A''[x, y] = xor(B[x, y], andn(B[x + 1, y], B[x + 2, y])). -const START_A_PRIME_PRIME: usize = START_A_PRIME + 5 * 5 * 64; -pub(crate) const fn reg_a_prime_prime(x: usize, y: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(y < 5); - START_A_PRIME_PRIME + x * 2 * 5 + y * 2 -} - -const START_A_PRIME_PRIME_0_0_BITS: usize = START_A_PRIME_PRIME + 5 * 5 * 2; -pub(crate) const fn reg_a_prime_prime_0_0_bit(i: usize) -> usize { - debug_assert!(i < 64); - START_A_PRIME_PRIME_0_0_BITS + i -} - -const REG_A_PRIME_PRIME_PRIME_0_0_LO: usize = START_A_PRIME_PRIME_0_0_BITS + 64; -const REG_A_PRIME_PRIME_PRIME_0_0_HI: usize = REG_A_PRIME_PRIME_PRIME_0_0_LO + 1; - -// A'''[0, 0] is additionally xor'd with RC. -pub(crate) const fn reg_a_prime_prime_prime(x: usize, y: usize) -> usize { - debug_assert!(x < 5); - debug_assert!(y < 5); - if x == 0 && y == 0 { - REG_A_PRIME_PRIME_PRIME_0_0_LO - } else { - reg_a_prime_prime(x, y) - } -} - -pub(crate) const NUM_COLUMNS: usize = REG_A_PRIME_PRIME_PRIME_0_0_HI + 1; diff --git a/evm/src/keccak/constants.rs b/evm/src/keccak/constants.rs deleted file mode 100644 index 72286237c8..0000000000 --- a/evm/src/keccak/constants.rs +++ /dev/null @@ -1,157 +0,0 @@ -const RC: [u64; 24] = [ - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -]; - -const RC_BITS: [[u8; 64]; 24] = [ - [ - 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 1, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], - [ - 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, - ], - [ - 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 1, - ], -]; - -pub(crate) const fn rc_value_bit(round: usize, bit_index: usize) -> u8 { - RC_BITS[round][bit_index] -} - -pub(crate) const fn rc_value(round: usize) -> u64 { - RC[round] -} diff --git a/evm/src/keccak/keccak_stark.rs b/evm/src/keccak/keccak_stark.rs deleted file mode 100644 index 771c9b4371..0000000000 --- a/evm/src/keccak/keccak_stark.rs +++ /dev/null @@ -1,772 +0,0 @@ -use core::marker::PhantomData; - -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::plonk_common::reduce_with_powers_ext_circuit; -use plonky2::timed; -use plonky2::util::timing::TimingTree; - -use super::columns::reg_input_limb; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::keccak::columns::{ - reg_a, reg_a_prime, reg_a_prime_prime, reg_a_prime_prime_0_0_bit, reg_a_prime_prime_prime, - reg_b, reg_c, reg_c_prime, reg_output_limb, reg_step, NUM_COLUMNS, TIMESTAMP, -}; -use crate::keccak::constants::{rc_value, rc_value_bit}; -use crate::keccak::logic::{ - andn, andn_gen, andn_gen_circuit, xor, xor3_gen, xor3_gen_circuit, xor_gen, xor_gen_circuit, -}; -use crate::keccak::round_flags::{eval_round_flags, eval_round_flags_recursively}; -use crate::lookup::{Column, Filter}; -use crate::stark::Stark; -use crate::util::trace_rows_to_poly_values; - -/// Number of rounds in a Keccak permutation. -pub(crate) const NUM_ROUNDS: usize = 24; - -/// Number of 64-bit elements in the Keccak permutation input. -pub(crate) const NUM_INPUTS: usize = 25; - -/// Create vector of `Columns` corresponding to the permutation input limbs. -pub(crate) fn ctl_data_inputs() -> Vec> { - let mut res: Vec<_> = (0..2 * NUM_INPUTS).map(reg_input_limb).collect(); - res.push(Column::single(TIMESTAMP)); - res -} - -/// Create vector of `Columns` corresponding to the permutation output limbs. -pub(crate) fn ctl_data_outputs() -> Vec> { - let mut res: Vec<_> = Column::singles((0..2 * NUM_INPUTS).map(reg_output_limb)).collect(); - res.push(Column::single(TIMESTAMP)); - res -} - -/// CTL filter for the first round of the Keccak permutation. -pub(crate) fn ctl_filter_inputs() -> Filter { - Filter::new_simple(Column::single(reg_step(0))) -} - -/// CTL filter for the final round of the Keccak permutation. -pub(crate) fn ctl_filter_outputs() -> Filter { - Filter::new_simple(Column::single(reg_step(NUM_ROUNDS - 1))) -} - -#[derive(Copy, Clone, Default)] -pub(crate) struct KeccakStark { - pub(crate) f: PhantomData, -} - -impl, const D: usize> KeccakStark { - /// Generate the rows of the trace. Note that this does not generate the permuted columns used - /// in our lookup arguments, as those are computed after transposing to column-wise form. - fn generate_trace_rows( - &self, - inputs_and_timestamps: Vec<([u64; NUM_INPUTS], usize)>, - min_rows: usize, - ) -> Vec<[F; NUM_COLUMNS]> { - let num_rows = (inputs_and_timestamps.len() * NUM_ROUNDS) - .max(min_rows) - .next_power_of_two(); - - let mut rows = Vec::with_capacity(num_rows); - for input_and_timestamp in inputs_and_timestamps.iter() { - let rows_for_perm = self.generate_trace_rows_for_perm(*input_and_timestamp); - rows.extend(rows_for_perm); - } - - while rows.len() < num_rows { - rows.push([F::ZERO; NUM_COLUMNS]); - } - rows - } - - fn generate_trace_rows_for_perm( - &self, - input_and_timestamp: ([u64; NUM_INPUTS], usize), - ) -> Vec<[F; NUM_COLUMNS]> { - let mut rows = vec![[F::ZERO; NUM_COLUMNS]; NUM_ROUNDS]; - let input = input_and_timestamp.0; - let timestamp = input_and_timestamp.1; - // Set the timestamp of the current input. - // It will be checked against the value in `KeccakSponge`. - // The timestamp is used to link the input and output of - // the same permutation together. - for round in 0..24 { - rows[round][TIMESTAMP] = F::from_canonical_usize(timestamp); - } - - // Populate the round input for the first round. - for x in 0..5 { - for y in 0..5 { - let input_xy = input[y * 5 + x]; - let reg_lo = reg_a(x, y); - let reg_hi = reg_lo + 1; - rows[0][reg_lo] = F::from_canonical_u64(input_xy & 0xFFFFFFFF); - rows[0][reg_hi] = F::from_canonical_u64(input_xy >> 32); - } - } - - self.generate_trace_row_for_round(&mut rows[0], 0); - for round in 1..24 { - self.copy_output_to_input(rows[round - 1], &mut rows[round]); - self.generate_trace_row_for_round(&mut rows[round], round); - } - - rows - } - - fn copy_output_to_input(&self, prev_row: [F; NUM_COLUMNS], next_row: &mut [F; NUM_COLUMNS]) { - for x in 0..5 { - for y in 0..5 { - let in_lo = reg_a(x, y); - let in_hi = in_lo + 1; - let out_lo = reg_a_prime_prime_prime(x, y); - let out_hi = out_lo + 1; - next_row[in_lo] = prev_row[out_lo]; - next_row[in_hi] = prev_row[out_hi]; - } - } - } - - fn generate_trace_row_for_round(&self, row: &mut [F; NUM_COLUMNS], round: usize) { - row[reg_step(round)] = F::ONE; - - // Populate C[x] = xor(A[x, 0], A[x, 1], A[x, 2], A[x, 3], A[x, 4]). - for x in 0..5 { - for z in 0..64 { - let is_high_limb = z / 32; - let bit_in_limb = z % 32; - let a = [0, 1, 2, 3, 4].map(|i| { - let reg_a_limb = reg_a(x, i) + is_high_limb; - let a_limb = row[reg_a_limb].to_canonical_u64() as u32; - F::from_bool(((a_limb >> bit_in_limb) & 1) != 0) - }); - row[reg_c(x, z)] = xor(a); - } - } - - // Populate C'[x, z] = xor(C[x, z], C[x - 1, z], C[x + 1, z - 1]). - for x in 0..5 { - for z in 0..64 { - row[reg_c_prime(x, z)] = xor([ - row[reg_c(x, z)], - row[reg_c((x + 4) % 5, z)], - row[reg_c((x + 1) % 5, (z + 63) % 64)], - ]); - } - } - - // Populate A'. To avoid shifting indices, we rewrite - // A'[x, y, z] = xor(A[x, y, z], C[x - 1, z], C[x + 1, z - 1]) - // as - // A'[x, y, z] = xor(A[x, y, z], C[x, z], C'[x, z]). - for x in 0..5 { - for y in 0..5 { - for z in 0..64 { - let is_high_limb = z / 32; - let bit_in_limb = z % 32; - let reg_a_limb = reg_a(x, y) + is_high_limb; - let a_limb = row[reg_a_limb].to_canonical_u64() as u32; - let a_bit = F::from_bool(((a_limb >> bit_in_limb) & 1) != 0); - row[reg_a_prime(x, y, z)] = - xor([a_bit, row[reg_c(x, z)], row[reg_c_prime(x, z)]]); - } - } - } - - // Populate A''. - // A''[x, y] = xor(B[x, y], andn(B[x + 1, y], B[x + 2, y])). - for x in 0..5 { - for y in 0..5 { - let get_bit = |z| { - xor([ - row[reg_b(x, y, z)], - andn(row[reg_b((x + 1) % 5, y, z)], row[reg_b((x + 2) % 5, y, z)]), - ]) - }; - - let lo = (0..32) - .rev() - .fold(F::ZERO, |acc, z| acc.double() + get_bit(z)); - let hi = (32..64) - .rev() - .fold(F::ZERO, |acc, z| acc.double() + get_bit(z)); - - let reg_lo = reg_a_prime_prime(x, y); - let reg_hi = reg_lo + 1; - row[reg_lo] = lo; - row[reg_hi] = hi; - } - } - - // For the XOR, we split A''[0, 0] to bits. - let val_lo = row[reg_a_prime_prime(0, 0)].to_canonical_u64(); - let val_hi = row[reg_a_prime_prime(0, 0) + 1].to_canonical_u64(); - let val = val_lo | (val_hi << 32); - let bit_values: Vec = (0..64) - .scan(val, |acc, _| { - let tmp = *acc & 1; - *acc >>= 1; - Some(tmp) - }) - .collect(); - for i in 0..64 { - row[reg_a_prime_prime_0_0_bit(i)] = F::from_canonical_u64(bit_values[i]); - } - - // A''[0, 0] is additionally xor'd with RC. - let in_reg_lo = reg_a_prime_prime(0, 0); - let in_reg_hi = in_reg_lo + 1; - let out_reg_lo = reg_a_prime_prime_prime(0, 0); - let out_reg_hi = out_reg_lo + 1; - let rc_lo = rc_value(round) & ((1 << 32) - 1); - let rc_hi = rc_value(round) >> 32; - row[out_reg_lo] = F::from_canonical_u64(row[in_reg_lo].to_canonical_u64() ^ rc_lo); - row[out_reg_hi] = F::from_canonical_u64(row[in_reg_hi].to_canonical_u64() ^ rc_hi); - } - - pub(crate) fn generate_trace( - &self, - inputs: Vec<([u64; NUM_INPUTS], usize)>, - min_rows: usize, - timing: &mut TimingTree, - ) -> Vec> { - // Generate the witness, except for permuted columns in the lookup argument. - let trace_rows = timed!( - timing, - "generate trace rows", - self.generate_trace_rows(inputs, min_rows) - ); - let trace_polys = timed!( - timing, - "convert to PolynomialValues", - trace_rows_to_poly_values(trace_rows) - ); - trace_polys - } -} - -impl, const D: usize> Stark for KeccakStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - eval_round_flags(vars, yield_constr); - - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - // The filter must be 0 or 1. - let filter = local_values[reg_step(NUM_ROUNDS - 1)]; - yield_constr.constraint(filter * (filter - P::ONES)); - - // If this is not the final step, the filter must be off. - let final_step = local_values[reg_step(NUM_ROUNDS - 1)]; - let not_final_step = P::ONES - final_step; - yield_constr.constraint(not_final_step * filter); - - // If this is not the final step or a padding row, - // the local and next timestamps must match. - let sum_round_flags = (0..NUM_ROUNDS) - .map(|i| local_values[reg_step(i)]) - .sum::

(); - yield_constr.constraint( - sum_round_flags * not_final_step * (next_values[TIMESTAMP] - local_values[TIMESTAMP]), - ); - - // C'[x, z] = xor(C[x, z], C[x - 1, z], C[x + 1, z - 1]). - for x in 0..5 { - for z in 0..64 { - let xor = xor3_gen( - local_values[reg_c(x, z)], - local_values[reg_c((x + 4) % 5, z)], - local_values[reg_c((x + 1) % 5, (z + 63) % 64)], - ); - let c_prime = local_values[reg_c_prime(x, z)]; - yield_constr.constraint(c_prime - xor); - } - } - - // Check that the input limbs are consistent with A' and D. - // A[x, y, z] = xor(A'[x, y, z], D[x, y, z]) - // = xor(A'[x, y, z], C[x - 1, z], C[x + 1, z - 1]) - // = xor(A'[x, y, z], C[x, z], C'[x, z]). - // The last step is valid based on the identity we checked above. - // It isn't required, but makes this check a bit cleaner. - for x in 0..5 { - for y in 0..5 { - let a_lo = local_values[reg_a(x, y)]; - let a_hi = local_values[reg_a(x, y) + 1]; - let get_bit = |z| { - let a_prime = local_values[reg_a_prime(x, y, z)]; - let c = local_values[reg_c(x, z)]; - let c_prime = local_values[reg_c_prime(x, z)]; - xor3_gen(a_prime, c, c_prime) - }; - let computed_lo = (0..32) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_bit(z)); - let computed_hi = (32..64) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_bit(z)); - yield_constr.constraint(computed_lo - a_lo); - yield_constr.constraint(computed_hi - a_hi); - } - } - - // xor_{i=0}^4 A'[x, i, z] = C'[x, z], so for each x, z, - // diff * (diff - 2) * (diff - 4) = 0, where - // diff = sum_{i=0}^4 A'[x, i, z] - C'[x, z] - for x in 0..5 { - for z in 0..64 { - let sum: P = [0, 1, 2, 3, 4] - .map(|i| local_values[reg_a_prime(x, i, z)]) - .into_iter() - .sum(); - let diff = sum - local_values[reg_c_prime(x, z)]; - yield_constr - .constraint(diff * (diff - FE::TWO) * (diff - FE::from_canonical_u8(4))); - } - } - - // A''[x, y] = xor(B[x, y], andn(B[x + 1, y], B[x + 2, y])). - for x in 0..5 { - for y in 0..5 { - let get_bit = |z| { - xor_gen( - local_values[reg_b(x, y, z)], - andn_gen( - local_values[reg_b((x + 1) % 5, y, z)], - local_values[reg_b((x + 2) % 5, y, z)], - ), - ) - }; - - let reg_lo = reg_a_prime_prime(x, y); - let reg_hi = reg_lo + 1; - let lo = local_values[reg_lo]; - let hi = local_values[reg_hi]; - let computed_lo = (0..32) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_bit(z)); - let computed_hi = (32..64) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_bit(z)); - - yield_constr.constraint(computed_lo - lo); - yield_constr.constraint(computed_hi - hi); - } - } - - // A'''[0, 0] = A''[0, 0] XOR RC - let a_prime_prime_0_0_bits = (0..64) - .map(|i| local_values[reg_a_prime_prime_0_0_bit(i)]) - .collect_vec(); - let computed_a_prime_prime_0_0_lo = (0..32) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + a_prime_prime_0_0_bits[z]); - let computed_a_prime_prime_0_0_hi = (32..64) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + a_prime_prime_0_0_bits[z]); - let a_prime_prime_0_0_lo = local_values[reg_a_prime_prime(0, 0)]; - let a_prime_prime_0_0_hi = local_values[reg_a_prime_prime(0, 0) + 1]; - yield_constr.constraint(computed_a_prime_prime_0_0_lo - a_prime_prime_0_0_lo); - yield_constr.constraint(computed_a_prime_prime_0_0_hi - a_prime_prime_0_0_hi); - - let get_xored_bit = |i| { - let mut rc_bit_i = P::ZEROS; - for r in 0..NUM_ROUNDS { - let this_round = local_values[reg_step(r)]; - let this_round_constant = - P::from(FE::from_canonical_u32(rc_value_bit(r, i) as u32)); - rc_bit_i += this_round * this_round_constant; - } - - xor_gen(a_prime_prime_0_0_bits[i], rc_bit_i) - }; - - let a_prime_prime_prime_0_0_lo = local_values[reg_a_prime_prime_prime(0, 0)]; - let a_prime_prime_prime_0_0_hi = local_values[reg_a_prime_prime_prime(0, 0) + 1]; - let computed_a_prime_prime_prime_0_0_lo = (0..32) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_xored_bit(z)); - let computed_a_prime_prime_prime_0_0_hi = (32..64) - .rev() - .fold(P::ZEROS, |acc, z| acc.doubles() + get_xored_bit(z)); - yield_constr.constraint(computed_a_prime_prime_prime_0_0_lo - a_prime_prime_prime_0_0_lo); - yield_constr.constraint(computed_a_prime_prime_prime_0_0_hi - a_prime_prime_prime_0_0_hi); - - // Enforce that this round's output equals the next round's input. - for x in 0..5 { - for y in 0..5 { - let output_lo = local_values[reg_a_prime_prime_prime(x, y)]; - let output_hi = local_values[reg_a_prime_prime_prime(x, y) + 1]; - let input_lo = next_values[reg_a(x, y)]; - let input_hi = next_values[reg_a(x, y) + 1]; - let is_last_round = local_values[reg_step(NUM_ROUNDS - 1)]; - let not_last_round = P::ONES - is_last_round; - yield_constr.constraint_transition(not_last_round * (output_lo - input_lo)); - yield_constr.constraint_transition(not_last_round * (output_hi - input_hi)); - } - } - } - - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let one_ext = builder.one_extension(); - let two = builder.two(); - let two_ext = builder.two_extension(); - let four_ext = builder.constant_extension(F::Extension::from_canonical_u8(4)); - - eval_round_flags_recursively(builder, vars, yield_constr); - - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - // The filter must be 0 or 1. - let filter = local_values[reg_step(NUM_ROUNDS - 1)]; - let constraint = builder.mul_sub_extension(filter, filter, filter); - yield_constr.constraint(builder, constraint); - - // If this is not the final step, the filter must be off. - let final_step = local_values[reg_step(NUM_ROUNDS - 1)]; - let not_final_step = builder.sub_extension(one_ext, final_step); - let constraint = builder.mul_extension(not_final_step, filter); - yield_constr.constraint(builder, constraint); - - // If this is not the final step or a padding row, - // the local and next timestamps must match. - let sum_round_flags = - builder.add_many_extension((0..NUM_ROUNDS).map(|i| local_values[reg_step(i)])); - let diff = builder.sub_extension(next_values[TIMESTAMP], local_values[TIMESTAMP]); - let constr = builder.mul_many_extension([sum_round_flags, not_final_step, diff]); - yield_constr.constraint(builder, constr); - - // C'[x, z] = xor(C[x, z], C[x - 1, z], C[x + 1, z - 1]). - for x in 0..5 { - for z in 0..64 { - let xor = xor3_gen_circuit( - builder, - local_values[reg_c(x, z)], - local_values[reg_c((x + 4) % 5, z)], - local_values[reg_c((x + 1) % 5, (z + 63) % 64)], - ); - let c_prime = local_values[reg_c_prime(x, z)]; - let diff = builder.sub_extension(c_prime, xor); - yield_constr.constraint(builder, diff); - } - } - - // Check that the input limbs are consistent with A' and D. - // A[x, y, z] = xor(A'[x, y, z], D[x, y, z]) - // = xor(A'[x, y, z], C[x - 1, z], C[x + 1, z - 1]) - // = xor(A'[x, y, z], C[x, z], C'[x, z]). - // The last step is valid based on the identity we checked above. - // It isn't required, but makes this check a bit cleaner. - for x in 0..5 { - for y in 0..5 { - let a_lo = local_values[reg_a(x, y)]; - let a_hi = local_values[reg_a(x, y) + 1]; - let mut get_bit = |z| { - let a_prime = local_values[reg_a_prime(x, y, z)]; - let c = local_values[reg_c(x, z)]; - let c_prime = local_values[reg_c_prime(x, z)]; - xor3_gen_circuit(builder, a_prime, c, c_prime) - }; - let bits_lo = (0..32).map(&mut get_bit).collect_vec(); - let bits_hi = (32..64).map(get_bit).collect_vec(); - let computed_lo = reduce_with_powers_ext_circuit(builder, &bits_lo, two); - let computed_hi = reduce_with_powers_ext_circuit(builder, &bits_hi, two); - let diff = builder.sub_extension(computed_lo, a_lo); - yield_constr.constraint(builder, diff); - let diff = builder.sub_extension(computed_hi, a_hi); - yield_constr.constraint(builder, diff); - } - } - - // xor_{i=0}^4 A'[x, i, z] = C'[x, z], so for each x, z, - // diff * (diff - 2) * (diff - 4) = 0, where - // diff = sum_{i=0}^4 A'[x, i, z] - C'[x, z] - for x in 0..5 { - for z in 0..64 { - let sum = builder.add_many_extension( - [0, 1, 2, 3, 4].map(|i| local_values[reg_a_prime(x, i, z)]), - ); - let diff = builder.sub_extension(sum, local_values[reg_c_prime(x, z)]); - let diff_minus_two = builder.sub_extension(diff, two_ext); - let diff_minus_four = builder.sub_extension(diff, four_ext); - let constraint = - builder.mul_many_extension([diff, diff_minus_two, diff_minus_four]); - yield_constr.constraint(builder, constraint); - } - } - - // A''[x, y] = xor(B[x, y], andn(B[x + 1, y], B[x + 2, y])). - for x in 0..5 { - for y in 0..5 { - let mut get_bit = |z| { - let andn = andn_gen_circuit( - builder, - local_values[reg_b((x + 1) % 5, y, z)], - local_values[reg_b((x + 2) % 5, y, z)], - ); - xor_gen_circuit(builder, local_values[reg_b(x, y, z)], andn) - }; - - let reg_lo = reg_a_prime_prime(x, y); - let reg_hi = reg_lo + 1; - let lo = local_values[reg_lo]; - let hi = local_values[reg_hi]; - let bits_lo = (0..32).map(&mut get_bit).collect_vec(); - let bits_hi = (32..64).map(get_bit).collect_vec(); - let computed_lo = reduce_with_powers_ext_circuit(builder, &bits_lo, two); - let computed_hi = reduce_with_powers_ext_circuit(builder, &bits_hi, two); - let diff = builder.sub_extension(computed_lo, lo); - yield_constr.constraint(builder, diff); - let diff = builder.sub_extension(computed_hi, hi); - yield_constr.constraint(builder, diff); - } - } - - // A'''[0, 0] = A''[0, 0] XOR RC - let a_prime_prime_0_0_bits = (0..64) - .map(|i| local_values[reg_a_prime_prime_0_0_bit(i)]) - .collect_vec(); - let computed_a_prime_prime_0_0_lo = - reduce_with_powers_ext_circuit(builder, &a_prime_prime_0_0_bits[0..32], two); - let computed_a_prime_prime_0_0_hi = - reduce_with_powers_ext_circuit(builder, &a_prime_prime_0_0_bits[32..64], two); - let a_prime_prime_0_0_lo = local_values[reg_a_prime_prime(0, 0)]; - let a_prime_prime_0_0_hi = local_values[reg_a_prime_prime(0, 0) + 1]; - let diff = builder.sub_extension(computed_a_prime_prime_0_0_lo, a_prime_prime_0_0_lo); - yield_constr.constraint(builder, diff); - let diff = builder.sub_extension(computed_a_prime_prime_0_0_hi, a_prime_prime_0_0_hi); - yield_constr.constraint(builder, diff); - - let mut get_xored_bit = |i| { - let mut rc_bit_i = builder.zero_extension(); - for r in 0..NUM_ROUNDS { - let this_round = local_values[reg_step(r)]; - let this_round_constant = builder - .constant_extension(F::from_canonical_u32(rc_value_bit(r, i) as u32).into()); - rc_bit_i = builder.mul_add_extension(this_round, this_round_constant, rc_bit_i); - } - - xor_gen_circuit(builder, a_prime_prime_0_0_bits[i], rc_bit_i) - }; - - let a_prime_prime_prime_0_0_lo = local_values[reg_a_prime_prime_prime(0, 0)]; - let a_prime_prime_prime_0_0_hi = local_values[reg_a_prime_prime_prime(0, 0) + 1]; - let bits_lo = (0..32).map(&mut get_xored_bit).collect_vec(); - let bits_hi = (32..64).map(get_xored_bit).collect_vec(); - let computed_a_prime_prime_prime_0_0_lo = - reduce_with_powers_ext_circuit(builder, &bits_lo, two); - let computed_a_prime_prime_prime_0_0_hi = - reduce_with_powers_ext_circuit(builder, &bits_hi, two); - let diff = builder.sub_extension( - computed_a_prime_prime_prime_0_0_lo, - a_prime_prime_prime_0_0_lo, - ); - yield_constr.constraint(builder, diff); - let diff = builder.sub_extension( - computed_a_prime_prime_prime_0_0_hi, - a_prime_prime_prime_0_0_hi, - ); - yield_constr.constraint(builder, diff); - - // Enforce that this round's output equals the next round's input. - for x in 0..5 { - for y in 0..5 { - let output_lo = local_values[reg_a_prime_prime_prime(x, y)]; - let output_hi = local_values[reg_a_prime_prime_prime(x, y) + 1]; - let input_lo = next_values[reg_a(x, y)]; - let input_hi = next_values[reg_a(x, y) + 1]; - let is_last_round = local_values[reg_step(NUM_ROUNDS - 1)]; - let diff = builder.sub_extension(input_lo, output_lo); - let filtered_diff = builder.mul_sub_extension(is_last_round, diff, diff); - yield_constr.constraint_transition(builder, filtered_diff); - let diff = builder.sub_extension(input_hi, output_hi); - let filtered_diff = builder.mul_sub_extension(is_last_round, diff, diff); - yield_constr.constraint_transition(builder, filtered_diff); - } - } - } - - fn constraint_degree(&self) -> usize { - 3 - } -} - -#[cfg(test)] -mod tests { - use anyhow::Result; - use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; - use plonky2::field::types::PrimeField64; - use plonky2::fri::oracle::PolynomialBatch; - use plonky2::iop::challenger::Challenger; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - use tiny_keccak::keccakf; - - use super::*; - use crate::config::StarkConfig; - use crate::cross_table_lookup::{CtlData, CtlZData, GrandProductChallengeSet}; - use crate::lookup::GrandProductChallenge; - use crate::prover::prove_single_table; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } - - #[test] - fn keccak_correctness_test() -> Result<()> { - let input: [u64; NUM_INPUTS] = rand::random(); - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakStark; - - let stark = S { - f: Default::default(), - }; - - let rows = stark.generate_trace_rows(vec![(input, 0)], 8); - let last_row = rows[NUM_ROUNDS - 1]; - let output = (0..NUM_INPUTS) - .map(|i| { - let hi = last_row[reg_output_limb(2 * i + 1)].to_canonical_u64(); - let lo = last_row[reg_output_limb(2 * i)].to_canonical_u64(); - (hi << 32) | lo - }) - .collect::>(); - - let expected = { - let mut state = input; - keccakf(&mut state); - state - }; - - assert_eq!(output, expected); - - Ok(()) - } - - #[test] - fn keccak_benchmark() -> Result<()> { - const NUM_PERMS: usize = 85; - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakStark; - let stark = S::default(); - let config = StarkConfig::standard_fast_config(); - - init_logger(); - - let input: Vec<([u64; NUM_INPUTS], usize)> = - (0..NUM_PERMS).map(|_| (rand::random(), 0)).collect(); - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let trace_poly_values = timed!( - timing, - "generate trace", - stark.generate_trace(input, 8, &mut timing) - ); - - let cloned_trace_poly_values = timed!(timing, "clone", trace_poly_values.clone()); - - let trace_commitments = timed!( - timing, - "compute trace commitment", - PolynomialBatch::::from_values( - cloned_trace_poly_values, - config.fri_config.rate_bits, - false, - config.fri_config.cap_height, - &mut timing, - None, - ) - ); - let degree = 1 << trace_commitments.degree_log; - - // Fake CTL data. - let ctl_z_data = CtlZData { - helper_columns: vec![PolynomialValues::zero(degree)], - z: PolynomialValues::zero(degree), - challenge: GrandProductChallenge { - beta: F::ZERO, - gamma: F::ZERO, - }, - columns: vec![], - filter: vec![Some(Filter::new_simple(Column::constant(F::ZERO)))], - }; - let ctl_data = CtlData { - zs_columns: vec![ctl_z_data.clone(); config.num_challenges], - }; - - prove_single_table( - &stark, - &config, - &trace_poly_values, - &trace_commitments, - &ctl_data, - &GrandProductChallengeSet { - challenges: vec![ctl_z_data.challenge; config.num_challenges], - }, - &mut Challenger::new(), - &mut timing, - None, - )?; - - timing.print(); - Ok(()) - } - - fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "debug")); - } -} diff --git a/evm/src/keccak/logic.rs b/evm/src/keccak/logic.rs deleted file mode 100644 index 4e29b93fb8..0000000000 --- a/evm/src/keccak/logic.rs +++ /dev/null @@ -1,65 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::PrimeField64; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -pub(crate) fn xor(xs: [F; N]) -> F { - xs.into_iter().fold(F::ZERO, |acc, x| { - debug_assert!(x.is_zero() || x.is_one()); - F::from_canonical_u64(acc.to_canonical_u64() ^ x.to_canonical_u64()) - }) -} - -/// Computes the arithmetic generalization of `xor(x, y)`, i.e. `x + y - 2 x y`. -pub(crate) fn xor_gen(x: P, y: P) -> P { - x + y - x * y.doubles() -} - -/// Computes the arithmetic generalization of `xor3(x, y, z)`. -pub(crate) fn xor3_gen(x: P, y: P, z: P) -> P { - xor_gen(x, xor_gen(y, z)) -} - -/// Computes the arithmetic generalization of `xor(x, y)`, i.e. `x + y - 2 x y`. -pub(crate) fn xor_gen_circuit, const D: usize>( - builder: &mut CircuitBuilder, - x: ExtensionTarget, - y: ExtensionTarget, -) -> ExtensionTarget { - let sum = builder.add_extension(x, y); - builder.arithmetic_extension(-F::TWO, F::ONE, x, y, sum) -} - -/// Computes the arithmetic generalization of `xor(x, y)`, i.e. `x + y - 2 x y`. -pub(crate) fn xor3_gen_circuit, const D: usize>( - builder: &mut CircuitBuilder, - x: ExtensionTarget, - y: ExtensionTarget, - z: ExtensionTarget, -) -> ExtensionTarget { - let x_xor_y = xor_gen_circuit(builder, x, y); - xor_gen_circuit(builder, x_xor_y, z) -} - -pub(crate) fn andn(x: F, y: F) -> F { - debug_assert!(x.is_zero() || x.is_one()); - debug_assert!(y.is_zero() || y.is_one()); - let x = x.to_canonical_u64(); - let y = y.to_canonical_u64(); - F::from_canonical_u64(!x & y) -} - -pub(crate) fn andn_gen(x: P, y: P) -> P { - (P::ONES - x) * y -} - -pub(crate) fn andn_gen_circuit, const D: usize>( - builder: &mut CircuitBuilder, - x: ExtensionTarget, - y: ExtensionTarget, -) -> ExtensionTarget { - // (1 - x) y = -xy + y - builder.arithmetic_extension(F::NEG_ONE, F::ONE, x, y, y) -} diff --git a/evm/src/keccak/mod.rs b/evm/src/keccak/mod.rs deleted file mode 100644 index d71e9e9cc7..0000000000 --- a/evm/src/keccak/mod.rs +++ /dev/null @@ -1,5 +0,0 @@ -pub mod columns; -pub mod constants; -pub mod keccak_stark; -pub mod logic; -pub mod round_flags; diff --git a/evm/src/keccak/round_flags.rs b/evm/src/keccak/round_flags.rs deleted file mode 100644 index 9ad144f7ef..0000000000 --- a/evm/src/keccak/round_flags.rs +++ /dev/null @@ -1,73 +0,0 @@ -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::keccak::columns::{reg_step, NUM_COLUMNS}; -use crate::keccak::keccak_stark::NUM_ROUNDS; - -pub(crate) fn eval_round_flags>( - vars: &StarkFrame, - yield_constr: &mut ConstraintConsumer

, -) { - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - // Initially, the first step flag should be 1 while the others should be 0. - yield_constr.constraint_first_row(local_values[reg_step(0)] - F::ONE); - for i in 1..NUM_ROUNDS { - yield_constr.constraint_first_row(local_values[reg_step(i)]); - } - - // Flags should circularly increment, or be all zero for padding rows. - let next_any_flag = (0..NUM_ROUNDS).map(|i| next_values[reg_step(i)]).sum::

(); - for i in 0..NUM_ROUNDS { - let current_round_flag = local_values[reg_step(i)]; - let next_round_flag = next_values[reg_step((i + 1) % NUM_ROUNDS)]; - yield_constr.constraint_transition(next_any_flag * (next_round_flag - current_round_flag)); - } - - // Padding rows should always be followed by padding rows. - let current_any_flag = (0..NUM_ROUNDS) - .map(|i| local_values[reg_step(i)]) - .sum::

(); - yield_constr.constraint_transition(next_any_flag * (current_any_flag - F::ONE)); -} - -pub(crate) fn eval_round_flags_recursively, const D: usize>( - builder: &mut CircuitBuilder, - vars: &StarkFrame, NUM_COLUMNS>, - yield_constr: &mut RecursiveConstraintConsumer, -) { - let one = builder.one_extension(); - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - // Initially, the first step flag should be 1 while the others should be 0. - let step_0_minus_1 = builder.sub_extension(local_values[reg_step(0)], one); - yield_constr.constraint_first_row(builder, step_0_minus_1); - for i in 1..NUM_ROUNDS { - yield_constr.constraint_first_row(builder, local_values[reg_step(i)]); - } - - // Flags should circularly increment, or be all zero for padding rows. - let next_any_flag = - builder.add_many_extension((0..NUM_ROUNDS).map(|i| next_values[reg_step(i)])); - for i in 0..NUM_ROUNDS { - let current_round_flag = local_values[reg_step(i)]; - let next_round_flag = next_values[reg_step((i + 1) % NUM_ROUNDS)]; - let diff = builder.sub_extension(next_round_flag, current_round_flag); - let constraint = builder.mul_extension(next_any_flag, diff); - yield_constr.constraint_transition(builder, constraint); - } - - // Padding rows should always be followed by padding rows. - let current_any_flag = - builder.add_many_extension((0..NUM_ROUNDS).map(|i| local_values[reg_step(i)])); - let constraint = builder.mul_sub_extension(next_any_flag, current_any_flag, next_any_flag); - yield_constr.constraint_transition(builder, constraint); -} diff --git a/evm/src/keccak_sponge/columns.rs b/evm/src/keccak_sponge/columns.rs deleted file mode 100644 index b35ff1fa10..0000000000 --- a/evm/src/keccak_sponge/columns.rs +++ /dev/null @@ -1,156 +0,0 @@ -use core::borrow::{Borrow, BorrowMut}; -use core::mem::{size_of, transmute}; -use core::ops::Range; - -use crate::util::{indices_arr, transmute_no_compile_time_size_checks}; - -/// Total number of sponge bytes: number of rate bytes + number of capacity bytes. -pub(crate) const KECCAK_WIDTH_BYTES: usize = 200; -/// Total number of 32-bit limbs in the sponge. -pub(crate) const KECCAK_WIDTH_U32S: usize = KECCAK_WIDTH_BYTES / 4; -/// Number of non-digest bytes. -pub(crate) const KECCAK_WIDTH_MINUS_DIGEST_U32S: usize = - (KECCAK_WIDTH_BYTES - KECCAK_DIGEST_BYTES) / 4; -/// Number of rate bytes. -pub(crate) const KECCAK_RATE_BYTES: usize = 136; -/// Number of 32-bit rate limbs. -pub(crate) const KECCAK_RATE_U32S: usize = KECCAK_RATE_BYTES / 4; -/// Number of capacity bytes. -pub(crate) const KECCAK_CAPACITY_BYTES: usize = 64; -/// Number of 32-bit capacity limbs. -pub(crate) const KECCAK_CAPACITY_U32S: usize = KECCAK_CAPACITY_BYTES / 4; -/// Number of output digest bytes used during the squeezing phase. -pub(crate) const KECCAK_DIGEST_BYTES: usize = 32; -/// Number of 32-bit digest limbs. -pub(crate) const KECCAK_DIGEST_U32S: usize = KECCAK_DIGEST_BYTES / 4; - -/// A view of `KeccakSpongeStark`'s columns. -#[repr(C)] -#[derive(Eq, PartialEq, Debug)] -pub(crate) struct KeccakSpongeColumnsView { - /// 1 if this row represents a full input block, i.e. one in which each byte is an input byte, - /// not a padding byte; 0 otherwise. - pub is_full_input_block: T, - - /// The context of the base address at which we will read the input block. - pub context: T, - /// The segment of the base address at which we will read the input block. - pub segment: T, - /// The virtual address at which we will read the input block. - pub virt: T, - - /// The timestamp at which inputs should be read from memory. - pub timestamp: T, - - /// The number of input bytes that have already been absorbed prior to this block. - pub already_absorbed_bytes: T, - - /// If this row represents a final block row, the `i`th entry should be 1 if the final chunk of - /// input has length `i` (in other words if `len - already_absorbed == i`), otherwise 0. - /// - /// If this row represents a full input block, this should contain all 0s. - pub is_final_input_len: [T; KECCAK_RATE_BYTES], - - /// The initial rate part of the sponge, at the start of this step. - pub original_rate_u32s: [T; KECCAK_RATE_U32S], - - /// The capacity part of the sponge, encoded as 32-bit chunks, at the start of this step. - pub original_capacity_u32s: [T; KECCAK_CAPACITY_U32S], - - /// The block being absorbed, which may contain input bytes and/or padding bytes. - pub block_bytes: [T; KECCAK_RATE_BYTES], - - /// The rate part of the sponge, encoded as 32-bit chunks, after the current block is xor'd in, - /// but before the permutation is applied. - pub xored_rate_u32s: [T; KECCAK_RATE_U32S], - - /// The entire state (rate + capacity) of the sponge, encoded as 32-bit chunks, after the - /// permutation is applied, minus the first limbs where the digest is extracted from. - /// Those missing limbs can be recomputed from their corresponding bytes stored in - /// `updated_digest_state_bytes`. - pub partial_updated_state_u32s: [T; KECCAK_WIDTH_MINUS_DIGEST_U32S], - - /// The first part of the state of the sponge, seen as bytes, after the permutation is applied. - /// This also represents the output digest of the Keccak sponge during the squeezing phase. - pub updated_digest_state_bytes: [T; KECCAK_DIGEST_BYTES], - - /// The counter column (used for the range check) starts from 0 and increments. - pub range_counter: T, - /// The frequencies column used in logUp. - pub rc_frequencies: T, -} - -// `u8` is guaranteed to have a `size_of` of 1. -/// Number of columns in `KeccakSpongeStark`. -pub(crate) const NUM_KECCAK_SPONGE_COLUMNS: usize = size_of::>(); - -// Indices for LogUp range-check. -// They are on the last registers of this table. -pub(crate) const RC_FREQUENCIES: usize = NUM_KECCAK_SPONGE_COLUMNS - 1; -pub(crate) const RANGE_COUNTER: usize = RC_FREQUENCIES - 1; - -pub(crate) const BLOCK_BYTES_START: usize = - 6 + KECCAK_RATE_BYTES + KECCAK_RATE_U32S + KECCAK_CAPACITY_U32S; -/// Indices for the range-checked values, i.e. the `block_bytes` section. -// TODO: Find a better way to access those indices -pub(crate) const fn get_block_bytes_range() -> Range { - BLOCK_BYTES_START..BLOCK_BYTES_START + KECCAK_RATE_BYTES -} - -/// Return the index for the targeted `block_bytes` element. -pub(crate) const fn get_single_block_bytes_value(i: usize) -> usize { - debug_assert!(i < KECCAK_RATE_BYTES); - get_block_bytes_range().start + i -} - -impl From<[T; NUM_KECCAK_SPONGE_COLUMNS]> for KeccakSpongeColumnsView { - fn from(value: [T; NUM_KECCAK_SPONGE_COLUMNS]) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl From> for [T; NUM_KECCAK_SPONGE_COLUMNS] { - fn from(value: KeccakSpongeColumnsView) -> Self { - unsafe { transmute_no_compile_time_size_checks(value) } - } -} - -impl Borrow> for [T; NUM_KECCAK_SPONGE_COLUMNS] { - fn borrow(&self) -> &KeccakSpongeColumnsView { - unsafe { transmute(self) } - } -} - -impl BorrowMut> for [T; NUM_KECCAK_SPONGE_COLUMNS] { - fn borrow_mut(&mut self) -> &mut KeccakSpongeColumnsView { - unsafe { transmute(self) } - } -} - -impl Borrow<[T; NUM_KECCAK_SPONGE_COLUMNS]> for KeccakSpongeColumnsView { - fn borrow(&self) -> &[T; NUM_KECCAK_SPONGE_COLUMNS] { - unsafe { transmute(self) } - } -} - -impl BorrowMut<[T; NUM_KECCAK_SPONGE_COLUMNS]> for KeccakSpongeColumnsView { - fn borrow_mut(&mut self) -> &mut [T; NUM_KECCAK_SPONGE_COLUMNS] { - unsafe { transmute(self) } - } -} - -impl Default for KeccakSpongeColumnsView { - fn default() -> Self { - [T::default(); NUM_KECCAK_SPONGE_COLUMNS].into() - } -} - -const fn make_col_map() -> KeccakSpongeColumnsView { - let indices_arr = indices_arr::(); - unsafe { - transmute::<[usize; NUM_KECCAK_SPONGE_COLUMNS], KeccakSpongeColumnsView>(indices_arr) - } -} - -/// Map between the `KeccakSponge` columns and (0..`NUM_KECCAK_SPONGE_COLUMNS`) -pub(crate) const KECCAK_SPONGE_COL_MAP: KeccakSpongeColumnsView = make_col_map(); diff --git a/evm/src/keccak_sponge/keccak_sponge_stark.rs b/evm/src/keccak_sponge/keccak_sponge_stark.rs deleted file mode 100644 index ddf2bca00e..0000000000 --- a/evm/src/keccak_sponge/keccak_sponge_stark.rs +++ /dev/null @@ -1,873 +0,0 @@ -use core::borrow::Borrow; -use core::iter::{self, once, repeat}; -use core::marker::PhantomData; -use core::mem::size_of; - -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use plonky2::util::transpose; -use plonky2_util::ceil_div_usize; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cpu::kernel::keccak_util::keccakf_u32s; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::keccak_sponge::columns::*; -use crate::lookup::{Column, Filter, Lookup}; -use crate::stark::Stark; -use crate::witness::memory::MemoryAddress; - -/// Strict upper bound for the individual bytes range-check. -const BYTE_RANGE_MAX: usize = 256; - -/// Creates the vector of `Columns` corresponding to: -/// - the address in memory of the inputs, -/// - the length of the inputs, -/// - the timestamp at which the inputs are read from memory, -/// - the output limbs of the Keccak sponge. -pub(crate) fn ctl_looked_data() -> Vec> { - let cols = KECCAK_SPONGE_COL_MAP; - let mut outputs = Vec::with_capacity(8); - for i in (0..8).rev() { - let cur_col = Column::linear_combination( - cols.updated_digest_state_bytes[i * 4..(i + 1) * 4] - .iter() - .enumerate() - .map(|(j, &c)| (c, F::from_canonical_u64(1 << (24 - 8 * j)))), - ); - outputs.push(cur_col); - } - - // The length of the inputs is `already_absorbed_bytes + is_final_input_len`. - let len_col = Column::linear_combination( - iter::once((cols.already_absorbed_bytes, F::ONE)).chain( - cols.is_final_input_len - .iter() - .enumerate() - .map(|(i, &elt)| (elt, F::from_canonical_usize(i))), - ), - ); - - let mut res: Vec> = - Column::singles([cols.context, cols.segment, cols.virt]).collect(); - res.push(len_col); - res.push(Column::single(cols.timestamp)); - res.extend(outputs); - - res -} - -/// Creates the vector of `Columns` corresponding to the inputs of the Keccak sponge. -/// This is used to check that the inputs of the sponge correspond to the inputs -/// given by `KeccakStark`. -pub(crate) fn ctl_looking_keccak_inputs() -> Vec> { - let cols = KECCAK_SPONGE_COL_MAP; - let mut res: Vec<_> = Column::singles( - [ - cols.xored_rate_u32s.as_slice(), - &cols.original_capacity_u32s, - ] - .concat(), - ) - .collect(); - res.push(Column::single(cols.timestamp)); - - res -} - -/// Creates the vector of `Columns` corresponding to the outputs of the Keccak sponge. -/// This is used to check that the outputs of the sponge correspond to the outputs -/// given by `KeccakStark`. -pub(crate) fn ctl_looking_keccak_outputs() -> Vec> { - let cols = KECCAK_SPONGE_COL_MAP; - - // We recover the 32-bit digest limbs from their corresponding bytes, - // and then append them to the rest of the updated state limbs. - let digest_u32s = cols.updated_digest_state_bytes.chunks_exact(4).map(|c| { - Column::linear_combination( - c.iter() - .enumerate() - .map(|(i, &b)| (b, F::from_canonical_usize(1 << (8 * i)))), - ) - }); - - let mut res: Vec<_> = digest_u32s.collect(); - - res.extend(Column::singles(&cols.partial_updated_state_u32s)); - res.push(Column::single(cols.timestamp)); - - res -} - -/// Creates the vector of `Columns` corresponding to the address and value of the byte being read from memory. -pub(crate) fn ctl_looking_memory(i: usize) -> Vec> { - let cols = KECCAK_SPONGE_COL_MAP; - - let mut res = vec![Column::constant(F::ONE)]; // is_read - - res.extend(Column::singles([cols.context, cols.segment])); - - // The address of the byte being read is `virt + already_absorbed_bytes + i`. - res.push(Column::linear_combination_with_constant( - [(cols.virt, F::ONE), (cols.already_absorbed_bytes, F::ONE)], - F::from_canonical_usize(i), - )); - - // The i'th input byte being read. - res.push(Column::single(cols.block_bytes[i])); - - // Since we're reading a single byte, the higher limbs must be zero. - res.extend((1..8).map(|_| Column::zero())); - - res.push(Column::single(cols.timestamp)); - - assert_eq!( - res.len(), - crate::memory::memory_stark::ctl_data::().len() - ); - res -} - -/// Returns the number of `KeccakSponge` tables looking into the `LogicStark`. -pub(crate) const fn num_logic_ctls() -> usize { - const U8S_PER_CTL: usize = 32; - ceil_div_usize(KECCAK_RATE_BYTES, U8S_PER_CTL) -} - -/// Creates the vector of `Columns` required to perform the `i`th logic CTL. -/// It is comprised of the ÌS_XOR` flag, the two inputs and the output -/// of the XOR operation. -/// Since we need to do 136 byte XORs, and the logic CTL can -/// XOR 32 bytes per CTL, there are 5 such CTLs. -pub(crate) fn ctl_looking_logic(i: usize) -> Vec> { - const U32S_PER_CTL: usize = 8; - const U8S_PER_CTL: usize = 32; - - debug_assert!(i < num_logic_ctls()); - let cols = KECCAK_SPONGE_COL_MAP; - - let mut res = vec![ - Column::constant(F::from_canonical_u8(0x18)), // is_xor - ]; - - // Input 0 contains some of the sponge's original rate chunks. If this is the last CTL, we won't - // need to use all of the CTL's inputs, so we will pass some zeros. - res.extend( - Column::singles(&cols.original_rate_u32s[i * U32S_PER_CTL..]) - .chain(repeat(Column::zero())) - .take(U32S_PER_CTL), - ); - - // Input 1 contains some of block's chunks. Again, for the last CTL it will include some zeros. - res.extend( - cols.block_bytes[i * U8S_PER_CTL..] - .chunks(size_of::()) - .map(|chunk| Column::le_bytes(chunk)) - .chain(repeat(Column::zero())) - .take(U32S_PER_CTL), - ); - - // The output contains the XOR'd rate part. - res.extend( - Column::singles(&cols.xored_rate_u32s[i * U32S_PER_CTL..]) - .chain(repeat(Column::zero())) - .take(U32S_PER_CTL), - ); - - res -} - -/// CTL filter for the final block rows of the `KeccakSponge` table. -pub(crate) fn ctl_looked_filter() -> Filter { - // The CPU table is only interested in our final-block rows, since those contain the final - // sponge output. - Filter::new_simple(Column::sum(KECCAK_SPONGE_COL_MAP.is_final_input_len)) -} - -/// CTL filter for reading the `i`th byte of input from memory. -pub(crate) fn ctl_looking_memory_filter(i: usize) -> Filter { - // We perform the `i`th read if either - // - this is a full input block, or - // - this is a final block of length `i` or greater - let cols = KECCAK_SPONGE_COL_MAP; - if i == KECCAK_RATE_BYTES - 1 { - Filter::new_simple(Column::single(cols.is_full_input_block)) - } else { - Filter::new_simple(Column::sum( - once(&cols.is_full_input_block).chain(&cols.is_final_input_len[i + 1..]), - )) - } -} - -/// CTL filter for looking at XORs in the logic table. -pub(crate) fn ctl_looking_logic_filter() -> Filter { - let cols = KECCAK_SPONGE_COL_MAP; - Filter::new_simple(Column::sum( - once(&cols.is_full_input_block).chain(&cols.is_final_input_len), - )) -} - -/// CTL filter for looking at the input and output in the Keccak table. -pub(crate) fn ctl_looking_keccak_filter() -> Filter { - let cols = KECCAK_SPONGE_COL_MAP; - Filter::new_simple(Column::sum( - once(&cols.is_full_input_block).chain(&cols.is_final_input_len), - )) -} - -/// Information about a Keccak sponge operation needed for witness generation. -#[derive(Clone, Debug)] -pub(crate) struct KeccakSpongeOp { - /// The base address at which inputs are read. - pub(crate) base_address: MemoryAddress, - - /// The timestamp at which inputs are read. - pub(crate) timestamp: usize, - - /// The input that was read. - pub(crate) input: Vec, -} - -/// Structure representing the `KeccakSponge` STARK, which carries out the sponge permutation. -#[derive(Copy, Clone, Default)] -pub(crate) struct KeccakSpongeStark { - f: PhantomData, -} - -impl, const D: usize> KeccakSpongeStark { - /// Generates the trace polynomial values for the `KeccakSponge`STARK. - pub(crate) fn generate_trace( - &self, - operations: Vec, - min_rows: usize, - timing: &mut TimingTree, - ) -> Vec> { - // Generate the witness row-wise. - let trace_rows = timed!( - timing, - "generate trace rows", - self.generate_trace_rows(operations, min_rows) - ); - - let trace_row_vecs: Vec<_> = trace_rows.into_iter().map(|row| row.to_vec()).collect(); - - let mut trace_cols = transpose(&trace_row_vecs); - self.generate_range_checks(&mut trace_cols); - - trace_cols.into_iter().map(PolynomialValues::new).collect() - } - - /// Generates the trace rows given the vector of `KeccakSponge` operations. - /// The trace is padded to a power of two with all-zero rows. - fn generate_trace_rows( - &self, - operations: Vec, - min_rows: usize, - ) -> Vec<[F; NUM_KECCAK_SPONGE_COLUMNS]> { - let base_len: usize = operations - .iter() - .map(|op| op.input.len() / KECCAK_RATE_BYTES + 1) - .sum(); - let mut rows = Vec::with_capacity(base_len.max(min_rows).next_power_of_two()); - // Generate active rows. - for op in operations { - rows.extend(self.generate_rows_for_op(op)); - } - // Pad the trace. - let padded_rows = rows.len().max(min_rows).next_power_of_two(); - for _ in rows.len()..padded_rows { - rows.push(self.generate_padding_row()); - } - rows - } - - /// Generates the rows associated to a given operation: - /// Performs a Keccak sponge permutation and fills the STARK's rows accordingly. - /// The number of rows is the number of input chunks of size `KECCAK_RATE_BYTES`. - fn generate_rows_for_op(&self, op: KeccakSpongeOp) -> Vec<[F; NUM_KECCAK_SPONGE_COLUMNS]> { - let mut rows = Vec::with_capacity(op.input.len() / KECCAK_RATE_BYTES + 1); - - let mut sponge_state = [0u32; KECCAK_WIDTH_U32S]; - - let mut input_blocks = op.input.chunks_exact(KECCAK_RATE_BYTES); - let mut already_absorbed_bytes = 0; - for block in input_blocks.by_ref() { - // We compute the updated state of the sponge. - let row = self.generate_full_input_row( - &op, - already_absorbed_bytes, - sponge_state, - block.try_into().unwrap(), - ); - - // We update the state limbs for the next block absorption. - // The first `KECCAK_DIGEST_U32s` limbs are stored as bytes after the computation, - // so we recompute the corresponding `u32` and update the first state limbs. - sponge_state[..KECCAK_DIGEST_U32S] - .iter_mut() - .zip(row.updated_digest_state_bytes.chunks_exact(4)) - .for_each(|(s, bs)| { - *s = bs - .iter() - .enumerate() - .map(|(i, b)| (b.to_canonical_u64() as u32) << (8 * i)) - .sum(); - }); - - // The rest of the bytes are already stored in the expected form, so we can directly - // update the state with the stored values. - sponge_state[KECCAK_DIGEST_U32S..] - .iter_mut() - .zip(row.partial_updated_state_u32s) - .for_each(|(s, x)| *s = x.to_canonical_u64() as u32); - - rows.push(row.into()); - already_absorbed_bytes += KECCAK_RATE_BYTES; - } - - rows.push( - self.generate_final_row( - &op, - already_absorbed_bytes, - sponge_state, - input_blocks.remainder(), - ) - .into(), - ); - - rows - } - - /// Generates a row where all bytes are input bytes, not padding bytes. - /// This includes updating the state sponge with a single absorption. - fn generate_full_input_row( - &self, - op: &KeccakSpongeOp, - already_absorbed_bytes: usize, - sponge_state: [u32; KECCAK_WIDTH_U32S], - block: [u8; KECCAK_RATE_BYTES], - ) -> KeccakSpongeColumnsView { - let mut row = KeccakSpongeColumnsView { - is_full_input_block: F::ONE, - ..Default::default() - }; - - row.block_bytes = block.map(F::from_canonical_u8); - - Self::generate_common_fields(&mut row, op, already_absorbed_bytes, sponge_state); - row - } - - /// Generates a row containing the last input bytes. - /// On top of computing one absorption and padding the input, - /// we indicate the last non-padding input byte by setting - /// `row.is_final_input_len[final_inputs.len()]` to 1. - fn generate_final_row( - &self, - op: &KeccakSpongeOp, - already_absorbed_bytes: usize, - sponge_state: [u32; KECCAK_WIDTH_U32S], - final_inputs: &[u8], - ) -> KeccakSpongeColumnsView { - assert_eq!(already_absorbed_bytes + final_inputs.len(), op.input.len()); - - let mut row = KeccakSpongeColumnsView::default(); - - for (block_byte, input_byte) in row.block_bytes.iter_mut().zip(final_inputs) { - *block_byte = F::from_canonical_u8(*input_byte); - } - - // pad10*1 rule - if final_inputs.len() == KECCAK_RATE_BYTES - 1 { - // Both 1s are placed in the same byte. - row.block_bytes[final_inputs.len()] = F::from_canonical_u8(0b10000001); - } else { - row.block_bytes[final_inputs.len()] = F::ONE; - row.block_bytes[KECCAK_RATE_BYTES - 1] = F::from_canonical_u8(0b10000000); - } - - row.is_final_input_len[final_inputs.len()] = F::ONE; - - Self::generate_common_fields(&mut row, op, already_absorbed_bytes, sponge_state); - row - } - - /// Generate fields that are common to both full-input-block rows and final-block rows. - /// Also updates the sponge state with a single absorption. - /// Given a state S = R || C and a block input B, - /// - R is updated with R XOR B, - /// - S is replaced by keccakf_u32s(S). - fn generate_common_fields( - row: &mut KeccakSpongeColumnsView, - op: &KeccakSpongeOp, - already_absorbed_bytes: usize, - mut sponge_state: [u32; KECCAK_WIDTH_U32S], - ) { - row.context = F::from_canonical_usize(op.base_address.context); - row.segment = F::from_canonical_usize(op.base_address.segment); - row.virt = F::from_canonical_usize(op.base_address.virt); - row.timestamp = F::from_canonical_usize(op.timestamp); - row.already_absorbed_bytes = F::from_canonical_usize(already_absorbed_bytes); - - row.original_rate_u32s = sponge_state[..KECCAK_RATE_U32S] - .iter() - .map(|x| F::from_canonical_u32(*x)) - .collect_vec() - .try_into() - .unwrap(); - - row.original_capacity_u32s = sponge_state[KECCAK_RATE_U32S..] - .iter() - .map(|x| F::from_canonical_u32(*x)) - .collect_vec() - .try_into() - .unwrap(); - - let block_u32s = (0..KECCAK_RATE_U32S).map(|i| { - u32::from_le_bytes( - row.block_bytes[i * 4..(i + 1) * 4] - .iter() - .map(|x| x.to_canonical_u64() as u8) - .collect_vec() - .try_into() - .unwrap(), - ) - }); - - // xor in the block - for (state_i, block_i) in sponge_state.iter_mut().zip(block_u32s) { - *state_i ^= block_i; - } - let xored_rate_u32s: [u32; KECCAK_RATE_U32S] = sponge_state[..KECCAK_RATE_U32S] - .to_vec() - .try_into() - .unwrap(); - row.xored_rate_u32s = xored_rate_u32s.map(F::from_canonical_u32); - - keccakf_u32s(&mut sponge_state); - // Store all but the first `KECCAK_DIGEST_U32S` limbs in the updated state. - // Those missing limbs will be broken down into bytes and stored separately. - row.partial_updated_state_u32s.copy_from_slice( - &sponge_state[KECCAK_DIGEST_U32S..] - .iter() - .copied() - .map(|i| F::from_canonical_u32(i)) - .collect::>(), - ); - sponge_state[..KECCAK_DIGEST_U32S] - .iter() - .enumerate() - .for_each(|(l, &elt)| { - let mut cur_elt = elt; - (0..4).for_each(|i| { - row.updated_digest_state_bytes[l * 4 + i] = - F::from_canonical_u32(cur_elt & 0xFF); - cur_elt >>= 8; - }); - - // 32-bit limb reconstruction consistency check. - let mut s = row.updated_digest_state_bytes[l * 4].to_canonical_u64(); - for i in 1..4 { - s += row.updated_digest_state_bytes[l * 4 + i].to_canonical_u64() << (8 * i); - } - assert_eq!(elt as u64, s, "not equal"); - }) - } - - fn generate_padding_row(&self) -> [F; NUM_KECCAK_SPONGE_COLUMNS] { - // The default instance has is_full_input_block = is_final_block = 0, - // indicating that it's a dummy/padding row. - KeccakSpongeColumnsView::default().into() - } - - /// Expects input in *column*-major layout - fn generate_range_checks(&self, cols: &mut [Vec]) { - debug_assert!(cols.len() == NUM_KECCAK_SPONGE_COLUMNS); - - let n_rows = cols[0].len(); - debug_assert!(cols.iter().all(|col| col.len() == n_rows)); - - for i in 0..BYTE_RANGE_MAX { - cols[RANGE_COUNTER][i] = F::from_canonical_usize(i); - } - for i in BYTE_RANGE_MAX..n_rows { - cols[RANGE_COUNTER][i] = F::from_canonical_usize(BYTE_RANGE_MAX - 1); - } - - // For each column c in cols, generate the range-check - // permutations and put them in the corresponding range-check - // columns rc_c and rc_c+1. - for col in 0..KECCAK_RATE_BYTES { - let c = get_single_block_bytes_value(col); - for i in 0..n_rows { - let x = cols[c][i].to_canonical_u64() as usize; - assert!( - x < BYTE_RANGE_MAX, - "column value {} exceeds the max range value {}", - x, - BYTE_RANGE_MAX - ); - cols[RC_FREQUENCIES][x] += F::ONE; - } - } - } -} - -impl, const D: usize> Stark for KeccakSpongeStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_KECCAK_SPONGE_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let local_values: &[P; NUM_KECCAK_SPONGE_COLUMNS] = - vars.get_local_values().try_into().unwrap(); - let local_values: &KeccakSpongeColumnsView

= local_values.borrow(); - let next_values: &[P; NUM_KECCAK_SPONGE_COLUMNS] = - vars.get_next_values().try_into().unwrap(); - let next_values: &KeccakSpongeColumnsView

= next_values.borrow(); - - // Check the range column: First value must be 0, last row - // must be 255, and intermediate rows must increment by 0 - // or 1. - let rc1 = local_values.range_counter; - let rc2 = next_values.range_counter; - yield_constr.constraint_first_row(rc1); - let incr = rc2 - rc1; - yield_constr.constraint_transition(incr * incr - incr); - let range_max = P::Scalar::from_canonical_u64((BYTE_RANGE_MAX - 1) as u64); - yield_constr.constraint_last_row(rc1 - range_max); - - // Each flag (full-input block, final block or implied dummy flag) must be boolean. - let is_full_input_block = local_values.is_full_input_block; - yield_constr.constraint(is_full_input_block * (is_full_input_block - P::ONES)); - - let is_final_block: P = local_values.is_final_input_len.iter().copied().sum(); - yield_constr.constraint(is_final_block * (is_final_block - P::ONES)); - - for &is_final_len in local_values.is_final_input_len.iter() { - yield_constr.constraint(is_final_len * (is_final_len - P::ONES)); - } - - // Ensure that full-input block and final block flags are not set to 1 at the same time. - yield_constr.constraint(is_final_block * is_full_input_block); - - // If this is the first row, the original sponge state should be 0 and already_absorbed_bytes = 0. - let already_absorbed_bytes = local_values.already_absorbed_bytes; - yield_constr.constraint_first_row(already_absorbed_bytes); - for &original_rate_elem in local_values.original_rate_u32s.iter() { - yield_constr.constraint_first_row(original_rate_elem); - } - for &original_capacity_elem in local_values.original_capacity_u32s.iter() { - yield_constr.constraint_first_row(original_capacity_elem); - } - - // If this is a final block, the next row's original sponge state should be 0 and already_absorbed_bytes = 0. - yield_constr.constraint_transition(is_final_block * next_values.already_absorbed_bytes); - for &original_rate_elem in next_values.original_rate_u32s.iter() { - yield_constr.constraint_transition(is_final_block * original_rate_elem); - } - for &original_capacity_elem in next_values.original_capacity_u32s.iter() { - yield_constr.constraint_transition(is_final_block * original_capacity_elem); - } - - // If this is a full-input block, the next row's address, time and len must match as well as its timestamp. - yield_constr.constraint_transition( - is_full_input_block * (local_values.context - next_values.context), - ); - yield_constr.constraint_transition( - is_full_input_block * (local_values.segment - next_values.segment), - ); - yield_constr - .constraint_transition(is_full_input_block * (local_values.virt - next_values.virt)); - yield_constr.constraint_transition( - is_full_input_block * (local_values.timestamp - next_values.timestamp), - ); - - // If this is a full-input block, the next row's "before" should match our "after" state. - for (current_bytes_after, next_before) in local_values - .updated_digest_state_bytes - .chunks_exact(4) - .zip(&next_values.original_rate_u32s[..KECCAK_DIGEST_U32S]) - { - let mut current_after = current_bytes_after[0]; - for i in 1..4 { - current_after += - current_bytes_after[i] * P::from(FE::from_canonical_usize(1 << (8 * i))); - } - yield_constr - .constraint_transition(is_full_input_block * (*next_before - current_after)); - } - for (¤t_after, &next_before) in local_values - .partial_updated_state_u32s - .iter() - .zip(next_values.original_rate_u32s[KECCAK_DIGEST_U32S..].iter()) - { - yield_constr.constraint_transition(is_full_input_block * (next_before - current_after)); - } - for (¤t_after, &next_before) in local_values - .partial_updated_state_u32s - .iter() - .skip(KECCAK_RATE_U32S - KECCAK_DIGEST_U32S) - .zip(next_values.original_capacity_u32s.iter()) - { - yield_constr.constraint_transition(is_full_input_block * (next_before - current_after)); - } - - // If this is a full-input block, the next row's already_absorbed_bytes should be ours plus `KECCAK_RATE_BYTES`. - yield_constr.constraint_transition( - is_full_input_block - * (already_absorbed_bytes + P::from(FE::from_canonical_usize(KECCAK_RATE_BYTES)) - - next_values.already_absorbed_bytes), - ); - - // A dummy row is always followed by another dummy row, so the prover can't put dummy rows "in between" to avoid the above checks. - let is_dummy = P::ONES - is_full_input_block - is_final_block; - let next_is_final_block: P = next_values.is_final_input_len.iter().copied().sum(); - yield_constr.constraint_transition( - is_dummy * (next_values.is_full_input_block + next_is_final_block), - ); - } - - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let local_values: &[ExtensionTarget; NUM_KECCAK_SPONGE_COLUMNS] = - vars.get_local_values().try_into().unwrap(); - let local_values: &KeccakSpongeColumnsView> = local_values.borrow(); - let next_values: &[ExtensionTarget; NUM_KECCAK_SPONGE_COLUMNS] = - vars.get_next_values().try_into().unwrap(); - let next_values: &KeccakSpongeColumnsView> = next_values.borrow(); - - let one = builder.one_extension(); - - // Check the range column: First value must be 0, last row - // must be 255, and intermediate rows must increment by 0 - // or 1. - let rc1 = local_values.range_counter; - let rc2 = next_values.range_counter; - yield_constr.constraint_first_row(builder, rc1); - let incr = builder.sub_extension(rc2, rc1); - let t = builder.mul_sub_extension(incr, incr, incr); - yield_constr.constraint_transition(builder, t); - let range_max = - builder.constant_extension(F::Extension::from_canonical_usize(BYTE_RANGE_MAX - 1)); - let t = builder.sub_extension(rc1, range_max); - yield_constr.constraint_last_row(builder, t); - - // Each flag (full-input block, final block or implied dummy flag) must be boolean. - let is_full_input_block = local_values.is_full_input_block; - let constraint = builder.mul_sub_extension( - is_full_input_block, - is_full_input_block, - is_full_input_block, - ); - yield_constr.constraint(builder, constraint); - - let is_final_block = builder.add_many_extension(local_values.is_final_input_len); - let constraint = builder.mul_sub_extension(is_final_block, is_final_block, is_final_block); - yield_constr.constraint(builder, constraint); - - for &is_final_len in local_values.is_final_input_len.iter() { - let constraint = builder.mul_sub_extension(is_final_len, is_final_len, is_final_len); - yield_constr.constraint(builder, constraint); - } - - // Ensure that full-input block and final block flags are not set to 1 at the same time. - let constraint = builder.mul_extension(is_final_block, is_full_input_block); - yield_constr.constraint(builder, constraint); - - // If this is the first row, the original sponge state should be 0 and already_absorbed_bytes = 0. - let already_absorbed_bytes = local_values.already_absorbed_bytes; - yield_constr.constraint_first_row(builder, already_absorbed_bytes); - for &original_rate_elem in local_values.original_rate_u32s.iter() { - yield_constr.constraint_first_row(builder, original_rate_elem); - } - for &original_capacity_elem in local_values.original_capacity_u32s.iter() { - yield_constr.constraint_first_row(builder, original_capacity_elem); - } - - // If this is a final block, the next row's original sponge state should be 0 and already_absorbed_bytes = 0. - let constraint = builder.mul_extension(is_final_block, next_values.already_absorbed_bytes); - yield_constr.constraint_transition(builder, constraint); - for &original_rate_elem in next_values.original_rate_u32s.iter() { - let constraint = builder.mul_extension(is_final_block, original_rate_elem); - yield_constr.constraint_transition(builder, constraint); - } - for &original_capacity_elem in next_values.original_capacity_u32s.iter() { - let constraint = builder.mul_extension(is_final_block, original_capacity_elem); - yield_constr.constraint_transition(builder, constraint); - } - - // If this is a full-input block, the next row's address, time and len must match as well as its timestamp. - let context_diff = builder.sub_extension(local_values.context, next_values.context); - let constraint = builder.mul_extension(is_full_input_block, context_diff); - yield_constr.constraint_transition(builder, constraint); - - let segment_diff = builder.sub_extension(local_values.segment, next_values.segment); - let constraint = builder.mul_extension(is_full_input_block, segment_diff); - yield_constr.constraint_transition(builder, constraint); - - let virt_diff = builder.sub_extension(local_values.virt, next_values.virt); - let constraint = builder.mul_extension(is_full_input_block, virt_diff); - yield_constr.constraint_transition(builder, constraint); - - let timestamp_diff = builder.sub_extension(local_values.timestamp, next_values.timestamp); - let constraint = builder.mul_extension(is_full_input_block, timestamp_diff); - yield_constr.constraint_transition(builder, constraint); - - // If this is a full-input block, the next row's "before" should match our "after" state. - for (current_bytes_after, next_before) in local_values - .updated_digest_state_bytes - .chunks_exact(4) - .zip(&next_values.original_rate_u32s[..KECCAK_DIGEST_U32S]) - { - let mut current_after = current_bytes_after[0]; - for i in 1..4 { - current_after = builder.mul_const_add_extension( - F::from_canonical_usize(1 << (8 * i)), - current_bytes_after[i], - current_after, - ); - } - let diff = builder.sub_extension(*next_before, current_after); - let constraint = builder.mul_extension(is_full_input_block, diff); - yield_constr.constraint_transition(builder, constraint); - } - for (¤t_after, &next_before) in local_values - .partial_updated_state_u32s - .iter() - .zip(next_values.original_rate_u32s[KECCAK_DIGEST_U32S..].iter()) - { - let diff = builder.sub_extension(next_before, current_after); - let constraint = builder.mul_extension(is_full_input_block, diff); - yield_constr.constraint_transition(builder, constraint); - } - for (¤t_after, &next_before) in local_values - .partial_updated_state_u32s - .iter() - .skip(KECCAK_RATE_U32S - KECCAK_DIGEST_U32S) - .zip(next_values.original_capacity_u32s.iter()) - { - let diff = builder.sub_extension(next_before, current_after); - let constraint = builder.mul_extension(is_full_input_block, diff); - yield_constr.constraint_transition(builder, constraint); - } - - // If this is a full-input block, the next row's already_absorbed_bytes should be ours plus `KECCAK_RATE_BYTES`. - let absorbed_bytes = builder.add_const_extension( - already_absorbed_bytes, - F::from_canonical_usize(KECCAK_RATE_BYTES), - ); - let absorbed_diff = - builder.sub_extension(absorbed_bytes, next_values.already_absorbed_bytes); - let constraint = builder.mul_extension(is_full_input_block, absorbed_diff); - yield_constr.constraint_transition(builder, constraint); - - // A dummy row is always followed by another dummy row, so the prover can't put dummy rows "in between" to avoid the above checks. - let is_dummy = { - let tmp = builder.sub_extension(one, is_final_block); - builder.sub_extension(tmp, is_full_input_block) - }; - let next_is_final_block = builder.add_many_extension(next_values.is_final_input_len); - let constraint = { - let tmp = builder.add_extension(next_is_final_block, next_values.is_full_input_block); - builder.mul_extension(is_dummy, tmp) - }; - yield_constr.constraint_transition(builder, constraint); - } - - fn constraint_degree(&self) -> usize { - 3 - } - - fn lookups(&self) -> Vec> { - vec![Lookup { - columns: Column::singles(get_block_bytes_range()).collect(), - table_column: Column::single(RANGE_COUNTER), - frequencies_column: Column::single(RC_FREQUENCIES), - filter_columns: vec![None; KECCAK_RATE_BYTES], - }] - } -} - -#[cfg(test)] -mod tests { - use anyhow::Result; - use keccak_hash::keccak; - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::types::PrimeField64; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - use super::*; - use crate::memory::segments::Segment; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakSpongeStark; - - let stark = S::default(); - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = KeccakSpongeStark; - - let stark = S::default(); - test_stark_circuit_constraints::(stark) - } - - #[test] - fn test_generation() -> Result<()> { - const D: usize = 2; - type F = GoldilocksField; - type S = KeccakSpongeStark; - - let input = vec![1, 2, 3]; - let expected_output = keccak(&input); - - let op = KeccakSpongeOp { - base_address: MemoryAddress::new(0, Segment::Code, 0), - timestamp: 0, - input, - }; - let stark = S::default(); - let rows = stark.generate_rows_for_op(op); - assert_eq!(rows.len(), 1); - let last_row: &KeccakSpongeColumnsView = rows.last().unwrap().borrow(); - let output = last_row - .updated_digest_state_bytes - .iter() - .map(|x| x.to_canonical_u64() as u8) - .collect_vec(); - - assert_eq!(output, expected_output.0); - Ok(()) - } -} diff --git a/evm/src/keccak_sponge/mod.rs b/evm/src/keccak_sponge/mod.rs deleted file mode 100644 index 92b7f0c15e..0000000000 --- a/evm/src/keccak_sponge/mod.rs +++ /dev/null @@ -1,6 +0,0 @@ -//! The Keccak sponge STARK is used to hash a variable amount of data which is read from memory. -//! It connects to the memory STARK to read input data, and to the Keccak-f STARK to evaluate the -//! permutation at each absorption step. - -pub mod columns; -pub mod keccak_sponge_stark; diff --git a/evm/src/lib.rs b/evm/src/lib.rs index 5cc7192bd6..06013ae172 100644 --- a/evm/src/lib.rs +++ b/evm/src/lib.rs @@ -1,168 +1,8 @@ -//! An implementation of a Type 1 zk-EVM by Polygon Zero. -//! -//! Following the [zk-EVM classification of V. Buterin](https://vitalik.eth.limo/general/2022/08/04/zkevm.html), -//! the plonky2_evm crate aims at providing an efficient solution for the problem of generating cryptographic -//! proofs of Ethereum-like transactions with *full Ethereum capability*. -//! -//! To this end, the plonky2 zk-EVM is tailored for an AIR-based STARK system satisfying degree 3 constraints, -//! with support for recursive aggregation leveraging plonky2 circuits with FRI-based plonkish arithmetization. -//! These circuits require a one-time, offline preprocessing phase. -//! See the [`fixed_recursive_verifier`] module for more details on how this works. -//! These preprocessed circuits are gathered within the [`AllRecursiveCircuits`] prover state, -//! and can be generated as such: -//! -//! ```ignore -//! // Specify the base field to use. -//! type F = GoldilocksField; -//! // Specify the extension degree to use. -//! const D: usize = 2; -//! // Specify the recursive configuration to use, here leveraging Poseidon hash -//! // over the Goldilocks field both natively and in-circuit. -//! type C = PoseidonGoldilocksConfig; -//! -//! let all_stark = AllStark::::default(); -//! let config = StarkConfig::standard_fast_config(); -//! -//! // Generate all the recursive circuits needed to generate succinct proofs for blocks. -//! // The ranges correspond to the supported table sizes for each individual STARK component. -//! let prover_state = AllRecursiveCircuits::::new( -//! &all_stark, -//! &[16..25, 10..20, 12..25, 14..25, 9..20, 12..20, 17..30], -//! &config, -//! ); -//! ``` -//! -//! # Inputs type -//! -//! Transactions need to be processed into an Intermediary Representation (IR) format for the prover -//! to be able to generate proofs of valid state transition. This involves passing the encoded transaction, -//! the header of the block in which it was included, some information on the state prior execution -//! of this transaction, etc. -//! This intermediary representation is called [`GenerationInputs`]. -//! -//! -//! # Generating succinct proofs -//! -//! ## Transaction proofs -//! -//! To generate a proof for a transaction, given its [`GenerationInputs`] and an [`AllRecursiveCircuits`] -//! prover state, one can simply call the [prove_root](AllRecursiveCircuits::prove_root) method. -//! -//! ```ignore -//! let mut timing = TimingTree::new("prove", log::Level::Debug); -//! let kill_signal = None; // Useful only with distributed proving to kill hanging jobs. -//! let (proof, public_values) = -//! prover_state.prove_root(all_stark, config, inputs, &mut timing, kill_signal); -//! ``` -//! -//! This outputs a transaction proof and its associated public values. These are necessary during the -//! aggregation levels (see below). If one were to miss the public values, they are also retrievable directly -//! from the proof's encoded public inputs, as such: -//! -//! ```ignore -//! let public_values = PublicValues::from_public_inputs(&proof.public_inputs); -//! ``` -//! -//! ## Aggregation proofs -//! -//! Because the plonky2 zkEVM generates proofs on a transaction basis, we then need to aggregate them for succinct -//! verification. This is done in a binary tree fashion, where each inner node proof verifies two children proofs, -//! through the [prove_aggregation](AllRecursiveCircuits::prove_aggregation) method. -//! Note that the tree does *not* need to be complete, as this aggregation process can take as inputs both regular -//! transaction proofs and aggregation proofs. We only need to specify for each child if it is an aggregation proof -//! or a regular one. -//! -//! ```ignore -//! let (proof_1, pv_1) = -//! prover_state.prove_root(all_stark, config, inputs_1, &mut timing, None); -//! let (proof_2, pv_2) = -//! prover_state.prove_root(all_stark, config, inputs_2, &mut timing, None); -//! let (proof_3, pv_3) = -//! prover_state.prove_root(all_stark, config, inputs_3, &mut timing, None); -//! -//! // Now aggregate proofs for txn 1 and 2. -//! let (agg_proof_1_2, pv_1_2) = -//! prover_state.prove_aggregation(false, proof_1, pv_1, false, proof_2, pv_2); -//! -//! // Now aggregate the newly generated aggregation proof with the last regular txn proof. -//! let (agg_proof_1_3, pv_1_3) = -//! prover_state.prove_aggregation(true, agg_proof_1_2, pv_1_2, false, proof_3, pv_3); -//! ``` -//! -//! **Note**: The proofs provided to the [prove_aggregation](AllRecursiveCircuits::prove_aggregation) method *MUST* have contiguous states. -//! Trying to combine `proof_1` and `proof_3` from the example above would fail. -//! -//! ## Block proofs -//! -//! Once all transactions of a block have been proven and we are left with a single aggregation proof and its public values, -//! we can then wrap it into a final block proof, attesting validity of the entire block. -//! This [prove_block](AllRecursiveCircuits::prove_block) method accepts an optional previous block proof as argument, -//! which will then try combining the previously proven block with the current one, generating a validity proof for both. -//! Applying this process from genesis would yield a single proof attesting correctness of the entire chain. -//! -//! ```ignore -//! let previous_block_proof = { ... }; -//! let (block_proof, block_public_values) = -//! prover_state.prove_block(Some(&previous_block_proof), &agg_proof, agg_pv)?; -//! ``` -//! -//! ### Checkpoint heights -//! -//! The process of always providing a previous block proof when generating a proof for the current block may yield some -//! undesirable issues. For this reason, the plonky2 zk-EVM supports checkpoint heights. At given block heights, -//! the prover does not have to pass a previous block proof. This would in practice correspond to block heights at which -//! a proof has been generated and sent to L1 for settlement. -//! -//! The only requirement when generating a block proof without passing a previous one as argument is to have the -//! `checkpoint_state_trie_root` metadata in the `PublicValues` of the final aggregation proof be matching the state -//! trie before applying all the included transactions. If this condition is not met, the prover will fail to generate -//! a valid proof. -//! -//! -//! ```ignore -//! let (block_proof, block_public_values) = -//! prover_state.prove_block(None, &agg_proof, agg_pv)?; -//! ``` -//! -//! # Prover state serialization -//! -//! Because the recursive circuits only need to be generated once, they can be saved to disk once the preprocessing phase -//! completed successfully, and deserialized on-demand. -//! The plonky2 zk-EVM provides serialization methods to convert the entire prover state to a vector of bytes, and vice-versa. -//! This requires the use of custom serializers for gates and generators for proper recursive circuit encoding. This crate provides -//! default serializers supporting all custom gates and associated generators defined within the [`plonky2`] crate. -//! -//! ```ignore -//! let prover_state = AllRecursiveCircuits::::new(...); -//! -//! // Default serializers -//! let gate_serializer = DefaultGateSerializer; -//! let generator_serializer = DefaultGeneratorSerializer:: { -//! _phantom: PhantomData::, -//! }; -//! -//! // Serialize the prover state to a sequence of bytes -//! let bytes = prover_state.to_bytes(false, &gate_serializer, &generator_serializer).unwrap(); -//! -//! // Deserialize the bytes into a prover state -//! let recovered_prover_state = AllRecursiveCircuits::::from_bytes( -//! &all_circuits_bytes, -//! false, -//! &gate_serializer, -//! &generator_serializer, -//! ).unwrap(); -//! -//! assert_eq!(prover_state, recovered_prover_state); -//! ``` -//! -//! Note that an entire prover state built with wide ranges may be particularly large (up to ~25 GB), hence serialization methods, -//! while faster than doing another preprocessing, may take some non-negligible time. - -#![cfg_attr(docsrs, feature(doc_cfg))] +#![allow(incomplete_features)] #![allow(clippy::needless_range_loop)] #![allow(clippy::too_many_arguments)] +#![allow(clippy::type_complexity)] #![allow(clippy::field_reassign_with_default)] -#![allow(unused)] #![feature(let_chains)] pub mod all_stark; @@ -187,14 +27,12 @@ pub mod proof; pub mod prover; pub mod recursive_verifier; pub mod stark; +pub mod stark_testing; pub mod util; pub mod vanishing_poly; pub mod verifier; pub mod witness; -#[cfg(test)] -mod stark_testing; - use eth_trie_utils::partial_trie::HashedPartialTrie; // Set up Jemalloc #[cfg(not(target_os = "macos"))] @@ -204,11 +42,4 @@ use jemallocator::Jemalloc; #[global_allocator] static GLOBAL: Jemalloc = Jemalloc; -// Public definitions and re-exports - pub type Node = eth_trie_utils::partial_trie::Node; - -pub use all_stark::AllStark; -pub use config::StarkConfig; -pub use fixed_recursive_verifier::AllRecursiveCircuits; -pub use generation::GenerationInputs; diff --git a/evm/src/logic.rs b/evm/src/logic.rs deleted file mode 100644 index fa83fa94c1..0000000000 --- a/evm/src/logic.rs +++ /dev/null @@ -1,374 +0,0 @@ -use core::marker::PhantomData; - -use ethereum_types::U256; -use itertools::izip; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use plonky2_util::ceil_div_usize; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::logic::columns::NUM_COLUMNS; -use crate::lookup::{Column, Filter}; -use crate::stark::Stark; -use crate::util::{limb_from_bits_le, limb_from_bits_le_recursive, trace_rows_to_poly_values}; - -/// Total number of bits per input/output. -const VAL_BITS: usize = 256; -/// Number of bits stored per field element. Ensure that this fits; it is not checked. -pub(crate) const PACKED_LIMB_BITS: usize = 32; -/// Number of field elements needed to store each input/output at the specified packing. -const PACKED_LEN: usize = ceil_div_usize(VAL_BITS, PACKED_LIMB_BITS); - -/// `LogicStark` columns. -pub(crate) mod columns { - use core::cmp::min; - use core::ops::Range; - - use super::{PACKED_LEN, PACKED_LIMB_BITS, VAL_BITS}; - - /// 1 if this is an AND operation, 0 otherwise. - pub(crate) const IS_AND: usize = 0; - /// 1 if this is an OR operation, 0 otherwise. - pub(crate) const IS_OR: usize = IS_AND + 1; - /// 1 if this is a XOR operation, 0 otherwise. - pub(crate) const IS_XOR: usize = IS_OR + 1; - /// First input, decomposed into bits. - pub(crate) const INPUT0: Range = (IS_XOR + 1)..(IS_XOR + 1) + VAL_BITS; - /// Second input, decomposed into bits. - pub(crate) const INPUT1: Range = INPUT0.end..INPUT0.end + VAL_BITS; - /// The result is packed in limbs of `PACKED_LIMB_BITS` bits. - pub(crate) const RESULT: Range = INPUT1.end..INPUT1.end + PACKED_LEN; - - /// Returns the column range for each 32 bit chunk in the input. - pub(crate) fn limb_bit_cols_for_input( - input_bits: Range, - ) -> impl Iterator> { - (0..PACKED_LEN).map(move |i| { - let start = input_bits.start + i * PACKED_LIMB_BITS; - let end = min(start + PACKED_LIMB_BITS, input_bits.end); - start..end - }) - } - - /// Number of columns in `LogicStark`. - pub(crate) const NUM_COLUMNS: usize = RESULT.end; -} - -/// Creates the vector of `Columns` corresponding to the opcode, the two inputs and the output of the logic operation. -pub(crate) fn ctl_data() -> Vec> { - // We scale each filter flag with the associated opcode value. - // If a logic operation is happening on the CPU side, the CTL - // will enforce that the reconstructed opcode value from the - // opcode bits matches. - let mut res = vec![Column::linear_combination([ - (columns::IS_AND, F::from_canonical_u8(0x16)), - (columns::IS_OR, F::from_canonical_u8(0x17)), - (columns::IS_XOR, F::from_canonical_u8(0x18)), - ])]; - res.extend(columns::limb_bit_cols_for_input(columns::INPUT0).map(Column::le_bits)); - res.extend(columns::limb_bit_cols_for_input(columns::INPUT1).map(Column::le_bits)); - res.extend(columns::RESULT.map(Column::single)); - res -} - -/// CTL filter for logic operations. -pub(crate) fn ctl_filter() -> Filter { - Filter::new_simple(Column::sum([ - columns::IS_AND, - columns::IS_OR, - columns::IS_XOR, - ])) -} - -/// Structure representing the Logic STARK, which computes all logic operations. -#[derive(Copy, Clone, Default)] -pub(crate) struct LogicStark { - pub f: PhantomData, -} - -/// Logic operations. -#[derive(Copy, Clone, Debug, Eq, PartialEq)] -pub(crate) enum Op { - And, - Or, - Xor, -} - -impl Op { - /// Returns the output of the current Logic operation. - pub(crate) fn result(&self, a: U256, b: U256) -> U256 { - match self { - Op::And => a & b, - Op::Or => a | b, - Op::Xor => a ^ b, - } - } -} - -/// A logic operation over `U256`` words. It contains an operator, -/// either `AND`, `OR` or `XOR`, two inputs and its expected result. -#[derive(Debug)] -pub(crate) struct Operation { - operator: Op, - input0: U256, - input1: U256, - pub(crate) result: U256, -} - -impl Operation { - /// Computes the expected result of an operator with the two provided inputs, - /// and returns the associated logic `Operation`. - pub(crate) fn new(operator: Op, input0: U256, input1: U256) -> Self { - let result = operator.result(input0, input1); - Operation { - operator, - input0, - input1, - result, - } - } - - /// Given an `Operation`, fills a row with the corresponding flag, inputs and output. - fn into_row(self) -> [F; NUM_COLUMNS] { - let Operation { - operator, - input0, - input1, - result, - } = self; - let mut row = [F::ZERO; NUM_COLUMNS]; - row[match operator { - Op::And => columns::IS_AND, - Op::Or => columns::IS_OR, - Op::Xor => columns::IS_XOR, - }] = F::ONE; - for i in 0..256 { - row[columns::INPUT0.start + i] = F::from_bool(input0.bit(i)); - row[columns::INPUT1.start + i] = F::from_bool(input1.bit(i)); - } - let result_limbs: &[u64] = result.as_ref(); - for (i, &limb) in result_limbs.iter().enumerate() { - row[columns::RESULT.start + 2 * i] = F::from_canonical_u32(limb as u32); - row[columns::RESULT.start + 2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } - row - } -} - -impl LogicStark { - /// Generates the trace polynomials for `LogicStark`. - pub(crate) fn generate_trace( - &self, - operations: Vec, - min_rows: usize, - timing: &mut TimingTree, - ) -> Vec> { - // First, turn all provided operations into rows in `LogicStark`, and pad if necessary. - let trace_rows = timed!( - timing, - "generate trace rows", - self.generate_trace_rows(operations, min_rows) - ); - // Generate the trace polynomials from the trace values. - let trace_polys = timed!( - timing, - "convert to PolynomialValues", - trace_rows_to_poly_values(trace_rows) - ); - trace_polys - } - - /// Generate the `LogicStark` traces based on the provided vector of operations. - /// The trace is padded to a power of two with all-zero rows. - fn generate_trace_rows( - &self, - operations: Vec, - min_rows: usize, - ) -> Vec<[F; NUM_COLUMNS]> { - let len = operations.len(); - let padded_len = len.max(min_rows).next_power_of_two(); - - let mut rows = Vec::with_capacity(padded_len); - for op in operations { - rows.push(op.into_row()); - } - - // Pad to a power of two. - for _ in len..padded_len { - rows.push([F::ZERO; NUM_COLUMNS]); - } - - rows - } -} - -impl, const D: usize> Stark for LogicStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let lv = vars.get_local_values(); - - // IS_AND, IS_OR, and IS_XOR come from the CPU table, so we assume they're valid. - let is_and = lv[columns::IS_AND]; - let is_or = lv[columns::IS_OR]; - let is_xor = lv[columns::IS_XOR]; - - // The result will be `in0 OP in1 = sum_coeff * (in0 + in1) + and_coeff * (in0 AND in1)`. - // `AND => sum_coeff = 0, and_coeff = 1` - // `OR => sum_coeff = 1, and_coeff = -1` - // `XOR => sum_coeff = 1, and_coeff = -2` - let sum_coeff = is_or + is_xor; - let and_coeff = is_and - is_or - is_xor * FE::TWO; - - // Ensure that all bits are indeed bits. - for input_bits_cols in [columns::INPUT0, columns::INPUT1] { - for i in input_bits_cols { - let bit = lv[i]; - yield_constr.constraint(bit * (bit - P::ONES)); - } - } - - // Form the result - for (result_col, x_bits_cols, y_bits_cols) in izip!( - columns::RESULT, - columns::limb_bit_cols_for_input(columns::INPUT0), - columns::limb_bit_cols_for_input(columns::INPUT1), - ) { - let x: P = limb_from_bits_le(x_bits_cols.clone().map(|col| lv[col])); - let y: P = limb_from_bits_le(y_bits_cols.clone().map(|col| lv[col])); - - let x_bits = x_bits_cols.map(|i| lv[i]); - let y_bits = y_bits_cols.map(|i| lv[i]); - - let x_land_y: P = izip!(0.., x_bits, y_bits) - .map(|(i, x_bit, y_bit)| x_bit * y_bit * FE::from_canonical_u64(1 << i)) - .sum(); - let x_op_y = sum_coeff * (x + y) + and_coeff * x_land_y; - - yield_constr.constraint(lv[result_col] - x_op_y); - } - } - - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let lv = vars.get_local_values(); - - // IS_AND, IS_OR, and IS_XOR come from the CPU table, so we assume they're valid. - let is_and = lv[columns::IS_AND]; - let is_or = lv[columns::IS_OR]; - let is_xor = lv[columns::IS_XOR]; - - // The result will be `in0 OP in1 = sum_coeff * (in0 + in1) + and_coeff * (in0 AND in1)`. - // `AND => sum_coeff = 0, and_coeff = 1` - // `OR => sum_coeff = 1, and_coeff = -1` - // `XOR => sum_coeff = 1, and_coeff = -2` - let sum_coeff = builder.add_extension(is_or, is_xor); - let and_coeff = { - let and_coeff = builder.sub_extension(is_and, is_or); - builder.mul_const_add_extension(-F::TWO, is_xor, and_coeff) - }; - - // Ensure that all bits are indeed bits. - for input_bits_cols in [columns::INPUT0, columns::INPUT1] { - for i in input_bits_cols { - let bit = lv[i]; - let constr = builder.mul_sub_extension(bit, bit, bit); - yield_constr.constraint(builder, constr); - } - } - - // Form the result - for (result_col, x_bits_cols, y_bits_cols) in izip!( - columns::RESULT, - columns::limb_bit_cols_for_input(columns::INPUT0), - columns::limb_bit_cols_for_input(columns::INPUT1), - ) { - let x = limb_from_bits_le_recursive(builder, x_bits_cols.clone().map(|i| lv[i])); - let y = limb_from_bits_le_recursive(builder, y_bits_cols.clone().map(|i| lv[i])); - let x_bits = x_bits_cols.map(|i| lv[i]); - let y_bits = y_bits_cols.map(|i| lv[i]); - - let x_land_y = izip!(0usize.., x_bits, y_bits).fold( - builder.zero_extension(), - |acc, (i, x_bit, y_bit)| { - builder.arithmetic_extension( - F::from_canonical_u64(1 << i), - F::ONE, - x_bit, - y_bit, - acc, - ) - }, - ); - let x_op_y = { - let x_op_y = builder.mul_extension(sum_coeff, x); - let x_op_y = builder.mul_add_extension(sum_coeff, y, x_op_y); - builder.mul_add_extension(and_coeff, x_land_y, x_op_y) - }; - let constr = builder.sub_extension(lv[result_col], x_op_y); - yield_constr.constraint(builder, constr); - } - } - - fn constraint_degree(&self) -> usize { - 3 - } -} - -#[cfg(test)] -mod tests { - use anyhow::Result; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - use crate::logic::LogicStark; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = LogicStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = LogicStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } -} diff --git a/evm/src/memory/columns.rs b/evm/src/memory/columns.rs deleted file mode 100644 index 2010bf33ec..0000000000 --- a/evm/src/memory/columns.rs +++ /dev/null @@ -1,49 +0,0 @@ -//! Memory registers. - -use crate::memory::VALUE_LIMBS; - -// Columns for memory operations, ordered by (addr, timestamp). -/// 1 if this is an actual memory operation, or 0 if it's a padding row. -pub(crate) const FILTER: usize = 0; -/// Each memory operation is associated to a unique timestamp. -/// For a given memory operation `op_i`, its timestamp is computed as `C * N + i` -/// where `C` is the CPU clock at that time, `N` is the number of general memory channels, -/// and `i` is the index of the memory channel at which the memory operation is performed. -pub(crate) const TIMESTAMP: usize = FILTER + 1; -/// 1 if this is a read operation, 0 if it is a write one. -pub(crate) const IS_READ: usize = TIMESTAMP + 1; -/// The execution context of this address. -pub(crate) const ADDR_CONTEXT: usize = IS_READ + 1; -/// The segment section of this address. -pub(crate) const ADDR_SEGMENT: usize = ADDR_CONTEXT + 1; -/// The virtual address within the given context and segment. -pub(crate) const ADDR_VIRTUAL: usize = ADDR_SEGMENT + 1; - -// Eight 32-bit limbs hold a total of 256 bits. -// If a value represents an integer, it is little-endian encoded. -const VALUE_START: usize = ADDR_VIRTUAL + 1; -pub(crate) const fn value_limb(i: usize) -> usize { - debug_assert!(i < VALUE_LIMBS); - VALUE_START + i -} - -// Flags to indicate whether this part of the address differs from the next row, -// and the previous parts do not differ. -// That is, e.g., `SEGMENT_FIRST_CHANGE` is `F::ONE` iff `ADDR_CONTEXT` is the same in this -// row and the next, but `ADDR_SEGMENT` is not. -pub(crate) const CONTEXT_FIRST_CHANGE: usize = VALUE_START + VALUE_LIMBS; -pub(crate) const SEGMENT_FIRST_CHANGE: usize = CONTEXT_FIRST_CHANGE + 1; -pub(crate) const VIRTUAL_FIRST_CHANGE: usize = SEGMENT_FIRST_CHANGE + 1; - -// Used to lower the degree of the zero-initializing constraints. -// Contains `next_segment * addr_changed * next_is_read`. -pub(crate) const INITIALIZE_AUX: usize = VIRTUAL_FIRST_CHANGE + 1; - -// We use a range check to enforce the ordering. -pub(crate) const RANGE_CHECK: usize = INITIALIZE_AUX + 1; -/// The counter column (used for the range check) starts from 0 and increments. -pub(crate) const COUNTER: usize = RANGE_CHECK + 1; -/// The frequencies column used in logUp. -pub(crate) const FREQUENCIES: usize = COUNTER + 1; - -pub(crate) const NUM_COLUMNS: usize = FREQUENCIES + 1; diff --git a/evm/src/memory/memory_stark.rs b/evm/src/memory/memory_stark.rs deleted file mode 100644 index 44d2af6ae2..0000000000 --- a/evm/src/memory/memory_stark.rs +++ /dev/null @@ -1,607 +0,0 @@ -use core::marker::PhantomData; - -use ethereum_types::U256; -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use plonky2::util::transpose; -use plonky2_maybe_rayon::*; - -use super::segments::Segment; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::lookup::{Column, Filter, Lookup}; -use crate::memory::columns::{ - value_limb, ADDR_CONTEXT, ADDR_SEGMENT, ADDR_VIRTUAL, CONTEXT_FIRST_CHANGE, COUNTER, FILTER, - FREQUENCIES, INITIALIZE_AUX, IS_READ, NUM_COLUMNS, RANGE_CHECK, SEGMENT_FIRST_CHANGE, - TIMESTAMP, VIRTUAL_FIRST_CHANGE, -}; -use crate::memory::VALUE_LIMBS; -use crate::stark::Stark; -use crate::witness::memory::MemoryOpKind::Read; -use crate::witness::memory::{MemoryAddress, MemoryOp}; - -/// Creates the vector of `Columns` corresponding to: -/// - the memory operation type, -/// - the address in memory of the element being read/written, -/// - the value being read/written, -/// - the timestamp at which the element is read/written. -pub(crate) fn ctl_data() -> Vec> { - let mut res = - Column::singles([IS_READ, ADDR_CONTEXT, ADDR_SEGMENT, ADDR_VIRTUAL]).collect_vec(); - res.extend(Column::singles((0..8).map(value_limb))); - res.push(Column::single(TIMESTAMP)); - res -} - -/// CTL filter for memory operations. -pub(crate) fn ctl_filter() -> Filter { - Filter::new_simple(Column::single(FILTER)) -} - -#[derive(Copy, Clone, Default)] -pub(crate) struct MemoryStark { - pub(crate) f: PhantomData, -} - -impl MemoryOp { - /// Generate a row for a given memory operation. Note that this does not generate columns which - /// depend on the next operation, such as `CONTEXT_FIRST_CHANGE`; those are generated later. - /// It also does not generate columns such as `COUNTER`, which are generated later, after the - /// trace has been transposed into column-major form. - fn into_row(self) -> [F; NUM_COLUMNS] { - let mut row = [F::ZERO; NUM_COLUMNS]; - row[FILTER] = F::from_bool(self.filter); - row[TIMESTAMP] = F::from_canonical_usize(self.timestamp); - row[IS_READ] = F::from_bool(self.kind == Read); - let MemoryAddress { - context, - segment, - virt, - } = self.address; - row[ADDR_CONTEXT] = F::from_canonical_usize(context); - row[ADDR_SEGMENT] = F::from_canonical_usize(segment); - row[ADDR_VIRTUAL] = F::from_canonical_usize(virt); - for j in 0..VALUE_LIMBS { - row[value_limb(j)] = F::from_canonical_u32((self.value >> (j * 32)).low_u32()); - } - row - } -} - -/// Generates the `_FIRST_CHANGE` columns and the `RANGE_CHECK` column in the trace. -pub(crate) fn generate_first_change_flags_and_rc( - trace_rows: &mut [[F; NUM_COLUMNS]], -) { - let num_ops = trace_rows.len(); - for idx in 0..num_ops - 1 { - let row = trace_rows[idx].as_slice(); - let next_row = trace_rows[idx + 1].as_slice(); - - let context = row[ADDR_CONTEXT]; - let segment = row[ADDR_SEGMENT]; - let virt = row[ADDR_VIRTUAL]; - let timestamp = row[TIMESTAMP]; - let next_context = next_row[ADDR_CONTEXT]; - let next_segment = next_row[ADDR_SEGMENT]; - let next_virt = next_row[ADDR_VIRTUAL]; - let next_timestamp = next_row[TIMESTAMP]; - let next_is_read = next_row[IS_READ]; - - let context_changed = context != next_context; - let segment_changed = segment != next_segment; - let virtual_changed = virt != next_virt; - - let context_first_change = context_changed; - let segment_first_change = segment_changed && !context_first_change; - let virtual_first_change = - virtual_changed && !segment_first_change && !context_first_change; - - let row = trace_rows[idx].as_mut_slice(); - row[CONTEXT_FIRST_CHANGE] = F::from_bool(context_first_change); - row[SEGMENT_FIRST_CHANGE] = F::from_bool(segment_first_change); - row[VIRTUAL_FIRST_CHANGE] = F::from_bool(virtual_first_change); - - row[RANGE_CHECK] = if context_first_change { - next_context - context - F::ONE - } else if segment_first_change { - next_segment - segment - F::ONE - } else if virtual_first_change { - next_virt - virt - F::ONE - } else { - next_timestamp - timestamp - }; - - assert!( - row[RANGE_CHECK].to_canonical_u64() < num_ops as u64, - "Range check of {} is too large. Bug in fill_gaps?", - row[RANGE_CHECK] - ); - - let address_changed = - row[CONTEXT_FIRST_CHANGE] + row[SEGMENT_FIRST_CHANGE] + row[VIRTUAL_FIRST_CHANGE]; - row[INITIALIZE_AUX] = next_segment * address_changed * next_is_read; - } -} - -impl, const D: usize> MemoryStark { - /// Generate most of the trace rows. Excludes a few columns like `COUNTER`, which are generated - /// later, after transposing to column-major form. - fn generate_trace_row_major(&self, mut memory_ops: Vec) -> Vec<[F; NUM_COLUMNS]> { - // fill_gaps expects an ordered list of operations. - memory_ops.sort_by_key(MemoryOp::sorting_key); - Self::fill_gaps(&mut memory_ops); - - Self::pad_memory_ops(&mut memory_ops); - - // fill_gaps may have added operations at the end which break the order, so sort again. - memory_ops.sort_by_key(MemoryOp::sorting_key); - - let mut trace_rows = memory_ops - .into_par_iter() - .map(|op| op.into_row()) - .collect::>(); - generate_first_change_flags_and_rc(trace_rows.as_mut_slice()); - trace_rows - } - - /// Generates the `COUNTER`, `RANGE_CHECK` and `FREQUENCIES` columns, given a - /// trace in column-major form. - fn generate_trace_col_major(trace_col_vecs: &mut [Vec]) { - let height = trace_col_vecs[0].len(); - trace_col_vecs[COUNTER] = (0..height).map(|i| F::from_canonical_usize(i)).collect(); - - for i in 0..height { - let x_rc = trace_col_vecs[RANGE_CHECK][i].to_canonical_u64() as usize; - trace_col_vecs[FREQUENCIES][x_rc] += F::ONE; - if (trace_col_vecs[CONTEXT_FIRST_CHANGE][i] == F::ONE) - || (trace_col_vecs[SEGMENT_FIRST_CHANGE][i] == F::ONE) - { - // CONTEXT_FIRST_CHANGE and SEGMENT_FIRST_CHANGE should be 0 at the last row, so the index - // should never be out of bounds. - let x_fo = trace_col_vecs[ADDR_VIRTUAL][i + 1].to_canonical_u64() as usize; - trace_col_vecs[FREQUENCIES][x_fo] += F::ONE; - } - } - } - - /// This memory STARK orders rows by `(context, segment, virt, timestamp)`. To enforce the - /// ordering, it range checks the delta of the first field that changed. - /// - /// This method adds some dummy operations to ensure that none of these range checks will be too - /// large, i.e. that they will all be smaller than the number of rows, allowing them to be - /// checked easily with a single lookup. - /// - /// For example, say there are 32 memory operations, and a particular address is accessed at - /// timestamps 20 and 100. 80 would fail the range check, so this method would add two dummy - /// reads to the same address, say at timestamps 50 and 80. - fn fill_gaps(memory_ops: &mut Vec) { - let max_rc = memory_ops.len().next_power_of_two() - 1; - for (mut curr, mut next) in memory_ops.clone().into_iter().tuple_windows() { - if curr.address.context != next.address.context - || curr.address.segment != next.address.segment - { - // We won't bother to check if there's a large context gap, because there can't be - // more than 500 contexts or so, as explained here: - // https://notes.ethereum.org/@vbuterin/proposals_to_adjust_memory_gas_costs - // Similarly, the number of possible segments is a small constant, so any gap must - // be small. max_rc will always be much larger, as just bootloading the kernel will - // trigger thousands of memory operations. - // However, we do check that the first address accessed is range-checkable. If not, - // we could start at a negative address and cheat. - while next.address.virt > max_rc { - let mut dummy_address = next.address; - dummy_address.virt -= max_rc; - let dummy_read = MemoryOp::new_dummy_read(dummy_address, 0, U256::zero()); - memory_ops.push(dummy_read); - next = dummy_read; - } - } else if curr.address.virt != next.address.virt { - while next.address.virt - curr.address.virt - 1 > max_rc { - let mut dummy_address = curr.address; - dummy_address.virt += max_rc + 1; - let dummy_read = MemoryOp::new_dummy_read(dummy_address, 0, U256::zero()); - memory_ops.push(dummy_read); - curr = dummy_read; - } - } else { - while next.timestamp - curr.timestamp > max_rc { - let dummy_read = - MemoryOp::new_dummy_read(curr.address, curr.timestamp + max_rc, curr.value); - memory_ops.push(dummy_read); - curr = dummy_read; - } - } - } - } - - fn pad_memory_ops(memory_ops: &mut Vec) { - let last_op = *memory_ops.last().expect("No memory ops?"); - - // We essentially repeat the last operation until our operation list has the desired size, - // with a few changes: - // - We change its filter to 0 to indicate that this is a dummy operation. - // - We make sure it's a read, since dummy operations must be reads. - let padding_op = MemoryOp { - filter: false, - kind: Read, - ..last_op - }; - - let num_ops = memory_ops.len(); - let num_ops_padded = num_ops.next_power_of_two(); - for _ in num_ops..num_ops_padded { - memory_ops.push(padding_op); - } - } - - pub(crate) fn generate_trace( - &self, - memory_ops: Vec, - timing: &mut TimingTree, - ) -> Vec> { - // Generate most of the trace in row-major form. - let trace_rows = timed!( - timing, - "generate trace rows", - self.generate_trace_row_major(memory_ops) - ); - let trace_row_vecs: Vec<_> = trace_rows.into_iter().map(|row| row.to_vec()).collect(); - - // Transpose to column-major form. - let mut trace_col_vecs = transpose(&trace_row_vecs); - - // A few final generation steps, which work better in column-major form. - Self::generate_trace_col_major(&mut trace_col_vecs); - - trace_col_vecs - .into_iter() - .map(|column| PolynomialValues::new(column)) - .collect() - } -} - -impl, const D: usize> Stark for MemoryStark { - type EvaluationFrame = StarkFrame - where - FE: FieldExtension, - P: PackedField; - - type EvaluationFrameTarget = StarkFrame, NUM_COLUMNS>; - - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField, - { - let one = P::from(FE::ONE); - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - let timestamp = local_values[TIMESTAMP]; - let addr_context = local_values[ADDR_CONTEXT]; - let addr_segment = local_values[ADDR_SEGMENT]; - let addr_virtual = local_values[ADDR_VIRTUAL]; - let value_limbs: Vec<_> = (0..8).map(|i| local_values[value_limb(i)]).collect(); - - let next_timestamp = next_values[TIMESTAMP]; - let next_is_read = next_values[IS_READ]; - let next_addr_context = next_values[ADDR_CONTEXT]; - let next_addr_segment = next_values[ADDR_SEGMENT]; - let next_addr_virtual = next_values[ADDR_VIRTUAL]; - let next_values_limbs: Vec<_> = (0..8).map(|i| next_values[value_limb(i)]).collect(); - - // The filter must be 0 or 1. - let filter = local_values[FILTER]; - yield_constr.constraint(filter * (filter - P::ONES)); - - // IS_READ must be 0 or 1. - // This is implied by the MemoryStark CTL, where corresponding values are either - // hardcoded to 0/1, or boolean-constrained in their respective STARK modules. - - // If this is a dummy row (filter is off), it must be a read. This means the prover can - // insert reads which never appear in the CPU trace (which are harmless), but not writes. - let is_dummy = P::ONES - filter; - let is_write = P::ONES - local_values[IS_READ]; - yield_constr.constraint(is_dummy * is_write); - - let context_first_change = local_values[CONTEXT_FIRST_CHANGE]; - let segment_first_change = local_values[SEGMENT_FIRST_CHANGE]; - let virtual_first_change = local_values[VIRTUAL_FIRST_CHANGE]; - let address_unchanged = - one - context_first_change - segment_first_change - virtual_first_change; - - let range_check = local_values[RANGE_CHECK]; - - let not_context_first_change = one - context_first_change; - let not_segment_first_change = one - segment_first_change; - let not_virtual_first_change = one - virtual_first_change; - let not_address_unchanged = one - address_unchanged; - - // First set of ordering constraint: first_change flags are boolean. - yield_constr.constraint(context_first_change * not_context_first_change); - yield_constr.constraint(segment_first_change * not_segment_first_change); - yield_constr.constraint(virtual_first_change * not_virtual_first_change); - yield_constr.constraint(address_unchanged * not_address_unchanged); - - // Second set of ordering constraints: no change before the column corresponding to the nonzero first_change flag. - yield_constr - .constraint_transition(segment_first_change * (next_addr_context - addr_context)); - yield_constr - .constraint_transition(virtual_first_change * (next_addr_context - addr_context)); - yield_constr - .constraint_transition(virtual_first_change * (next_addr_segment - addr_segment)); - yield_constr.constraint_transition(address_unchanged * (next_addr_context - addr_context)); - yield_constr.constraint_transition(address_unchanged * (next_addr_segment - addr_segment)); - yield_constr.constraint_transition(address_unchanged * (next_addr_virtual - addr_virtual)); - - // Third set of ordering constraints: range-check difference in the column that should be increasing. - let computed_range_check = context_first_change * (next_addr_context - addr_context - one) - + segment_first_change * (next_addr_segment - addr_segment - one) - + virtual_first_change * (next_addr_virtual - addr_virtual - one) - + address_unchanged * (next_timestamp - timestamp); - yield_constr.constraint_transition(range_check - computed_range_check); - - // Validate initialize_aux. It contains next_segment * addr_changed * next_is_read. - let initialize_aux = local_values[INITIALIZE_AUX]; - yield_constr.constraint_transition( - initialize_aux - next_addr_segment * not_address_unchanged * next_is_read, - ); - - for i in 0..8 { - // Enumerate purportedly-ordered log. - yield_constr.constraint_transition( - next_is_read * address_unchanged * (next_values_limbs[i] - value_limbs[i]), - ); - // By default, memory is initialized with 0. This means that if the first operation of a new address is a read, - // then its value must be 0. - // There are exceptions, though: this constraint zero-initializes everything but the code segment and context 0. - yield_constr - .constraint_transition(next_addr_context * initialize_aux * next_values_limbs[i]); - // We don't want to exclude the entirety of context 0. This constraint zero-initializes all segments except the - // specified ones (segment 0 is already included in initialize_aux). - // There is overlap with the previous constraint, but this is not a problem. - yield_constr.constraint_transition( - (next_addr_segment - P::Scalar::from_canonical_usize(Segment::TrieData.unscale())) - * initialize_aux - * next_values_limbs[i], - ); - } - - // Check the range column: First value must be 0, - // and intermediate rows must increment by 1. - let rc1 = local_values[COUNTER]; - let rc2 = next_values[COUNTER]; - yield_constr.constraint_first_row(rc1); - let incr = rc2 - rc1; - yield_constr.constraint_transition(incr - P::Scalar::ONES); - } - - fn eval_ext_circuit( - &self, - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ) { - let one = builder.one_extension(); - let local_values = vars.get_local_values(); - let next_values = vars.get_next_values(); - - let addr_context = local_values[ADDR_CONTEXT]; - let addr_segment = local_values[ADDR_SEGMENT]; - let addr_virtual = local_values[ADDR_VIRTUAL]; - let value_limbs: Vec<_> = (0..8).map(|i| local_values[value_limb(i)]).collect(); - let timestamp = local_values[TIMESTAMP]; - - let next_addr_context = next_values[ADDR_CONTEXT]; - let next_addr_segment = next_values[ADDR_SEGMENT]; - let next_addr_virtual = next_values[ADDR_VIRTUAL]; - let next_values_limbs: Vec<_> = (0..8).map(|i| next_values[value_limb(i)]).collect(); - let next_is_read = next_values[IS_READ]; - let next_timestamp = next_values[TIMESTAMP]; - - // The filter must be 0 or 1. - let filter = local_values[FILTER]; - let constraint = builder.mul_sub_extension(filter, filter, filter); - yield_constr.constraint(builder, constraint); - - // IS_READ must be 0 or 1. - // This is implied by the MemoryStark CTL, where corresponding values are either - // hardcoded to 0/1, or boolean-constrained in their respective STARK modules. - - // If this is a dummy row (filter is off), it must be a read. This means the prover can - // insert reads which never appear in the CPU trace (which are harmless), but not writes. - let is_dummy = builder.sub_extension(one, filter); - let is_write = builder.sub_extension(one, local_values[IS_READ]); - let is_dummy_write = builder.mul_extension(is_dummy, is_write); - yield_constr.constraint(builder, is_dummy_write); - - let context_first_change = local_values[CONTEXT_FIRST_CHANGE]; - let segment_first_change = local_values[SEGMENT_FIRST_CHANGE]; - let virtual_first_change = local_values[VIRTUAL_FIRST_CHANGE]; - let address_unchanged = { - let mut cur = builder.sub_extension(one, context_first_change); - cur = builder.sub_extension(cur, segment_first_change); - builder.sub_extension(cur, virtual_first_change) - }; - - let range_check = local_values[RANGE_CHECK]; - - let not_context_first_change = builder.sub_extension(one, context_first_change); - let not_segment_first_change = builder.sub_extension(one, segment_first_change); - let not_virtual_first_change = builder.sub_extension(one, virtual_first_change); - let not_address_unchanged = builder.sub_extension(one, address_unchanged); - let addr_context_diff = builder.sub_extension(next_addr_context, addr_context); - let addr_segment_diff = builder.sub_extension(next_addr_segment, addr_segment); - let addr_virtual_diff = builder.sub_extension(next_addr_virtual, addr_virtual); - - // First set of ordering constraint: traces are boolean. - let context_first_change_bool = - builder.mul_extension(context_first_change, not_context_first_change); - yield_constr.constraint(builder, context_first_change_bool); - let segment_first_change_bool = - builder.mul_extension(segment_first_change, not_segment_first_change); - yield_constr.constraint(builder, segment_first_change_bool); - let virtual_first_change_bool = - builder.mul_extension(virtual_first_change, not_virtual_first_change); - yield_constr.constraint(builder, virtual_first_change_bool); - let address_unchanged_bool = - builder.mul_extension(address_unchanged, not_address_unchanged); - yield_constr.constraint(builder, address_unchanged_bool); - - // Second set of ordering constraints: no change before the column corresponding to the nonzero first_change flag. - let segment_first_change_check = - builder.mul_extension(segment_first_change, addr_context_diff); - yield_constr.constraint_transition(builder, segment_first_change_check); - let virtual_first_change_check_1 = - builder.mul_extension(virtual_first_change, addr_context_diff); - yield_constr.constraint_transition(builder, virtual_first_change_check_1); - let virtual_first_change_check_2 = - builder.mul_extension(virtual_first_change, addr_segment_diff); - yield_constr.constraint_transition(builder, virtual_first_change_check_2); - let address_unchanged_check_1 = builder.mul_extension(address_unchanged, addr_context_diff); - yield_constr.constraint_transition(builder, address_unchanged_check_1); - let address_unchanged_check_2 = builder.mul_extension(address_unchanged, addr_segment_diff); - yield_constr.constraint_transition(builder, address_unchanged_check_2); - let address_unchanged_check_3 = builder.mul_extension(address_unchanged, addr_virtual_diff); - yield_constr.constraint_transition(builder, address_unchanged_check_3); - - // Third set of ordering constraints: range-check difference in the column that should be increasing. - let context_diff = { - let diff = builder.sub_extension(next_addr_context, addr_context); - builder.sub_extension(diff, one) - }; - let segment_diff = { - let diff = builder.sub_extension(next_addr_segment, addr_segment); - builder.sub_extension(diff, one) - }; - let segment_range_check = builder.mul_extension(segment_first_change, segment_diff); - let virtual_diff = { - let diff = builder.sub_extension(next_addr_virtual, addr_virtual); - builder.sub_extension(diff, one) - }; - let virtual_range_check = builder.mul_extension(virtual_first_change, virtual_diff); - let timestamp_diff = builder.sub_extension(next_timestamp, timestamp); - let timestamp_range_check = builder.mul_extension(address_unchanged, timestamp_diff); - - let computed_range_check = { - // context_range_check = context_first_change * context_diff - let mut sum = - builder.mul_add_extension(context_first_change, context_diff, segment_range_check); - sum = builder.add_extension(sum, virtual_range_check); - builder.add_extension(sum, timestamp_range_check) - }; - let range_check_diff = builder.sub_extension(range_check, computed_range_check); - yield_constr.constraint_transition(builder, range_check_diff); - - // Validate initialize_aux. It contains next_segment * addr_changed * next_is_read. - let initialize_aux = local_values[INITIALIZE_AUX]; - let computed_initialize_aux = builder.mul_extension(not_address_unchanged, next_is_read); - let computed_initialize_aux = - builder.mul_extension(next_addr_segment, computed_initialize_aux); - let new_first_read_constraint = - builder.sub_extension(initialize_aux, computed_initialize_aux); - yield_constr.constraint_transition(builder, new_first_read_constraint); - - for i in 0..8 { - // Enumerate purportedly-ordered log. - let value_diff = builder.sub_extension(next_values_limbs[i], value_limbs[i]); - let zero_if_read = builder.mul_extension(address_unchanged, value_diff); - let read_constraint = builder.mul_extension(next_is_read, zero_if_read); - yield_constr.constraint_transition(builder, read_constraint); - // By default, memory is initialized with 0. This means that if the first operation of a new address is a read, - // then its value must be 0. - // There are exceptions, though: this constraint zero-initializes everything but the code segment and context 0. - let context_zero_initializing_constraint = - builder.mul_extension(next_values_limbs[i], initialize_aux); - let initializing_constraint = - builder.mul_extension(next_addr_context, context_zero_initializing_constraint); - yield_constr.constraint_transition(builder, initializing_constraint); - // We don't want to exclude the entirety of context 0. This constraint zero-initializes all segments except the - // specified ones (segment 0 is already included in initialize_aux). - // There is overlap with the previous constraint, but this is not a problem. - let segment_trie_data = builder.add_const_extension( - next_addr_segment, - F::NEG_ONE * F::from_canonical_usize(Segment::TrieData.unscale()), - ); - let zero_init_constraint = - builder.mul_extension(segment_trie_data, context_zero_initializing_constraint); - yield_constr.constraint_transition(builder, zero_init_constraint); - } - - // Check the range column: First value must be 0, - // and intermediate rows must increment by 1. - let rc1 = local_values[COUNTER]; - let rc2 = next_values[COUNTER]; - yield_constr.constraint_first_row(builder, rc1); - let incr = builder.sub_extension(rc2, rc1); - let t = builder.sub_extension(incr, one); - yield_constr.constraint_transition(builder, t); - } - - fn constraint_degree(&self) -> usize { - 3 - } - - fn lookups(&self) -> Vec> { - vec![Lookup { - columns: vec![ - Column::single(RANGE_CHECK), - Column::single_next_row(ADDR_VIRTUAL), - ], - table_column: Column::single(COUNTER), - frequencies_column: Column::single(FREQUENCIES), - filter_columns: vec![ - None, - Some(Filter::new_simple(Column::sum([ - CONTEXT_FIRST_CHANGE, - SEGMENT_FIRST_CHANGE, - ]))), - ], - }] - } -} - -#[cfg(test)] -pub(crate) mod tests { - use anyhow::Result; - use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - use crate::memory::memory_stark::MemoryStark; - use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; - - #[test] - fn test_stark_degree() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = MemoryStark; - - let stark = S { - f: Default::default(), - }; - test_stark_low_degree(stark) - } - - #[test] - fn test_stark_circuit() -> Result<()> { - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - type S = MemoryStark; - - let stark = S { - f: Default::default(), - }; - test_stark_circuit_constraints::(stark) - } -} diff --git a/evm/src/memory/mod.rs b/evm/src/memory/mod.rs deleted file mode 100644 index c61119530f..0000000000 --- a/evm/src/memory/mod.rs +++ /dev/null @@ -1,13 +0,0 @@ -//! The Memory STARK is used to handle all memory read and write operations happening when -//! executing the EVM. Each non-dummy row of the table correspond to a single operation, -//! and rows are ordered by the timestamp associated to each memory operation. - -pub mod columns; -pub mod memory_stark; -pub mod segments; - -// TODO: Move to CPU module, now that channels have been removed from the memory table. -pub(crate) const NUM_CHANNELS: usize = crate::cpu::membus::NUM_CHANNELS; -/// The number of limbs holding the value at a memory address. -/// Eight limbs of 32 bits can hold a `U256`. -pub(crate) const VALUE_LIMBS: usize = 8; diff --git a/evm/src/memory/segments.rs b/evm/src/memory/segments.rs deleted file mode 100644 index 1b4bcbfbf7..0000000000 --- a/evm/src/memory/segments.rs +++ /dev/null @@ -1,212 +0,0 @@ -use ethereum_types::U256; - -pub(crate) const SEGMENT_SCALING_FACTOR: usize = 32; - -/// This contains all the existing memory segments. The values in the enum are shifted by 32 bits -/// to allow for convenient address components (context / segment / virtual) bundling in the kernel. -#[allow(dead_code)] -#[allow(clippy::enum_clike_unportable_variant)] -#[derive(Copy, Clone, Eq, PartialEq, Hash, Ord, PartialOrd, Debug)] -pub(crate) enum Segment { - /// Contains EVM bytecode. - // The Kernel has optimizations relying on the Code segment being 0. - // This shouldn't be changed! - Code = 0, - /// The program stack. - Stack = 1 << SEGMENT_SCALING_FACTOR, - /// Main memory, owned by the contract code. - MainMemory = 2 << SEGMENT_SCALING_FACTOR, - /// Data passed to the current context by its caller. - Calldata = 3 << SEGMENT_SCALING_FACTOR, - /// Data returned to the current context by its latest callee. - Returndata = 4 << SEGMENT_SCALING_FACTOR, - /// A segment which contains a few fixed-size metadata fields, such as the caller's context, or the - /// size of `CALLDATA` and `RETURNDATA`. - GlobalMetadata = 5 << SEGMENT_SCALING_FACTOR, - ContextMetadata = 6 << SEGMENT_SCALING_FACTOR, - /// General purpose kernel memory, used by various kernel functions. - /// In general, calling a helper function can result in this memory being clobbered. - KernelGeneral = 7 << SEGMENT_SCALING_FACTOR, - /// Another segment for general purpose kernel use. - KernelGeneral2 = 8 << SEGMENT_SCALING_FACTOR, - /// Segment to hold account code for opcodes like `CODESIZE, CODECOPY,...`. - KernelAccountCode = 9 << SEGMENT_SCALING_FACTOR, - /// Contains normalized transaction fields; see `NormalizedTxnField`. - TxnFields = 10 << SEGMENT_SCALING_FACTOR, - /// Contains the data field of a transaction. - TxnData = 11 << SEGMENT_SCALING_FACTOR, - /// A buffer used to hold raw RLP data. - RlpRaw = 12 << SEGMENT_SCALING_FACTOR, - /// Contains all trie data. It is owned by the kernel, so it only lives on context 0. - TrieData = 13 << SEGMENT_SCALING_FACTOR, - ShiftTable = 14 << SEGMENT_SCALING_FACTOR, - JumpdestBits = 15 << SEGMENT_SCALING_FACTOR, - EcdsaTable = 16 << SEGMENT_SCALING_FACTOR, - BnWnafA = 17 << SEGMENT_SCALING_FACTOR, - BnWnafB = 18 << SEGMENT_SCALING_FACTOR, - BnTableQ = 19 << SEGMENT_SCALING_FACTOR, - BnPairing = 20 << SEGMENT_SCALING_FACTOR, - /// List of addresses that have been accessed in the current transaction. - AccessedAddresses = 21 << SEGMENT_SCALING_FACTOR, - /// List of storage keys that have been accessed in the current transaction. - AccessedStorageKeys = 22 << SEGMENT_SCALING_FACTOR, - /// List of addresses that have called SELFDESTRUCT in the current transaction. - SelfDestructList = 23 << SEGMENT_SCALING_FACTOR, - /// Contains the bloom filter of a transaction. - TxnBloom = 24 << SEGMENT_SCALING_FACTOR, - /// Contains the bloom filter present in the block header. - GlobalBlockBloom = 25 << SEGMENT_SCALING_FACTOR, - /// List of log pointers pointing to the LogsData segment. - Logs = 26 << SEGMENT_SCALING_FACTOR, - LogsData = 27 << SEGMENT_SCALING_FACTOR, - /// Journal of state changes. List of pointers to `JournalData`. Length in `GlobalMetadata`. - Journal = 28 << SEGMENT_SCALING_FACTOR, - JournalData = 29 << SEGMENT_SCALING_FACTOR, - JournalCheckpoints = 30 << SEGMENT_SCALING_FACTOR, - /// List of addresses that have been touched in the current transaction. - TouchedAddresses = 31 << SEGMENT_SCALING_FACTOR, - /// List of checkpoints for the current context. Length in `ContextMetadata`. - ContextCheckpoints = 32 << SEGMENT_SCALING_FACTOR, - /// List of 256 previous block hashes. - BlockHashes = 33 << SEGMENT_SCALING_FACTOR, -} - -impl Segment { - pub(crate) const COUNT: usize = 34; - - /// Unscales this segment by `SEGMENT_SCALING_FACTOR`. - pub(crate) const fn unscale(&self) -> usize { - *self as usize >> SEGMENT_SCALING_FACTOR - } - - pub(crate) const fn all() -> [Self; Self::COUNT] { - [ - Self::Code, - Self::Stack, - Self::MainMemory, - Self::Calldata, - Self::Returndata, - Self::GlobalMetadata, - Self::ContextMetadata, - Self::KernelGeneral, - Self::KernelGeneral2, - Self::KernelAccountCode, - Self::TxnFields, - Self::TxnData, - Self::RlpRaw, - Self::TrieData, - Self::ShiftTable, - Self::JumpdestBits, - Self::EcdsaTable, - Self::BnWnafA, - Self::BnWnafB, - Self::BnTableQ, - Self::BnPairing, - Self::AccessedAddresses, - Self::AccessedStorageKeys, - Self::SelfDestructList, - Self::TxnBloom, - Self::GlobalBlockBloom, - Self::Logs, - Self::LogsData, - Self::Journal, - Self::JournalData, - Self::JournalCheckpoints, - Self::TouchedAddresses, - Self::ContextCheckpoints, - Self::BlockHashes, - ] - } - - /// The variable name that gets passed into kernel assembly code. - pub(crate) const fn var_name(&self) -> &'static str { - match self { - Segment::Code => "SEGMENT_CODE", - Segment::Stack => "SEGMENT_STACK", - Segment::MainMemory => "SEGMENT_MAIN_MEMORY", - Segment::Calldata => "SEGMENT_CALLDATA", - Segment::Returndata => "SEGMENT_RETURNDATA", - Segment::GlobalMetadata => "SEGMENT_GLOBAL_METADATA", - Segment::ContextMetadata => "SEGMENT_CONTEXT_METADATA", - Segment::KernelGeneral => "SEGMENT_KERNEL_GENERAL", - Segment::KernelGeneral2 => "SEGMENT_KERNEL_GENERAL_2", - Segment::KernelAccountCode => "SEGMENT_KERNEL_ACCOUNT_CODE", - Segment::TxnFields => "SEGMENT_NORMALIZED_TXN", - Segment::TxnData => "SEGMENT_TXN_DATA", - Segment::RlpRaw => "SEGMENT_RLP_RAW", - Segment::TrieData => "SEGMENT_TRIE_DATA", - Segment::ShiftTable => "SEGMENT_SHIFT_TABLE", - Segment::JumpdestBits => "SEGMENT_JUMPDEST_BITS", - Segment::EcdsaTable => "SEGMENT_ECDSA_TABLE", - Segment::BnWnafA => "SEGMENT_BN_WNAF_A", - Segment::BnWnafB => "SEGMENT_BN_WNAF_B", - Segment::BnTableQ => "SEGMENT_BN_TABLE_Q", - Segment::BnPairing => "SEGMENT_BN_PAIRING", - Segment::AccessedAddresses => "SEGMENT_ACCESSED_ADDRESSES", - Segment::AccessedStorageKeys => "SEGMENT_ACCESSED_STORAGE_KEYS", - Segment::SelfDestructList => "SEGMENT_SELFDESTRUCT_LIST", - Segment::TxnBloom => "SEGMENT_TXN_BLOOM", - Segment::GlobalBlockBloom => "SEGMENT_GLOBAL_BLOCK_BLOOM", - Segment::Logs => "SEGMENT_LOGS", - Segment::LogsData => "SEGMENT_LOGS_DATA", - Segment::Journal => "SEGMENT_JOURNAL", - Segment::JournalData => "SEGMENT_JOURNAL_DATA", - Segment::JournalCheckpoints => "SEGMENT_JOURNAL_CHECKPOINTS", - Segment::TouchedAddresses => "SEGMENT_TOUCHED_ADDRESSES", - Segment::ContextCheckpoints => "SEGMENT_CONTEXT_CHECKPOINTS", - Segment::BlockHashes => "SEGMENT_BLOCK_HASHES", - } - } - - pub(crate) const fn bit_range(&self) -> usize { - match self { - Segment::Code => 8, - Segment::Stack => 256, - Segment::MainMemory => 8, - Segment::Calldata => 8, - Segment::Returndata => 8, - Segment::GlobalMetadata => 256, - Segment::ContextMetadata => 256, - Segment::KernelGeneral => 256, - Segment::KernelGeneral2 => 256, - Segment::KernelAccountCode => 8, - Segment::TxnFields => 256, - Segment::TxnData => 8, - Segment::RlpRaw => 8, - Segment::TrieData => 256, - Segment::ShiftTable => 256, - Segment::JumpdestBits => 1, - Segment::EcdsaTable => 256, - Segment::BnWnafA => 8, - Segment::BnWnafB => 8, - Segment::BnTableQ => 256, - Segment::BnPairing => 256, - Segment::AccessedAddresses => 256, - Segment::AccessedStorageKeys => 256, - Segment::SelfDestructList => 256, - Segment::TxnBloom => 8, - Segment::GlobalBlockBloom => 256, - Segment::Logs => 256, - Segment::LogsData => 256, - Segment::Journal => 256, - Segment::JournalData => 256, - Segment::JournalCheckpoints => 256, - Segment::TouchedAddresses => 256, - Segment::ContextCheckpoints => 256, - Segment::BlockHashes => 256, - } - } - - pub(crate) fn constant(&self, virt: usize) -> Option { - match self { - Segment::RlpRaw => { - if virt == 0xFFFFFFFF { - Some(U256::from(0x80)) - } else { - None - } - } - _ => None, - } - } -} diff --git a/evm/src/proof.rs b/evm/src/proof.rs deleted file mode 100644 index 33640458d6..0000000000 --- a/evm/src/proof.rs +++ /dev/null @@ -1,1129 +0,0 @@ -use ethereum_types::{Address, H256, U256}; -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::fri::oracle::PolynomialBatch; -use plonky2::fri::proof::{FriChallenges, FriChallengesTarget, FriProof, FriProofTarget}; -use plonky2::fri::structure::{ - FriOpeningBatch, FriOpeningBatchTarget, FriOpenings, FriOpeningsTarget, -}; -use plonky2::hash::hash_types::{MerkleCapTarget, RichField}; -use plonky2::hash::merkle_tree::MerkleCap; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::iop::target::{BoolTarget, Target}; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::plonk::config::{GenericConfig, Hasher}; -use plonky2::util::serialization::{Buffer, IoResult, Read, Write}; -use plonky2_maybe_rayon::*; -use serde::{Deserialize, Serialize}; - -use crate::all_stark::NUM_TABLES; -use crate::config::StarkConfig; -use crate::cross_table_lookup::GrandProductChallengeSet; -use crate::util::{get_h160, get_h256, h2u}; - -/// A STARK proof for each table, plus some metadata used to create recursive wrapper proofs. -#[derive(Debug, Clone)] -pub struct AllProof, C: GenericConfig, const D: usize> { - /// Proofs for all the different STARK modules. - pub stark_proofs: [StarkProofWithMetadata; NUM_TABLES], - /// Cross-table lookup challenges. - pub(crate) ctl_challenges: GrandProductChallengeSet, - /// Public memory values used for the recursive proofs. - pub public_values: PublicValues, -} - -impl, C: GenericConfig, const D: usize> AllProof { - /// Returns the degree (i.e. the trace length) of each STARK. - pub fn degree_bits(&self, config: &StarkConfig) -> [usize; NUM_TABLES] { - core::array::from_fn(|i| self.stark_proofs[i].proof.recover_degree_bits(config)) - } -} - -/// Randomness for all STARKs. -pub(crate) struct AllProofChallenges, const D: usize> { - /// Randomness used in each STARK proof. - pub stark_challenges: [StarkProofChallenges; NUM_TABLES], - /// Randomness used for cross-table lookups. It is shared by all STARKs. - pub ctl_challenges: GrandProductChallengeSet, -} - -/// Memory values which are public. -#[derive(Debug, Clone, Default, PartialEq, Eq, Deserialize, Serialize)] -pub struct PublicValues { - /// Trie hashes before the execution of the local state transition - pub trie_roots_before: TrieRoots, - /// Trie hashes after the execution of the local state transition. - pub trie_roots_after: TrieRoots, - /// Block metadata: it remains unchanged within a block. - pub block_metadata: BlockMetadata, - /// 256 previous block hashes and current block's hash. - pub block_hashes: BlockHashes, - /// Extra block data that is specific to the current proof. - pub extra_block_data: ExtraBlockData, -} - -impl PublicValues { - /// Extracts public values from the given public inputs of a proof. - /// Public values are always the first public inputs added to the circuit, - /// so we can start extracting at index 0. - pub fn from_public_inputs(pis: &[F]) -> Self { - assert!( - pis.len() - > TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE - + ExtraBlockDataTarget::SIZE - - 1 - ); - - let trie_roots_before = TrieRoots::from_public_inputs(&pis[0..TrieRootsTarget::SIZE]); - let trie_roots_after = - TrieRoots::from_public_inputs(&pis[TrieRootsTarget::SIZE..TrieRootsTarget::SIZE * 2]); - let block_metadata = BlockMetadata::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2..TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE], - ); - let block_hashes = BlockHashes::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE - ..TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE], - ); - let extra_block_data = ExtraBlockData::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE - ..TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE - + ExtraBlockDataTarget::SIZE], - ); - - Self { - trie_roots_before, - trie_roots_after, - block_metadata, - block_hashes, - extra_block_data, - } - } -} - -/// Trie hashes. -#[derive(Debug, Clone, Default, PartialEq, Eq, Serialize, Deserialize)] -pub struct TrieRoots { - /// State trie hash. - pub state_root: H256, - /// Transaction trie hash. - pub transactions_root: H256, - /// Receipts trie hash. - pub receipts_root: H256, -} - -impl TrieRoots { - pub fn from_public_inputs(pis: &[F]) -> Self { - assert!(pis.len() == TrieRootsTarget::SIZE); - - let state_root = get_h256(&pis[0..8]); - let transactions_root = get_h256(&pis[8..16]); - let receipts_root = get_h256(&pis[16..24]); - - Self { - state_root, - transactions_root, - receipts_root, - } - } -} - -// There should be 256 previous hashes stored, so the default should also contain 256 values. -impl Default for BlockHashes { - fn default() -> Self { - Self { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - } - } -} - -/// User-provided helper values to compute the `BLOCKHASH` opcode. -/// The proofs across consecutive blocks ensure that these values -/// are consistent (i.e. shifted by one to the left). -/// -/// When the block number is less than 256, dummy values, i.e. `H256::default()`, -/// should be used for the additional block hashes. -#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)] -pub struct BlockHashes { - /// The previous 256 hashes to the current block. The leftmost hash, i.e. `prev_hashes[0]`, - /// is the oldest, and the rightmost, i.e. `prev_hashes[255]` is the hash of the parent block. - pub prev_hashes: Vec, - // The hash of the current block. - pub cur_hash: H256, -} - -impl BlockHashes { - pub fn from_public_inputs(pis: &[F]) -> Self { - assert!(pis.len() == BlockHashesTarget::SIZE); - - let prev_hashes: [H256; 256] = core::array::from_fn(|i| get_h256(&pis[8 * i..8 + 8 * i])); - let cur_hash = get_h256(&pis[2048..2056]); - - Self { - prev_hashes: prev_hashes.to_vec(), - cur_hash, - } - } -} - -/// Metadata contained in a block header. Those are identical between -/// all state transition proofs within the same block. -#[derive(Debug, Clone, Default, PartialEq, Eq, Deserialize, Serialize)] -pub struct BlockMetadata { - /// The address of this block's producer. - pub block_beneficiary: Address, - /// The timestamp of this block. - pub block_timestamp: U256, - /// The index of this block. - pub block_number: U256, - /// The difficulty (before PoS transition) of this block. - pub block_difficulty: U256, - pub block_random: H256, - /// The gas limit of this block. It must fit in a `u32`. - pub block_gaslimit: U256, - /// The chain id of this block. - pub block_chain_id: U256, - /// The base fee of this block. - pub block_base_fee: U256, - /// The total gas used in this block. It must fit in a `u32`. - pub block_gas_used: U256, - /// The block bloom of this block, represented as the consecutive - /// 32-byte chunks of a block's final bloom filter string. - pub block_bloom: [U256; 8], -} - -impl BlockMetadata { - pub fn from_public_inputs(pis: &[F]) -> Self { - assert!(pis.len() == BlockMetadataTarget::SIZE); - - let block_beneficiary = get_h160(&pis[0..5]); - let block_timestamp = pis[5].to_canonical_u64().into(); - let block_number = pis[6].to_canonical_u64().into(); - let block_difficulty = pis[7].to_canonical_u64().into(); - let block_random = get_h256(&pis[8..16]); - let block_gaslimit = pis[16].to_canonical_u64().into(); - let block_chain_id = pis[17].to_canonical_u64().into(); - let block_base_fee = - (pis[18].to_canonical_u64() + (pis[19].to_canonical_u64() << 32)).into(); - let block_gas_used = pis[20].to_canonical_u64().into(); - let block_bloom = core::array::from_fn(|i| h2u(get_h256(&pis[21 + 8 * i..29 + 8 * i]))); - - Self { - block_beneficiary, - block_timestamp, - block_number, - block_difficulty, - block_random, - block_gaslimit, - block_chain_id, - block_base_fee, - block_gas_used, - block_bloom, - } - } -} - -/// Additional block data that are specific to the local transaction being proven, -/// unlike `BlockMetadata`. -#[derive(Debug, Clone, Default, PartialEq, Eq, Deserialize, Serialize)] -pub struct ExtraBlockData { - /// The state trie digest of the checkpoint block. - pub checkpoint_state_trie_root: H256, - /// The transaction count prior execution of the local state transition, starting - /// at 0 for the initial transaction of a block. - pub txn_number_before: U256, - /// The transaction count after execution of the local state transition. - pub txn_number_after: U256, - /// The accumulated gas used prior execution of the local state transition, starting - /// at 0 for the initial transaction of a block. - pub gas_used_before: U256, - /// The accumulated gas used after execution of the local state transition. It should - /// match the `block_gas_used` value after execution of the last transaction in a block. - pub gas_used_after: U256, -} - -impl ExtraBlockData { - pub fn from_public_inputs(pis: &[F]) -> Self { - assert!(pis.len() == ExtraBlockDataTarget::SIZE); - - let checkpoint_state_trie_root = get_h256(&pis[0..8]); - let txn_number_before = pis[8].to_canonical_u64().into(); - let txn_number_after = pis[9].to_canonical_u64().into(); - let gas_used_before = pis[10].to_canonical_u64().into(); - let gas_used_after = pis[11].to_canonical_u64().into(); - - Self { - checkpoint_state_trie_root, - txn_number_before, - txn_number_after, - gas_used_before, - gas_used_after, - } - } -} - -/// Memory values which are public. -/// Note: All the larger integers are encoded with 32-bit limbs in little-endian order. -#[derive(Eq, PartialEq, Debug)] -pub struct PublicValuesTarget { - /// Trie hashes before the execution of the local state transition. - pub trie_roots_before: TrieRootsTarget, - /// Trie hashes after the execution of the local state transition. - pub trie_roots_after: TrieRootsTarget, - /// Block metadata: it remains unchanged within a block. - pub block_metadata: BlockMetadataTarget, - /// 256 previous block hashes and current block's hash. - pub block_hashes: BlockHashesTarget, - /// Extra block data that is specific to the current proof. - pub extra_block_data: ExtraBlockDataTarget, -} - -impl PublicValuesTarget { - /// Serializes public value targets. - pub(crate) fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { - let TrieRootsTarget { - state_root: state_root_before, - transactions_root: transactions_root_before, - receipts_root: receipts_root_before, - } = self.trie_roots_before; - - buffer.write_target_array(&state_root_before)?; - buffer.write_target_array(&transactions_root_before)?; - buffer.write_target_array(&receipts_root_before)?; - - let TrieRootsTarget { - state_root: state_root_after, - transactions_root: transactions_root_after, - receipts_root: receipts_root_after, - } = self.trie_roots_after; - - buffer.write_target_array(&state_root_after)?; - buffer.write_target_array(&transactions_root_after)?; - buffer.write_target_array(&receipts_root_after)?; - - let BlockMetadataTarget { - block_beneficiary, - block_timestamp, - block_number, - block_difficulty, - block_random, - block_gaslimit, - block_chain_id, - block_base_fee, - block_gas_used, - block_bloom, - } = self.block_metadata; - - buffer.write_target_array(&block_beneficiary)?; - buffer.write_target(block_timestamp)?; - buffer.write_target(block_number)?; - buffer.write_target(block_difficulty)?; - buffer.write_target_array(&block_random)?; - buffer.write_target(block_gaslimit)?; - buffer.write_target(block_chain_id)?; - buffer.write_target_array(&block_base_fee)?; - buffer.write_target(block_gas_used)?; - buffer.write_target_array(&block_bloom)?; - - let BlockHashesTarget { - prev_hashes, - cur_hash, - } = self.block_hashes; - buffer.write_target_array(&prev_hashes)?; - buffer.write_target_array(&cur_hash)?; - - let ExtraBlockDataTarget { - checkpoint_state_trie_root, - txn_number_before, - txn_number_after, - gas_used_before, - gas_used_after, - } = self.extra_block_data; - buffer.write_target_array(&checkpoint_state_trie_root)?; - buffer.write_target(txn_number_before)?; - buffer.write_target(txn_number_after)?; - buffer.write_target(gas_used_before)?; - buffer.write_target(gas_used_after)?; - - Ok(()) - } - - /// Deserializes public value targets. - pub(crate) fn from_buffer(buffer: &mut Buffer) -> IoResult { - let trie_roots_before = TrieRootsTarget { - state_root: buffer.read_target_array()?, - transactions_root: buffer.read_target_array()?, - receipts_root: buffer.read_target_array()?, - }; - - let trie_roots_after = TrieRootsTarget { - state_root: buffer.read_target_array()?, - transactions_root: buffer.read_target_array()?, - receipts_root: buffer.read_target_array()?, - }; - - let block_metadata = BlockMetadataTarget { - block_beneficiary: buffer.read_target_array()?, - block_timestamp: buffer.read_target()?, - block_number: buffer.read_target()?, - block_difficulty: buffer.read_target()?, - block_random: buffer.read_target_array()?, - block_gaslimit: buffer.read_target()?, - block_chain_id: buffer.read_target()?, - block_base_fee: buffer.read_target_array()?, - block_gas_used: buffer.read_target()?, - block_bloom: buffer.read_target_array()?, - }; - - let block_hashes = BlockHashesTarget { - prev_hashes: buffer.read_target_array()?, - cur_hash: buffer.read_target_array()?, - }; - - let extra_block_data = ExtraBlockDataTarget { - checkpoint_state_trie_root: buffer.read_target_array()?, - txn_number_before: buffer.read_target()?, - txn_number_after: buffer.read_target()?, - gas_used_before: buffer.read_target()?, - gas_used_after: buffer.read_target()?, - }; - - Ok(Self { - trie_roots_before, - trie_roots_after, - block_metadata, - block_hashes, - extra_block_data, - }) - } - - /// Extracts public value `Target`s from the given public input `Target`s. - /// Public values are always the first public inputs added to the circuit, - /// so we can start extracting at index 0. - pub(crate) fn from_public_inputs(pis: &[Target]) -> Self { - assert!( - pis.len() - > TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE - + ExtraBlockDataTarget::SIZE - - 1 - ); - - Self { - trie_roots_before: TrieRootsTarget::from_public_inputs(&pis[0..TrieRootsTarget::SIZE]), - trie_roots_after: TrieRootsTarget::from_public_inputs( - &pis[TrieRootsTarget::SIZE..TrieRootsTarget::SIZE * 2], - ), - block_metadata: BlockMetadataTarget::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2 - ..TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE], - ), - block_hashes: BlockHashesTarget::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE - ..TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE], - ), - extra_block_data: ExtraBlockDataTarget::from_public_inputs( - &pis[TrieRootsTarget::SIZE * 2 + BlockMetadataTarget::SIZE + BlockHashesTarget::SIZE - ..TrieRootsTarget::SIZE * 2 - + BlockMetadataTarget::SIZE - + BlockHashesTarget::SIZE - + ExtraBlockDataTarget::SIZE], - ), - } - } - - /// Returns the public values in `pv0` or `pv1` depening on `condition`. - pub(crate) fn select, const D: usize>( - builder: &mut CircuitBuilder, - condition: BoolTarget, - pv0: Self, - pv1: Self, - ) -> Self { - Self { - trie_roots_before: TrieRootsTarget::select( - builder, - condition, - pv0.trie_roots_before, - pv1.trie_roots_before, - ), - trie_roots_after: TrieRootsTarget::select( - builder, - condition, - pv0.trie_roots_after, - pv1.trie_roots_after, - ), - block_metadata: BlockMetadataTarget::select( - builder, - condition, - pv0.block_metadata, - pv1.block_metadata, - ), - block_hashes: BlockHashesTarget::select( - builder, - condition, - pv0.block_hashes, - pv1.block_hashes, - ), - extra_block_data: ExtraBlockDataTarget::select( - builder, - condition, - pv0.extra_block_data, - pv1.extra_block_data, - ), - } - } -} - -/// Circuit version of `TrieRoots`. -/// `Target`s for trie hashes. Since a `Target` holds a 32-bit limb, each hash requires 8 `Target`s. -#[derive(Eq, PartialEq, Debug, Copy, Clone)] -pub struct TrieRootsTarget { - /// Targets for the state trie hash. - pub(crate) state_root: [Target; 8], - /// Targets for the transactions trie hash. - pub(crate) transactions_root: [Target; 8], - /// Targets for the receipts trie hash. - pub(crate) receipts_root: [Target; 8], -} - -impl TrieRootsTarget { - /// Number of `Target`s required for all trie hashes. - pub(crate) const HASH_SIZE: usize = 8; - pub(crate) const SIZE: usize = Self::HASH_SIZE * 3; - - /// Extracts trie hash `Target`s for all tries from the provided public input `Target`s. - /// The provided `pis` should start with the trie hashes. - pub(crate) fn from_public_inputs(pis: &[Target]) -> Self { - let state_root = pis[0..8].try_into().unwrap(); - let transactions_root = pis[8..16].try_into().unwrap(); - let receipts_root = pis[16..24].try_into().unwrap(); - - Self { - state_root, - transactions_root, - receipts_root, - } - } - - /// If `condition`, returns the trie hashes in `tr0`, - /// otherwise returns the trie hashes in `tr1`. - pub(crate) fn select, const D: usize>( - builder: &mut CircuitBuilder, - condition: BoolTarget, - tr0: Self, - tr1: Self, - ) -> Self { - Self { - state_root: core::array::from_fn(|i| { - builder.select(condition, tr0.state_root[i], tr1.state_root[i]) - }), - transactions_root: core::array::from_fn(|i| { - builder.select( - condition, - tr0.transactions_root[i], - tr1.transactions_root[i], - ) - }), - receipts_root: core::array::from_fn(|i| { - builder.select(condition, tr0.receipts_root[i], tr1.receipts_root[i]) - }), - } - } - - /// Connects the trie hashes in `tr0` and in `tr1`. - pub(crate) fn connect, const D: usize>( - builder: &mut CircuitBuilder, - tr0: Self, - tr1: Self, - ) { - for i in 0..8 { - builder.connect(tr0.state_root[i], tr1.state_root[i]); - builder.connect(tr0.transactions_root[i], tr1.transactions_root[i]); - builder.connect(tr0.receipts_root[i], tr1.receipts_root[i]); - } - } -} - -/// Circuit version of `BlockMetadata`. -/// Metadata contained in a block header. Those are identical between -/// all state transition proofs within the same block. -#[derive(Eq, PartialEq, Debug, Copy, Clone)] -pub struct BlockMetadataTarget { - /// `Target`s for the address of this block's producer. - pub(crate) block_beneficiary: [Target; 5], - /// `Target` for the timestamp of this block. - pub(crate) block_timestamp: Target, - /// `Target` for the index of this block. - pub(crate) block_number: Target, - /// `Target` for the difficulty (before PoS transition) of this block. - pub(crate) block_difficulty: Target, - /// `Target`s for the `mix_hash` value of this block. - pub(crate) block_random: [Target; 8], - /// `Target`s for the gas limit of this block. - pub(crate) block_gaslimit: Target, - /// `Target` for the chain id of this block. - pub(crate) block_chain_id: Target, - /// `Target`s for the base fee of this block. - pub(crate) block_base_fee: [Target; 2], - /// `Target`s for the gas used of this block. - pub(crate) block_gas_used: Target, - /// `Target`s for the block bloom of this block. - pub(crate) block_bloom: [Target; 64], -} - -impl BlockMetadataTarget { - /// Number of `Target`s required for the block metadata. - pub(crate) const SIZE: usize = 85; - - /// Extracts block metadata `Target`s from the provided public input `Target`s. - /// The provided `pis` should start with the block metadata. - pub(crate) fn from_public_inputs(pis: &[Target]) -> Self { - let block_beneficiary = pis[0..5].try_into().unwrap(); - let block_timestamp = pis[5]; - let block_number = pis[6]; - let block_difficulty = pis[7]; - let block_random = pis[8..16].try_into().unwrap(); - let block_gaslimit = pis[16]; - let block_chain_id = pis[17]; - let block_base_fee = pis[18..20].try_into().unwrap(); - let block_gas_used = pis[20]; - let block_bloom = pis[21..85].try_into().unwrap(); - - Self { - block_beneficiary, - block_timestamp, - block_number, - block_difficulty, - block_random, - block_gaslimit, - block_chain_id, - block_base_fee, - block_gas_used, - block_bloom, - } - } - - /// If `condition`, returns the block metadata in `bm0`, - /// otherwise returns the block metadata in `bm1`. - pub(crate) fn select, const D: usize>( - builder: &mut CircuitBuilder, - condition: BoolTarget, - bm0: Self, - bm1: Self, - ) -> Self { - Self { - block_beneficiary: core::array::from_fn(|i| { - builder.select( - condition, - bm0.block_beneficiary[i], - bm1.block_beneficiary[i], - ) - }), - block_timestamp: builder.select(condition, bm0.block_timestamp, bm1.block_timestamp), - block_number: builder.select(condition, bm0.block_number, bm1.block_number), - block_difficulty: builder.select(condition, bm0.block_difficulty, bm1.block_difficulty), - block_random: core::array::from_fn(|i| { - builder.select(condition, bm0.block_random[i], bm1.block_random[i]) - }), - block_gaslimit: builder.select(condition, bm0.block_gaslimit, bm1.block_gaslimit), - block_chain_id: builder.select(condition, bm0.block_chain_id, bm1.block_chain_id), - block_base_fee: core::array::from_fn(|i| { - builder.select(condition, bm0.block_base_fee[i], bm1.block_base_fee[i]) - }), - block_gas_used: builder.select(condition, bm0.block_gas_used, bm1.block_gas_used), - block_bloom: core::array::from_fn(|i| { - builder.select(condition, bm0.block_bloom[i], bm1.block_bloom[i]) - }), - } - } - - /// Connects the block metadata in `bm0` to the block metadata in `bm1`. - pub(crate) fn connect, const D: usize>( - builder: &mut CircuitBuilder, - bm0: Self, - bm1: Self, - ) { - for i in 0..5 { - builder.connect(bm0.block_beneficiary[i], bm1.block_beneficiary[i]); - } - builder.connect(bm0.block_timestamp, bm1.block_timestamp); - builder.connect(bm0.block_number, bm1.block_number); - builder.connect(bm0.block_difficulty, bm1.block_difficulty); - for i in 0..8 { - builder.connect(bm0.block_random[i], bm1.block_random[i]); - } - builder.connect(bm0.block_gaslimit, bm1.block_gaslimit); - builder.connect(bm0.block_chain_id, bm1.block_chain_id); - for i in 0..2 { - builder.connect(bm0.block_base_fee[i], bm1.block_base_fee[i]) - } - builder.connect(bm0.block_gas_used, bm1.block_gas_used); - for i in 0..64 { - builder.connect(bm0.block_bloom[i], bm1.block_bloom[i]) - } - } -} - -/// Circuit version of `BlockHashes`. -/// `Target`s for the user-provided previous 256 block hashes and current block hash. -/// Each block hash requires 8 `Target`s. -/// The proofs across consecutive blocks ensure that these values -/// are consistent (i.e. shifted by eight `Target`s to the left). -/// -/// When the block number is less than 256, dummy values, i.e. `H256::default()`, -/// should be used for the additional block hashes. -#[derive(Eq, PartialEq, Debug, Copy, Clone)] -pub struct BlockHashesTarget { - /// `Target`s for the previous 256 hashes to the current block. The leftmost hash, i.e. `prev_hashes[0..8]`, - /// is the oldest, and the rightmost, i.e. `prev_hashes[255 * 7..255 * 8]` is the hash of the parent block. - pub(crate) prev_hashes: [Target; 2048], - // `Target` for the hash of the current block. - pub(crate) cur_hash: [Target; 8], -} - -impl BlockHashesTarget { - /// Number of `Target`s required for previous and current block hashes. - pub(crate) const SIZE: usize = 2056; - - /// Extracts the previous and current block hash `Target`s from the public input `Target`s. - /// The provided `pis` should start with the block hashes. - pub(crate) fn from_public_inputs(pis: &[Target]) -> Self { - Self { - prev_hashes: pis[0..2048].try_into().unwrap(), - cur_hash: pis[2048..2056].try_into().unwrap(), - } - } - - /// If `condition`, returns the block hashes in `bm0`, - /// otherwise returns the block hashes in `bm1`. - pub(crate) fn select, const D: usize>( - builder: &mut CircuitBuilder, - condition: BoolTarget, - bm0: Self, - bm1: Self, - ) -> Self { - Self { - prev_hashes: core::array::from_fn(|i| { - builder.select(condition, bm0.prev_hashes[i], bm1.prev_hashes[i]) - }), - cur_hash: core::array::from_fn(|i| { - builder.select(condition, bm0.cur_hash[i], bm1.cur_hash[i]) - }), - } - } - - /// Connects the block hashes in `bm0` to the block hashes in `bm1`. - pub(crate) fn connect, const D: usize>( - builder: &mut CircuitBuilder, - bm0: Self, - bm1: Self, - ) { - for i in 0..2048 { - builder.connect(bm0.prev_hashes[i], bm1.prev_hashes[i]); - } - for i in 0..8 { - builder.connect(bm0.cur_hash[i], bm1.cur_hash[i]); - } - } -} - -/// Circuit version of `ExtraBlockData`. -/// Additional block data that are specific to the local transaction being proven, -/// unlike `BlockMetadata`. -#[derive(Eq, PartialEq, Debug, Copy, Clone)] -pub struct ExtraBlockDataTarget { - /// `Target`s for the state trie digest of the checkpoint block. - pub checkpoint_state_trie_root: [Target; 8], - /// `Target` for the transaction count prior execution of the local state transition, starting - /// at 0 for the initial trnasaction of a block. - pub txn_number_before: Target, - /// `Target` for the transaction count after execution of the local state transition. - pub txn_number_after: Target, - /// `Target` for the accumulated gas used prior execution of the local state transition, starting - /// at 0 for the initial transaction of a block. - pub gas_used_before: Target, - /// `Target` for the accumulated gas used after execution of the local state transition. It should - /// match the `block_gas_used` value after execution of the last transaction in a block. - pub gas_used_after: Target, -} - -impl ExtraBlockDataTarget { - /// Number of `Target`s required for the extra block data. - const SIZE: usize = 12; - - /// Extracts the extra block data `Target`s from the public input `Target`s. - /// The provided `pis` should start with the extra vblock data. - pub(crate) fn from_public_inputs(pis: &[Target]) -> Self { - let checkpoint_state_trie_root = pis[0..8].try_into().unwrap(); - let txn_number_before = pis[8]; - let txn_number_after = pis[9]; - let gas_used_before = pis[10]; - let gas_used_after = pis[11]; - - Self { - checkpoint_state_trie_root, - txn_number_before, - txn_number_after, - gas_used_before, - gas_used_after, - } - } - - /// If `condition`, returns the extra block data in `ed0`, - /// otherwise returns the extra block data in `ed1`. - pub(crate) fn select, const D: usize>( - builder: &mut CircuitBuilder, - condition: BoolTarget, - ed0: Self, - ed1: Self, - ) -> Self { - Self { - checkpoint_state_trie_root: core::array::from_fn(|i| { - builder.select( - condition, - ed0.checkpoint_state_trie_root[i], - ed1.checkpoint_state_trie_root[i], - ) - }), - txn_number_before: builder.select( - condition, - ed0.txn_number_before, - ed1.txn_number_before, - ), - txn_number_after: builder.select(condition, ed0.txn_number_after, ed1.txn_number_after), - gas_used_before: builder.select(condition, ed0.gas_used_before, ed1.gas_used_before), - gas_used_after: builder.select(condition, ed0.gas_used_after, ed1.gas_used_after), - } - } - - /// Connects the extra block data in `ed0` with the extra block data in `ed1`. - pub(crate) fn connect, const D: usize>( - builder: &mut CircuitBuilder, - ed0: Self, - ed1: Self, - ) { - for i in 0..8 { - builder.connect( - ed0.checkpoint_state_trie_root[i], - ed1.checkpoint_state_trie_root[i], - ); - } - builder.connect(ed0.txn_number_before, ed1.txn_number_before); - builder.connect(ed0.txn_number_after, ed1.txn_number_after); - builder.connect(ed0.gas_used_before, ed1.gas_used_before); - builder.connect(ed0.gas_used_after, ed1.gas_used_after); - } -} - -/// Merkle caps and openings that form the proof of a single STARK. -#[derive(Debug, Clone)] -pub struct StarkProof, C: GenericConfig, const D: usize> { - /// Merkle cap of LDEs of trace values. - pub trace_cap: MerkleCap, - /// Merkle cap of LDEs of lookup helper and CTL columns. - pub auxiliary_polys_cap: MerkleCap, - /// Merkle cap of LDEs of quotient polynomial evaluations. - pub quotient_polys_cap: MerkleCap, - /// Purported values of each polynomial at the challenge point. - pub openings: StarkOpeningSet, - /// A batch FRI argument for all openings. - pub opening_proof: FriProof, -} - -/// A `StarkProof` along with some metadata about the initial Fiat-Shamir state, which is used when -/// creating a recursive wrapper proof around a STARK proof. -#[derive(Debug, Clone)] -pub struct StarkProofWithMetadata -where - F: RichField + Extendable, - C: GenericConfig, -{ - /// Initial Fiat-Shamir state. - pub(crate) init_challenger_state: >::Permutation, - /// Proof for a single STARK. - pub(crate) proof: StarkProof, -} - -impl, C: GenericConfig, const D: usize> StarkProof { - /// Recover the length of the trace from a STARK proof and a STARK config. - pub fn recover_degree_bits(&self, config: &StarkConfig) -> usize { - let initial_merkle_proof = &self.opening_proof.query_round_proofs[0] - .initial_trees_proof - .evals_proofs[0] - .1; - let lde_bits = config.fri_config.cap_height + initial_merkle_proof.siblings.len(); - lde_bits - config.fri_config.rate_bits - } - - /// Returns the number of cross-table lookup polynomials computed for the current STARK. - pub fn num_ctl_zs(&self) -> usize { - self.openings.ctl_zs_first.len() - } -} - -/// Circuit version of `StarkProof`. -/// Merkle caps and openings that form the proof of a single STARK. -#[derive(Eq, PartialEq, Debug)] -pub(crate) struct StarkProofTarget { - /// `Target` for the Merkle cap if LDEs of trace values. - pub trace_cap: MerkleCapTarget, - /// `Target` for the Merkle cap of LDEs of lookup helper and CTL columns. - pub auxiliary_polys_cap: MerkleCapTarget, - /// `Target` for the Merkle cap of LDEs of quotient polynomial evaluations. - pub quotient_polys_cap: MerkleCapTarget, - /// `Target`s for the purported values of each polynomial at the challenge point. - pub openings: StarkOpeningSetTarget, - /// `Target`s for the batch FRI argument for all openings. - pub opening_proof: FriProofTarget, -} - -impl StarkProofTarget { - /// Serializes a STARK proof. - pub(crate) fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { - buffer.write_target_merkle_cap(&self.trace_cap)?; - buffer.write_target_merkle_cap(&self.auxiliary_polys_cap)?; - buffer.write_target_merkle_cap(&self.quotient_polys_cap)?; - buffer.write_target_fri_proof(&self.opening_proof)?; - self.openings.to_buffer(buffer)?; - Ok(()) - } - - /// Deserializes a STARK proof. - pub(crate) fn from_buffer(buffer: &mut Buffer) -> IoResult { - let trace_cap = buffer.read_target_merkle_cap()?; - let auxiliary_polys_cap = buffer.read_target_merkle_cap()?; - let quotient_polys_cap = buffer.read_target_merkle_cap()?; - let opening_proof = buffer.read_target_fri_proof()?; - let openings = StarkOpeningSetTarget::from_buffer(buffer)?; - - Ok(Self { - trace_cap, - auxiliary_polys_cap, - quotient_polys_cap, - openings, - opening_proof, - }) - } - - /// Recover the length of the trace from a STARK proof and a STARK config. - pub(crate) fn recover_degree_bits(&self, config: &StarkConfig) -> usize { - let initial_merkle_proof = &self.opening_proof.query_round_proofs[0] - .initial_trees_proof - .evals_proofs[0] - .1; - let lde_bits = config.fri_config.cap_height + initial_merkle_proof.siblings.len(); - lde_bits - config.fri_config.rate_bits - } -} - -/// Randomness used for a STARK proof. -pub(crate) struct StarkProofChallenges, const D: usize> { - /// Random values used to combine STARK constraints. - pub stark_alphas: Vec, - - /// Point at which the STARK polynomials are opened. - pub stark_zeta: F::Extension, - - /// Randomness used in FRI. - pub fri_challenges: FriChallenges, -} - -/// Circuit version of `StarkProofChallenges`. -pub(crate) struct StarkProofChallengesTarget { - /// `Target`s for the random values used to combine STARK constraints. - pub stark_alphas: Vec, - /// `ExtensionTarget` for the point at which the STARK polynomials are opened. - pub stark_zeta: ExtensionTarget, - /// `Target`s for the randomness used in FRI. - pub fri_challenges: FriChallengesTarget, -} - -/// Purported values of each polynomial at the challenge point. -#[derive(Debug, Clone)] -pub struct StarkOpeningSet, const D: usize> { - /// Openings of trace polynomials at `zeta`. - pub local_values: Vec, - /// Openings of trace polynomials at `g * zeta`. - pub next_values: Vec, - /// Openings of lookups and cross-table lookups `Z` polynomials at `zeta`. - pub auxiliary_polys: Vec, - /// Openings of lookups and cross-table lookups `Z` polynomials at `g * zeta`. - pub auxiliary_polys_next: Vec, - /// Openings of cross-table lookups `Z` polynomials at `1`. - pub ctl_zs_first: Vec, - /// Openings of quotient polynomials at `zeta`. - pub quotient_polys: Vec, -} - -impl, const D: usize> StarkOpeningSet { - /// Returns a `StarkOpeningSet` given all the polynomial commitments, the number of permutation `Z`polynomials, - /// the evaluation point and a generator `g`. - /// Polynomials are evaluated at point `zeta` and, if necessary, at `g * zeta`. - pub fn new>( - zeta: F::Extension, - g: F, - trace_commitment: &PolynomialBatch, - auxiliary_polys_commitment: &PolynomialBatch, - quotient_commitment: &PolynomialBatch, - num_lookup_columns: usize, - num_ctl_polys: &[usize], - ) -> Self { - let total_num_helper_cols: usize = num_ctl_polys.iter().sum(); - - // Batch evaluates polynomials on the LDE, at a point `z`. - let eval_commitment = |z: F::Extension, c: &PolynomialBatch| { - c.polynomials - .par_iter() - .map(|p| p.to_extension().eval(z)) - .collect::>() - }; - // Batch evaluates polynomials at a base field point `z`. - let eval_commitment_base = |z: F, c: &PolynomialBatch| { - c.polynomials - .par_iter() - .map(|p| p.eval(z)) - .collect::>() - }; - - let auxiliary_first = eval_commitment_base(F::ONE, auxiliary_polys_commitment); - let ctl_zs_first = auxiliary_first[num_lookup_columns + total_num_helper_cols..].to_vec(); - // `g * zeta`. - let zeta_next = zeta.scalar_mul(g); - Self { - local_values: eval_commitment(zeta, trace_commitment), - next_values: eval_commitment(zeta_next, trace_commitment), - auxiliary_polys: eval_commitment(zeta, auxiliary_polys_commitment), - auxiliary_polys_next: eval_commitment(zeta_next, auxiliary_polys_commitment), - ctl_zs_first, - quotient_polys: eval_commitment(zeta, quotient_commitment), - } - } - - /// Constructs the openings required by FRI. - /// All openings but `ctl_zs_first` are grouped together. - pub(crate) fn to_fri_openings(&self) -> FriOpenings { - let zeta_batch = FriOpeningBatch { - values: self - .local_values - .iter() - .chain(&self.auxiliary_polys) - .chain(&self.quotient_polys) - .copied() - .collect_vec(), - }; - let zeta_next_batch = FriOpeningBatch { - values: self - .next_values - .iter() - .chain(&self.auxiliary_polys_next) - .copied() - .collect_vec(), - }; - debug_assert!(!self.ctl_zs_first.is_empty()); - let ctl_first_batch = FriOpeningBatch { - values: self - .ctl_zs_first - .iter() - .copied() - .map(F::Extension::from_basefield) - .collect(), - }; - - FriOpenings { - batches: vec![zeta_batch, zeta_next_batch, ctl_first_batch], - } - } -} - -/// Circuit version of `StarkOpeningSet`. -/// `Target`s for the purported values of each polynomial at the challenge point. -#[derive(Eq, PartialEq, Debug)] -pub(crate) struct StarkOpeningSetTarget { - /// `ExtensionTarget`s for the openings of trace polynomials at `zeta`. - pub local_values: Vec>, - /// `ExtensionTarget`s for the opening of trace polynomials at `g * zeta`. - pub next_values: Vec>, - /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at `zeta`. - pub auxiliary_polys: Vec>, - /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at `g * zeta`. - pub auxiliary_polys_next: Vec>, - /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at 1. - pub ctl_zs_first: Vec, - /// `ExtensionTarget`s for the opening of quotient polynomials at `zeta`. - pub quotient_polys: Vec>, -} - -impl StarkOpeningSetTarget { - /// Serializes a STARK's opening set. - pub(crate) fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { - buffer.write_target_ext_vec(&self.local_values)?; - buffer.write_target_ext_vec(&self.next_values)?; - buffer.write_target_ext_vec(&self.auxiliary_polys)?; - buffer.write_target_ext_vec(&self.auxiliary_polys_next)?; - buffer.write_target_vec(&self.ctl_zs_first)?; - buffer.write_target_ext_vec(&self.quotient_polys)?; - Ok(()) - } - - /// Deserializes a STARK's opening set. - pub(crate) fn from_buffer(buffer: &mut Buffer) -> IoResult { - let local_values = buffer.read_target_ext_vec::()?; - let next_values = buffer.read_target_ext_vec::()?; - let auxiliary_polys = buffer.read_target_ext_vec::()?; - let auxiliary_polys_next = buffer.read_target_ext_vec::()?; - let ctl_zs_first = buffer.read_target_vec()?; - let quotient_polys = buffer.read_target_ext_vec::()?; - - Ok(Self { - local_values, - next_values, - auxiliary_polys, - auxiliary_polys_next, - ctl_zs_first, - quotient_polys, - }) - } - - /// Circuit version of `to_fri_openings`for `FriOpenings`. - /// Constructs the `Target`s the circuit version of FRI. - /// All openings but `ctl_zs_first` are grouped together. - pub(crate) fn to_fri_openings(&self, zero: Target) -> FriOpeningsTarget { - let zeta_batch = FriOpeningBatchTarget { - values: self - .local_values - .iter() - .chain(&self.auxiliary_polys) - .chain(&self.quotient_polys) - .copied() - .collect_vec(), - }; - let zeta_next_batch = FriOpeningBatchTarget { - values: self - .next_values - .iter() - .chain(&self.auxiliary_polys_next) - .copied() - .collect_vec(), - }; - debug_assert!(!self.ctl_zs_first.is_empty()); - let ctl_first_batch = FriOpeningBatchTarget { - values: self - .ctl_zs_first - .iter() - .copied() - .map(|t| t.to_ext_target(zero)) - .collect(), - }; - - FriOpeningsTarget { - batches: vec![zeta_batch, zeta_next_batch, ctl_first_batch], - } - } -} diff --git a/evm/src/prover.rs b/evm/src/prover.rs deleted file mode 100644 index faef64a033..0000000000 --- a/evm/src/prover.rs +++ /dev/null @@ -1,839 +0,0 @@ -use std::sync::atomic::{AtomicBool, Ordering}; -use std::sync::Arc; - -use anyhow::{anyhow, ensure, Result}; -use itertools::Itertools; -use once_cell::sync::Lazy; -use plonky2::field::extension::Extendable; -use plonky2::field::packable::Packable; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::{PolynomialCoeffs, PolynomialValues}; -use plonky2::field::types::Field; -use plonky2::field::zero_poly_coset::ZeroPolyOnCoset; -use plonky2::fri::oracle::PolynomialBatch; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::challenger::Challenger; -use plonky2::plonk::config::GenericConfig; -use plonky2::timed; -use plonky2::util::timing::TimingTree; -use plonky2::util::transpose; -use plonky2_maybe_rayon::*; -use plonky2_util::{log2_ceil, log2_strict}; - -use crate::all_stark::{AllStark, Table, NUM_TABLES}; -use crate::config::StarkConfig; -use crate::constraint_consumer::ConstraintConsumer; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cross_table_lookup::{ - cross_table_lookup_data, get_grand_product_challenge_set, CtlCheckVars, CtlData, - GrandProductChallengeSet, -}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::generation::{generate_traces, GenerationInputs}; -use crate::get_challenges::observe_public_values; -use crate::lookup::{lookup_helper_columns, Lookup, LookupCheckVars}; -use crate::proof::{AllProof, PublicValues, StarkOpeningSet, StarkProof, StarkProofWithMetadata}; -use crate::stark::Stark; -use crate::vanishing_poly::eval_vanishing_poly; -#[cfg(test)] -use crate::{ - cross_table_lookup::testutils::check_ctls, verifier::testutils::get_memory_extra_looking_values, -}; - -/// Generate traces, then create all STARK proofs. -pub fn prove( - all_stark: &AllStark, - config: &StarkConfig, - inputs: GenerationInputs, - timing: &mut TimingTree, - abort_signal: Option>, -) -> Result> -where - F: RichField + Extendable, - C: GenericConfig, -{ - timed!(timing, "build kernel", Lazy::force(&KERNEL)); - let (traces, public_values) = timed!( - timing, - "generate all traces", - generate_traces(all_stark, inputs, config, timing)? - ); - check_abort_signal(abort_signal.clone())?; - - let proof = prove_with_traces( - all_stark, - config, - traces, - public_values, - timing, - abort_signal, - )?; - Ok(proof) -} - -/// Compute all STARK proofs. -pub(crate) fn prove_with_traces( - all_stark: &AllStark, - config: &StarkConfig, - trace_poly_values: [Vec>; NUM_TABLES], - public_values: PublicValues, - timing: &mut TimingTree, - abort_signal: Option>, -) -> Result> -where - F: RichField + Extendable, - C: GenericConfig, -{ - let rate_bits = config.fri_config.rate_bits; - let cap_height = config.fri_config.cap_height; - - // For each STARK, we compute the polynomial commitments for the polynomials interpolating its trace. - let trace_commitments = timed!( - timing, - "compute all trace commitments", - trace_poly_values - .iter() - .zip_eq(Table::all()) - .map(|(trace, table)| { - timed!( - timing, - &format!("compute trace commitment for {:?}", table), - PolynomialBatch::::from_values( - trace.clone(), - rate_bits, - false, - cap_height, - timing, - None, - ) - ) - }) - .collect::>() - ); - - // Get the Merkle caps for all trace commitments and observe them. - let trace_caps = trace_commitments - .iter() - .map(|c| c.merkle_tree.cap.clone()) - .collect::>(); - let mut challenger = Challenger::::new(); - for cap in &trace_caps { - challenger.observe_cap(cap); - } - - observe_public_values::(&mut challenger, &public_values) - .map_err(|_| anyhow::Error::msg("Invalid conversion of public values."))?; - - // Get challenges for the cross-table lookups. - let ctl_challenges = get_grand_product_challenge_set(&mut challenger, config.num_challenges); - // For each STARK, compute its cross-table lookup Z polynomials and get the associated `CtlData`. - let ctl_data_per_table = timed!( - timing, - "compute CTL data", - cross_table_lookup_data::( - &trace_poly_values, - &all_stark.cross_table_lookups, - &ctl_challenges, - all_stark.arithmetic_stark.constraint_degree() - ) - ); - - let stark_proofs = timed!( - timing, - "compute all proofs given commitments", - prove_with_commitments( - all_stark, - config, - &trace_poly_values, - trace_commitments, - ctl_data_per_table, - &mut challenger, - &ctl_challenges, - timing, - abort_signal, - )? - ); - - #[cfg(test)] - { - check_ctls( - &trace_poly_values, - &all_stark.cross_table_lookups, - &get_memory_extra_looking_values(&public_values), - ); - } - - Ok(AllProof { - stark_proofs, - ctl_challenges, - public_values, - }) -} - -/// Generates a proof for each STARK. -/// At this stage, we have computed the trace polynomials commitments for the various STARKs, -/// and we have the cross-table lookup data for each table, including the associated challenges. -/// - `trace_poly_values` are the trace values for each STARK. -/// - `trace_commitments` are the trace polynomials commitments for each STARK. -/// - `ctl_data_per_table` group all the cross-table lookup data for each STARK. -/// Each STARK uses its associated data to generate a proof. -fn prove_with_commitments( - all_stark: &AllStark, - config: &StarkConfig, - trace_poly_values: &[Vec>; NUM_TABLES], - trace_commitments: Vec>, - ctl_data_per_table: [CtlData; NUM_TABLES], - challenger: &mut Challenger, - ctl_challenges: &GrandProductChallengeSet, - timing: &mut TimingTree, - abort_signal: Option>, -) -> Result<[StarkProofWithMetadata; NUM_TABLES]> -where - F: RichField + Extendable, - C: GenericConfig, -{ - let arithmetic_proof = timed!( - timing, - "prove Arithmetic STARK", - prove_single_table( - &all_stark.arithmetic_stark, - config, - &trace_poly_values[Table::Arithmetic as usize], - &trace_commitments[Table::Arithmetic as usize], - &ctl_data_per_table[Table::Arithmetic as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let byte_packing_proof = timed!( - timing, - "prove byte packing STARK", - prove_single_table( - &all_stark.byte_packing_stark, - config, - &trace_poly_values[Table::BytePacking as usize], - &trace_commitments[Table::BytePacking as usize], - &ctl_data_per_table[Table::BytePacking as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let cpu_proof = timed!( - timing, - "prove CPU STARK", - prove_single_table( - &all_stark.cpu_stark, - config, - &trace_poly_values[Table::Cpu as usize], - &trace_commitments[Table::Cpu as usize], - &ctl_data_per_table[Table::Cpu as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let keccak_proof = timed!( - timing, - "prove Keccak STARK", - prove_single_table( - &all_stark.keccak_stark, - config, - &trace_poly_values[Table::Keccak as usize], - &trace_commitments[Table::Keccak as usize], - &ctl_data_per_table[Table::Keccak as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let keccak_sponge_proof = timed!( - timing, - "prove Keccak sponge STARK", - prove_single_table( - &all_stark.keccak_sponge_stark, - config, - &trace_poly_values[Table::KeccakSponge as usize], - &trace_commitments[Table::KeccakSponge as usize], - &ctl_data_per_table[Table::KeccakSponge as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let logic_proof = timed!( - timing, - "prove logic STARK", - prove_single_table( - &all_stark.logic_stark, - config, - &trace_poly_values[Table::Logic as usize], - &trace_commitments[Table::Logic as usize], - &ctl_data_per_table[Table::Logic as usize], - ctl_challenges, - challenger, - timing, - abort_signal.clone(), - )? - ); - let memory_proof = timed!( - timing, - "prove memory STARK", - prove_single_table( - &all_stark.memory_stark, - config, - &trace_poly_values[Table::Memory as usize], - &trace_commitments[Table::Memory as usize], - &ctl_data_per_table[Table::Memory as usize], - ctl_challenges, - challenger, - timing, - abort_signal, - )? - ); - - Ok([ - arithmetic_proof, - byte_packing_proof, - cpu_proof, - keccak_proof, - keccak_sponge_proof, - logic_proof, - memory_proof, - ]) -} - -/// Computes a proof for a single STARK table, including: -/// - the initial state of the challenger, -/// - all the requires Merkle caps, -/// - all the required polynomial and FRI argument openings. -pub(crate) fn prove_single_table( - stark: &S, - config: &StarkConfig, - trace_poly_values: &[PolynomialValues], - trace_commitment: &PolynomialBatch, - ctl_data: &CtlData, - ctl_challenges: &GrandProductChallengeSet, - challenger: &mut Challenger, - timing: &mut TimingTree, - abort_signal: Option>, -) -> Result> -where - F: RichField + Extendable, - C: GenericConfig, - S: Stark, -{ - check_abort_signal(abort_signal.clone())?; - - let degree = trace_poly_values[0].len(); - let degree_bits = log2_strict(degree); - let fri_params = config.fri_params(degree_bits); - let rate_bits = config.fri_config.rate_bits; - let cap_height = config.fri_config.cap_height; - assert!( - fri_params.total_arities() <= degree_bits + rate_bits - cap_height, - "FRI total reduction arity is too large.", - ); - - let init_challenger_state = challenger.compact(); - - let constraint_degree = stark.constraint_degree(); - let lookup_challenges = stark.uses_lookups().then(|| { - ctl_challenges - .challenges - .iter() - .map(|ch| ch.beta) - .collect::>() - }); - let lookups = stark.lookups(); - let lookup_helper_columns = timed!( - timing, - "compute lookup helper columns", - lookup_challenges.as_ref().map(|challenges| { - let mut columns = Vec::new(); - for lookup in &lookups { - for &challenge in challenges { - columns.extend(lookup_helper_columns( - lookup, - trace_poly_values, - challenge, - constraint_degree, - )); - } - } - columns - }) - ); - let num_lookup_columns = lookup_helper_columns.as_ref().map(|v| v.len()).unwrap_or(0); - - // We add CTLs to the permutation arguments so that we can batch commit to - // all auxiliary polynomials. - let auxiliary_polys = match lookup_helper_columns { - None => { - let mut ctl_polys = ctl_data.ctl_helper_polys(); - ctl_polys.extend(ctl_data.ctl_z_polys()); - ctl_polys - } - Some(mut lookup_columns) => { - lookup_columns.extend(ctl_data.ctl_helper_polys()); - lookup_columns.extend(ctl_data.ctl_z_polys()); - lookup_columns - } - }; - assert!(!auxiliary_polys.is_empty(), "No CTL?"); - - // Get the polynomial commitments for all auxiliary polynomials. - let auxiliary_polys_commitment = timed!( - timing, - "compute auxiliary polynomials commitment", - PolynomialBatch::from_values( - auxiliary_polys, - rate_bits, - false, - config.fri_config.cap_height, - timing, - None, - ) - ); - - let auxiliary_polys_cap = auxiliary_polys_commitment.merkle_tree.cap.clone(); - challenger.observe_cap(&auxiliary_polys_cap); - - let alphas = challenger.get_n_challenges(config.num_challenges); - - let num_ctl_polys = ctl_data.num_ctl_helper_polys(); - - #[cfg(test)] - { - check_constraints( - stark, - trace_commitment, - &auxiliary_polys_commitment, - lookup_challenges.as_ref(), - &lookups, - ctl_data, - alphas.clone(), - degree_bits, - num_lookup_columns, - &num_ctl_polys, - ); - } - - check_abort_signal(abort_signal.clone())?; - - let quotient_polys = timed!( - timing, - "compute quotient polys", - compute_quotient_polys::::Packing, C, S, D>( - stark, - trace_commitment, - &auxiliary_polys_commitment, - lookup_challenges.as_ref(), - &lookups, - ctl_data, - alphas, - degree_bits, - num_lookup_columns, - &num_ctl_polys, - config, - ) - ); - let all_quotient_chunks = timed!( - timing, - "split quotient polys", - quotient_polys - .into_par_iter() - .flat_map(|mut quotient_poly| { - quotient_poly - .trim_to_len(degree * stark.quotient_degree_factor()) - .expect( - "Quotient has failed, the vanishing polynomial is not divisible by Z_H", - ); - // Split quotient into degree-n chunks. - quotient_poly.chunks(degree) - }) - .collect() - ); - // Commit to the quotient polynomials. - let quotient_commitment = timed!( - timing, - "compute quotient commitment", - PolynomialBatch::from_coeffs( - all_quotient_chunks, - rate_bits, - false, - config.fri_config.cap_height, - timing, - None, - ) - ); - // Observe the quotient polynomials Merkle cap. - let quotient_polys_cap = quotient_commitment.merkle_tree.cap.clone(); - challenger.observe_cap("ient_polys_cap); - - let zeta = challenger.get_extension_challenge::(); - // To avoid leaking witness data, we want to ensure that our opening locations, `zeta` and - // `g * zeta`, are not in our subgroup `H`. It suffices to check `zeta` only, since - // `(g * zeta)^n = zeta^n`, where `n` is the order of `g`. - let g = F::primitive_root_of_unity(degree_bits); - ensure!( - zeta.exp_power_of_2(degree_bits) != F::Extension::ONE, - "Opening point is in the subgroup." - ); - - // Compute all openings: evaluate all committed polynomials at `zeta` and, when necessary, at `g * zeta`. - let openings = StarkOpeningSet::new( - zeta, - g, - trace_commitment, - &auxiliary_polys_commitment, - "ient_commitment, - stark.num_lookup_helper_columns(config), - &num_ctl_polys, - ); - // Get the FRI openings and observe them. - challenger.observe_openings(&openings.to_fri_openings()); - - let initial_merkle_trees = vec![ - trace_commitment, - &auxiliary_polys_commitment, - "ient_commitment, - ]; - - check_abort_signal(abort_signal.clone())?; - - let opening_proof = timed!( - timing, - "compute openings proof", - PolynomialBatch::prove_openings( - &stark.fri_instance(zeta, g, num_ctl_polys.iter().sum(), num_ctl_polys, config), - &initial_merkle_trees, - challenger, - &fri_params, - timing, - ) - ); - - let proof = StarkProof { - trace_cap: trace_commitment.merkle_tree.cap.clone(), - auxiliary_polys_cap, - quotient_polys_cap, - openings, - opening_proof, - }; - Ok(StarkProofWithMetadata { - init_challenger_state, - proof, - }) -} - -/// Computes the quotient polynomials `(sum alpha^i C_i(x)) / Z_H(x)` for `alpha` in `alphas`, -/// where the `C_i`s are the Stark constraints. -fn compute_quotient_polys<'a, F, P, C, S, const D: usize>( - stark: &S, - trace_commitment: &'a PolynomialBatch, - auxiliary_polys_commitment: &'a PolynomialBatch, - lookup_challenges: Option<&'a Vec>, - lookups: &[Lookup], - ctl_data: &CtlData, - alphas: Vec, - degree_bits: usize, - num_lookup_columns: usize, - num_ctl_columns: &[usize], - config: &StarkConfig, -) -> Vec> -where - F: RichField + Extendable, - P: PackedField, - C: GenericConfig, - S: Stark, -{ - let degree = 1 << degree_bits; - let rate_bits = config.fri_config.rate_bits; - let total_num_helper_cols: usize = num_ctl_columns.iter().sum(); - - let quotient_degree_bits = log2_ceil(stark.quotient_degree_factor()); - assert!( - quotient_degree_bits <= rate_bits, - "Having constraints of degree higher than the rate is not supported yet." - ); - let step = 1 << (rate_bits - quotient_degree_bits); - // When opening the `Z`s polys at the "next" point, need to look at the point `next_step` steps away. - let next_step = 1 << quotient_degree_bits; - - // Evaluation of the first Lagrange polynomial on the LDE domain. - let lagrange_first = PolynomialValues::selector(degree, 0).lde_onto_coset(quotient_degree_bits); - // Evaluation of the last Lagrange polynomial on the LDE domain. - let lagrange_last = - PolynomialValues::selector(degree, degree - 1).lde_onto_coset(quotient_degree_bits); - - let z_h_on_coset = ZeroPolyOnCoset::::new(degree_bits, quotient_degree_bits); - - // Retrieve the LDE values at index `i`. - let get_trace_values_packed = - |i_start| -> Vec

{ trace_commitment.get_lde_values_packed(i_start, step) }; - - // Last element of the subgroup. - let last = F::primitive_root_of_unity(degree_bits).inverse(); - let size = degree << quotient_degree_bits; - let coset = F::cyclic_subgroup_coset_known_order( - F::primitive_root_of_unity(degree_bits + quotient_degree_bits), - F::coset_shift(), - size, - ); - - // We will step by `P::WIDTH`, and in each iteration, evaluate the quotient polynomial at - // a batch of `P::WIDTH` points. - let quotient_values = (0..size) - .into_par_iter() - .step_by(P::WIDTH) - .flat_map_iter(|i_start| { - let i_next_start = (i_start + next_step) % size; - let i_range = i_start..i_start + P::WIDTH; - - let x = *P::from_slice(&coset[i_range.clone()]); - let z_last = x - last; - let lagrange_basis_first = *P::from_slice(&lagrange_first.values[i_range.clone()]); - let lagrange_basis_last = *P::from_slice(&lagrange_last.values[i_range]); - - let mut consumer = ConstraintConsumer::new( - alphas.clone(), - z_last, - lagrange_basis_first, - lagrange_basis_last, - ); - // Get the local and next row evaluations for the current STARK. - let vars = S::EvaluationFrame::from_values( - &get_trace_values_packed(i_start), - &get_trace_values_packed(i_next_start), - ); - // Get the local and next row evaluations for the permutation argument, as well as the associated challenges. - let lookup_vars = lookup_challenges.map(|challenges| LookupCheckVars { - local_values: auxiliary_polys_commitment.get_lde_values_packed(i_start, step) - [..num_lookup_columns] - .to_vec(), - next_values: auxiliary_polys_commitment.get_lde_values_packed(i_next_start, step), - challenges: challenges.to_vec(), - }); - - // Get all the data for this STARK's CTLs: - // - the local and next row evaluations for the CTL Z polynomials - // - the associated challenges. - // - for each CTL: - // - the filter `Column` - // - the `Column`s that form the looking/looked table. - - let mut start_index = 0; - let ctl_vars = ctl_data - .zs_columns - .iter() - .enumerate() - .map(|(i, zs_columns)| { - let num_ctl_helper_cols = num_ctl_columns[i]; - let helper_columns = auxiliary_polys_commitment - .get_lde_values_packed(i_start, step)[num_lookup_columns - + start_index - ..num_lookup_columns + start_index + num_ctl_helper_cols] - .to_vec(); - - let ctl_vars = CtlCheckVars:: { - helper_columns, - local_z: auxiliary_polys_commitment.get_lde_values_packed(i_start, step) - [num_lookup_columns + total_num_helper_cols + i], - next_z: auxiliary_polys_commitment - .get_lde_values_packed(i_next_start, step) - [num_lookup_columns + total_num_helper_cols + i], - challenges: zs_columns.challenge, - columns: zs_columns.columns.clone(), - filter: zs_columns.filter.clone(), - }; - - start_index += num_ctl_helper_cols; - - ctl_vars - }) - .collect::>(); - - // Evaluate the polynomial combining all constraints, including those associated - // to the permutation and CTL arguments. - eval_vanishing_poly::( - stark, - &vars, - lookups, - lookup_vars, - &ctl_vars, - &mut consumer, - ); - let mut constraints_evals = consumer.accumulators(); - // We divide the constraints evaluations by `Z_H(x)`. - let denominator_inv: P = z_h_on_coset.eval_inverse_packed(i_start); - for eval in &mut constraints_evals { - *eval *= denominator_inv; - } - - let num_challenges = alphas.len(); - - (0..P::WIDTH).map(move |i| { - (0..num_challenges) - .map(|j| constraints_evals[j].as_slice()[i]) - .collect() - }) - }) - .collect::>(); - - transpose("ient_values) - .into_par_iter() - .map(PolynomialValues::new) - .map(|values| values.coset_ifft(F::coset_shift())) - .collect() -} - -/// Utility method that checks whether a kill signal has been emitted by one of the workers, -/// which will result in an early abort for all the other processes involved in the same set -/// of transactions. -pub fn check_abort_signal(abort_signal: Option>) -> Result<()> { - if let Some(signal) = abort_signal { - if signal.load(Ordering::Relaxed) { - return Err(anyhow!("Stopping job from abort signal.")); - } - } - - Ok(()) -} - -#[cfg(test)] -/// Check that all constraints evaluate to zero on `H`. -/// Can also be used to check the degree of the constraints by evaluating on a larger subgroup. -fn check_constraints<'a, F, C, S, const D: usize>( - stark: &S, - trace_commitment: &'a PolynomialBatch, - auxiliary_commitment: &'a PolynomialBatch, - lookup_challenges: Option<&'a Vec>, - lookups: &[Lookup], - ctl_data: &CtlData, - alphas: Vec, - degree_bits: usize, - num_lookup_columns: usize, - num_ctl_helper_cols: &[usize], -) where - F: RichField + Extendable, - C: GenericConfig, - S: Stark, -{ - let degree = 1 << degree_bits; - let rate_bits = 0; // Set this to higher value to check constraint degree. - - let total_num_helper_cols: usize = num_ctl_helper_cols.iter().sum(); - - let size = degree << rate_bits; - let step = 1 << rate_bits; - - // Evaluation of the first Lagrange polynomial. - let lagrange_first = PolynomialValues::selector(degree, 0).lde(rate_bits); - // Evaluation of the last Lagrange polynomial. - let lagrange_last = PolynomialValues::selector(degree, degree - 1).lde(rate_bits); - - let subgroup = F::two_adic_subgroup(degree_bits + rate_bits); - - // Get the evaluations of a batch of polynomials over our subgroup. - let get_subgroup_evals = |comm: &PolynomialBatch| -> Vec> { - let values = comm - .polynomials - .par_iter() - .map(|coeffs| coeffs.clone().fft().values) - .collect::>(); - transpose(&values) - }; - - // Get batch evaluations of the trace, permutation and CTL polynomials over our subgroup. - let trace_subgroup_evals = get_subgroup_evals(trace_commitment); - let auxiliary_subgroup_evals = get_subgroup_evals(auxiliary_commitment); - - // Last element of the subgroup. - let last = F::primitive_root_of_unity(degree_bits).inverse(); - - let constraint_values = (0..size) - .map(|i| { - let i_next = (i + step) % size; - - let x = subgroup[i]; - let z_last = x - last; - let lagrange_basis_first = lagrange_first.values[i]; - let lagrange_basis_last = lagrange_last.values[i]; - - let mut consumer = ConstraintConsumer::new( - alphas.clone(), - z_last, - lagrange_basis_first, - lagrange_basis_last, - ); - // Get the local and next row evaluations for the current STARK's trace. - let vars = S::EvaluationFrame::from_values( - &trace_subgroup_evals[i], - &trace_subgroup_evals[i_next], - ); - // Get the local and next row evaluations for the current STARK's permutation argument. - let lookup_vars = lookup_challenges.map(|challenges| LookupCheckVars { - local_values: auxiliary_subgroup_evals[i][..num_lookup_columns].to_vec(), - next_values: auxiliary_subgroup_evals[i_next][..num_lookup_columns].to_vec(), - challenges: challenges.to_vec(), - }); - - // Get the local and next row evaluations for the current STARK's CTL Z polynomials. - let mut start_index = 0; - let ctl_vars = ctl_data - .zs_columns - .iter() - .enumerate() - .map(|(iii, zs_columns)| { - let num_helper_cols = num_ctl_helper_cols[iii]; - let helper_columns = auxiliary_subgroup_evals[i][num_lookup_columns - + start_index - ..num_lookup_columns + start_index + num_helper_cols] - .to_vec(); - let ctl_vars = CtlCheckVars:: { - helper_columns, - local_z: auxiliary_subgroup_evals[i] - [num_lookup_columns + total_num_helper_cols + iii], - next_z: auxiliary_subgroup_evals[i_next] - [num_lookup_columns + total_num_helper_cols + iii], - challenges: zs_columns.challenge, - columns: zs_columns.columns.clone(), - filter: zs_columns.filter.clone(), - }; - - start_index += num_helper_cols; - - ctl_vars - }) - .collect::>(); - - // Evaluate the polynomial combining all constraints, including those associated - // to the permutation and CTL arguments. - eval_vanishing_poly::( - stark, - &vars, - lookups, - lookup_vars, - &ctl_vars, - &mut consumer, - ); - consumer.accumulators() - }) - .collect::>(); - - // Assert that all constraints evaluate to 0 over our subgroup. - for v in constraint_values { - assert!( - v.iter().all(|x| x.is_zero()), - "Constraint failed in {}", - std::any::type_name::() - ); - } -} diff --git a/evm/src/recursive_verifier.rs b/evm/src/recursive_verifier.rs deleted file mode 100644 index 5220ba32a7..0000000000 --- a/evm/src/recursive_verifier.rs +++ /dev/null @@ -1,1051 +0,0 @@ -use core::array::from_fn; -use core::fmt::Debug; - -use anyhow::Result; -use ethereum_types::{BigEndianHash, U256}; -use plonky2::field::extension::Extendable; -use plonky2::field::types::Field; -use plonky2::fri::witness_util::set_fri_proof_target; -use plonky2::gates::exponentiation::ExponentiationGate; -use plonky2::gates::gate::GateRef; -use plonky2::gates::noop::NoopGate; -use plonky2::hash::hash_types::RichField; -use plonky2::hash::hashing::PlonkyPermutation; -use plonky2::iop::challenger::RecursiveChallenger; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::iop::target::Target; -use plonky2::iop::witness::{PartialWitness, Witness, WitnessWrite}; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::plonk::circuit_data::{CircuitConfig, CircuitData}; -use plonky2::plonk::config::{AlgebraicHasher, GenericConfig}; -use plonky2::plonk::proof::{ProofWithPublicInputs, ProofWithPublicInputsTarget}; -use plonky2::util::reducing::ReducingFactorTarget; -use plonky2::util::serialization::{ - Buffer, GateSerializer, IoResult, Read, WitnessGeneratorSerializer, Write, -}; -use plonky2::with_context; -use plonky2_util::log2_ceil; - -use crate::all_stark::Table; -use crate::config::StarkConfig; -use crate::constraint_consumer::RecursiveConstraintConsumer; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cross_table_lookup::{CrossTableLookup, CtlCheckVarsTarget, GrandProductChallengeSet}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::lookup::{GrandProductChallenge, LookupCheckVarsTarget}; -use crate::memory::segments::Segment; -use crate::memory::VALUE_LIMBS; -use crate::proof::{ - BlockHashes, BlockHashesTarget, BlockMetadata, BlockMetadataTarget, ExtraBlockData, - ExtraBlockDataTarget, PublicValues, PublicValuesTarget, StarkOpeningSetTarget, StarkProof, - StarkProofChallengesTarget, StarkProofTarget, StarkProofWithMetadata, TrieRoots, - TrieRootsTarget, -}; -use crate::stark::Stark; -use crate::util::{h256_limbs, u256_limbs, u256_to_u32, u256_to_u64}; -use crate::vanishing_poly::eval_vanishing_poly_circuit; -use crate::witness::errors::ProgramError; - -pub(crate) struct PublicInputs> -{ - pub(crate) trace_cap: Vec>, - pub(crate) ctl_zs_first: Vec, - pub(crate) ctl_challenges: GrandProductChallengeSet, - pub(crate) challenger_state_before: P, - pub(crate) challenger_state_after: P, -} - -impl> PublicInputs { - pub(crate) fn from_vec(v: &[T], config: &StarkConfig) -> Self { - // TODO: Document magic number 4; probably comes from - // Ethereum 256 bits = 4 * Goldilocks 64 bits - let nelts = config.fri_config.num_cap_elements(); - let mut trace_cap = Vec::with_capacity(nelts); - for i in 0..nelts { - trace_cap.push(v[4 * i..4 * (i + 1)].to_vec()); - } - let mut iter = v.iter().copied().skip(4 * nelts); - let ctl_challenges = GrandProductChallengeSet { - challenges: (0..config.num_challenges) - .map(|_| GrandProductChallenge { - beta: iter.next().unwrap(), - gamma: iter.next().unwrap(), - }) - .collect(), - }; - let challenger_state_before = P::new(&mut iter); - let challenger_state_after = P::new(&mut iter); - let ctl_zs_first: Vec<_> = iter.collect(); - - Self { - trace_cap, - ctl_zs_first, - ctl_challenges, - challenger_state_before, - challenger_state_after, - } - } -} - -/// Represents a circuit which recursively verifies a STARK proof. -#[derive(Eq, PartialEq, Debug)] -pub(crate) struct StarkWrapperCircuit -where - F: RichField + Extendable, - C: GenericConfig, - C::Hasher: AlgebraicHasher, -{ - pub(crate) circuit: CircuitData, - pub(crate) stark_proof_target: StarkProofTarget, - pub(crate) ctl_challenges_target: GrandProductChallengeSet, - pub(crate) init_challenger_state_target: - >::AlgebraicPermutation, - pub(crate) zero_target: Target, -} - -impl StarkWrapperCircuit -where - F: RichField + Extendable, - C: GenericConfig, - C::Hasher: AlgebraicHasher, -{ - pub(crate) fn to_buffer( - &self, - buffer: &mut Vec, - gate_serializer: &dyn GateSerializer, - generator_serializer: &dyn WitnessGeneratorSerializer, - ) -> IoResult<()> { - buffer.write_circuit_data(&self.circuit, gate_serializer, generator_serializer)?; - buffer.write_target_vec(self.init_challenger_state_target.as_ref())?; - buffer.write_target(self.zero_target)?; - self.stark_proof_target.to_buffer(buffer)?; - self.ctl_challenges_target.to_buffer(buffer)?; - Ok(()) - } - - pub(crate) fn from_buffer( - buffer: &mut Buffer, - gate_serializer: &dyn GateSerializer, - generator_serializer: &dyn WitnessGeneratorSerializer, - ) -> IoResult { - let circuit = buffer.read_circuit_data(gate_serializer, generator_serializer)?; - let target_vec = buffer.read_target_vec()?; - let init_challenger_state_target = - >::AlgebraicPermutation::new(target_vec); - let zero_target = buffer.read_target()?; - let stark_proof_target = StarkProofTarget::from_buffer(buffer)?; - let ctl_challenges_target = GrandProductChallengeSet::from_buffer(buffer)?; - Ok(Self { - circuit, - stark_proof_target, - ctl_challenges_target, - init_challenger_state_target, - zero_target, - }) - } - - pub(crate) fn prove( - &self, - proof_with_metadata: &StarkProofWithMetadata, - ctl_challenges: &GrandProductChallengeSet, - ) -> Result> { - let mut inputs = PartialWitness::new(); - - set_stark_proof_target( - &mut inputs, - &self.stark_proof_target, - &proof_with_metadata.proof, - self.zero_target, - ); - - for (challenge_target, challenge) in self - .ctl_challenges_target - .challenges - .iter() - .zip(&ctl_challenges.challenges) - { - inputs.set_target(challenge_target.beta, challenge.beta); - inputs.set_target(challenge_target.gamma, challenge.gamma); - } - - inputs.set_target_arr( - self.init_challenger_state_target.as_ref(), - proof_with_metadata.init_challenger_state.as_ref(), - ); - - self.circuit.prove(inputs) - } -} - -/// Represents a circuit which recursively verifies a PLONK proof. -#[derive(Eq, PartialEq, Debug)] -pub(crate) struct PlonkWrapperCircuit -where - F: RichField + Extendable, - C: GenericConfig, -{ - pub(crate) circuit: CircuitData, - pub(crate) proof_with_pis_target: ProofWithPublicInputsTarget, -} - -impl PlonkWrapperCircuit -where - F: RichField + Extendable, - C: GenericConfig, - C::Hasher: AlgebraicHasher, -{ - pub(crate) fn prove( - &self, - proof: &ProofWithPublicInputs, - ) -> Result> { - let mut inputs = PartialWitness::new(); - inputs.set_proof_with_pis_target(&self.proof_with_pis_target, proof); - self.circuit.prove(inputs) - } -} - -/// Returns the recursive Stark circuit. -pub(crate) fn recursive_stark_circuit< - F: RichField + Extendable, - C: GenericConfig, - S: Stark, - const D: usize, ->( - table: Table, - stark: &S, - degree_bits: usize, - cross_table_lookups: &[CrossTableLookup], - inner_config: &StarkConfig, - circuit_config: &CircuitConfig, - min_degree_bits: usize, -) -> StarkWrapperCircuit -where - C::Hasher: AlgebraicHasher, -{ - let mut builder = CircuitBuilder::::new(circuit_config.clone()); - let zero_target = builder.zero(); - - let num_lookup_columns = stark.num_lookup_helper_columns(inner_config); - let (total_num_helpers, num_ctl_zs, num_helpers_by_ctl) = - CrossTableLookup::num_ctl_helpers_zs_all( - cross_table_lookups, - *table, - inner_config.num_challenges, - stark.constraint_degree(), - ); - let num_ctl_helper_zs = num_ctl_zs + total_num_helpers; - - let proof_target = add_virtual_stark_proof( - &mut builder, - stark, - inner_config, - degree_bits, - num_ctl_helper_zs, - num_ctl_zs, - ); - - builder.register_public_inputs( - &proof_target - .trace_cap - .0 - .iter() - .flat_map(|h| h.elements) - .collect::>(), - ); - - let ctl_challenges_target = GrandProductChallengeSet { - challenges: (0..inner_config.num_challenges) - .map(|_| GrandProductChallenge { - beta: builder.add_virtual_public_input(), - gamma: builder.add_virtual_public_input(), - }) - .collect(), - }; - - let ctl_vars = CtlCheckVarsTarget::from_proof( - *table, - &proof_target, - cross_table_lookups, - &ctl_challenges_target, - num_lookup_columns, - total_num_helpers, - &num_helpers_by_ctl, - ); - - let init_challenger_state_target = - >::AlgebraicPermutation::new(std::iter::from_fn(|| { - Some(builder.add_virtual_public_input()) - })); - let mut challenger = - RecursiveChallenger::::from_state(init_challenger_state_target); - let challenges = - proof_target.get_challenges::(&mut builder, &mut challenger, inner_config); - let challenger_state = challenger.compact(&mut builder); - builder.register_public_inputs(challenger_state.as_ref()); - - builder.register_public_inputs(&proof_target.openings.ctl_zs_first); - - verify_stark_proof_with_challenges_circuit::( - &mut builder, - stark, - &proof_target, - &challenges, - &ctl_vars, - &ctl_challenges_target, - inner_config, - ); - - add_common_recursion_gates(&mut builder); - - // Pad to the minimum degree. - while log2_ceil(builder.num_gates()) < min_degree_bits { - builder.add_gate(NoopGate, vec![]); - } - - let circuit = builder.build::(); - StarkWrapperCircuit { - circuit, - stark_proof_target: proof_target, - ctl_challenges_target, - init_challenger_state_target, - zero_target, - } -} - -/// Add gates that are sometimes used by recursive circuits, even if it's not actually used by this -/// particular recursive circuit. This is done for uniformity. We sometimes want all recursion -/// circuits to have the same gate set, so that we can do 1-of-n conditional recursion efficiently. -pub(crate) fn add_common_recursion_gates, const D: usize>( - builder: &mut CircuitBuilder, -) { - builder.add_gate_to_gate_set(GateRef::new(ExponentiationGate::new_from_config( - &builder.config, - ))); -} - -/// Recursively verifies an inner proof. -fn verify_stark_proof_with_challenges_circuit< - F: RichField + Extendable, - C: GenericConfig, - S: Stark, - const D: usize, ->( - builder: &mut CircuitBuilder, - stark: &S, - proof: &StarkProofTarget, - challenges: &StarkProofChallengesTarget, - ctl_vars: &[CtlCheckVarsTarget], - ctl_challenges: &GrandProductChallengeSet, - inner_config: &StarkConfig, -) where - C::Hasher: AlgebraicHasher, -{ - let zero = builder.zero(); - let one = builder.one_extension(); - - let num_ctl_polys = ctl_vars - .iter() - .map(|ctl| ctl.helper_columns.len()) - .sum::(); - - let StarkOpeningSetTarget { - local_values, - next_values, - auxiliary_polys, - auxiliary_polys_next, - ctl_zs_first, - quotient_polys, - } = &proof.openings; - let vars = S::EvaluationFrameTarget::from_values(local_values, next_values); - - let degree_bits = proof.recover_degree_bits(inner_config); - let zeta_pow_deg = builder.exp_power_of_2_extension(challenges.stark_zeta, degree_bits); - let z_h_zeta = builder.sub_extension(zeta_pow_deg, one); - let (l_0, l_last) = - eval_l_0_and_l_last_circuit(builder, degree_bits, challenges.stark_zeta, z_h_zeta); - let last = - builder.constant_extension(F::Extension::primitive_root_of_unity(degree_bits).inverse()); - let z_last = builder.sub_extension(challenges.stark_zeta, last); - - let mut consumer = RecursiveConstraintConsumer::::new( - builder.zero_extension(), - challenges.stark_alphas.clone(), - z_last, - l_0, - l_last, - ); - - let num_lookup_columns = stark.num_lookup_helper_columns(inner_config); - let lookup_challenges = (num_lookup_columns > 0).then(|| { - ctl_challenges - .challenges - .iter() - .map(|ch| ch.beta) - .collect::>() - }); - - let lookup_vars = stark.uses_lookups().then(|| LookupCheckVarsTarget { - local_values: auxiliary_polys[..num_lookup_columns].to_vec(), - next_values: auxiliary_polys_next[..num_lookup_columns].to_vec(), - challenges: lookup_challenges.unwrap(), - }); - - with_context!( - builder, - "evaluate vanishing polynomial", - eval_vanishing_poly_circuit::( - builder, - stark, - &vars, - lookup_vars, - ctl_vars, - &mut consumer, - ) - ); - let vanishing_polys_zeta = consumer.accumulators(); - - // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta. - let mut scale = ReducingFactorTarget::new(zeta_pow_deg); - for (i, chunk) in quotient_polys - .chunks(stark.quotient_degree_factor()) - .enumerate() - { - let recombined_quotient = scale.reduce(chunk, builder); - let computed_vanishing_poly = builder.mul_extension(z_h_zeta, recombined_quotient); - builder.connect_extension(vanishing_polys_zeta[i], computed_vanishing_poly); - } - - let merkle_caps = vec![ - proof.trace_cap.clone(), - proof.auxiliary_polys_cap.clone(), - proof.quotient_polys_cap.clone(), - ]; - - let fri_instance = stark.fri_instance_target( - builder, - challenges.stark_zeta, - F::primitive_root_of_unity(degree_bits), - num_ctl_polys, - ctl_zs_first.len(), - inner_config, - ); - builder.verify_fri_proof::( - &fri_instance, - &proof.openings.to_fri_openings(zero), - &challenges.fri_challenges, - &merkle_caps, - &proof.opening_proof, - &inner_config.fri_params(degree_bits), - ); -} - -/// Recursive version of `get_memory_extra_looking_sum`. -pub(crate) fn get_memory_extra_looking_sum_circuit, const D: usize>( - builder: &mut CircuitBuilder, - public_values: &PublicValuesTarget, - challenge: GrandProductChallenge, -) -> Target { - let mut sum = builder.zero(); - - // Add metadata writes. - let block_fields_scalars = [ - ( - GlobalMetadata::BlockTimestamp, - public_values.block_metadata.block_timestamp, - ), - ( - GlobalMetadata::BlockNumber, - public_values.block_metadata.block_number, - ), - ( - GlobalMetadata::BlockDifficulty, - public_values.block_metadata.block_difficulty, - ), - ( - GlobalMetadata::BlockGasLimit, - public_values.block_metadata.block_gaslimit, - ), - ( - GlobalMetadata::BlockChainId, - public_values.block_metadata.block_chain_id, - ), - ( - GlobalMetadata::BlockGasUsed, - public_values.block_metadata.block_gas_used, - ), - ( - GlobalMetadata::BlockGasUsedBefore, - public_values.extra_block_data.gas_used_before, - ), - ( - GlobalMetadata::BlockGasUsedAfter, - public_values.extra_block_data.gas_used_after, - ), - ( - GlobalMetadata::TxnNumberBefore, - public_values.extra_block_data.txn_number_before, - ), - ( - GlobalMetadata::TxnNumberAfter, - public_values.extra_block_data.txn_number_after, - ), - ]; - - let beneficiary_random_base_fee_cur_hash_fields: [(GlobalMetadata, &[Target]); 4] = [ - ( - GlobalMetadata::BlockBeneficiary, - &public_values.block_metadata.block_beneficiary, - ), - ( - GlobalMetadata::BlockRandom, - &public_values.block_metadata.block_random, - ), - ( - GlobalMetadata::BlockBaseFee, - &public_values.block_metadata.block_base_fee, - ), - ( - GlobalMetadata::BlockCurrentHash, - &public_values.block_hashes.cur_hash, - ), - ]; - - let metadata_segment = - builder.constant(F::from_canonical_usize(Segment::GlobalMetadata.unscale())); - block_fields_scalars.map(|(field, target)| { - // Each of those fields fit in 32 bits, hence in a single Target. - sum = add_data_write( - builder, - challenge, - sum, - metadata_segment, - field.unscale(), - &[target], - ); - }); - - beneficiary_random_base_fee_cur_hash_fields.map(|(field, targets)| { - sum = add_data_write( - builder, - challenge, - sum, - metadata_segment, - field.unscale(), - targets, - ); - }); - - // Add block hashes writes. - let block_hashes_segment = - builder.constant(F::from_canonical_usize(Segment::BlockHashes.unscale())); - for i in 0..256 { - sum = add_data_write( - builder, - challenge, - sum, - block_hashes_segment, - i, - &public_values.block_hashes.prev_hashes[8 * i..8 * (i + 1)], - ); - } - - // Add block bloom filters writes. - let bloom_segment = - builder.constant(F::from_canonical_usize(Segment::GlobalBlockBloom.unscale())); - for i in 0..8 { - sum = add_data_write( - builder, - challenge, - sum, - bloom_segment, - i, - &public_values.block_metadata.block_bloom[i * 8..(i + 1) * 8], - ); - } - - // Add trie roots writes. - let trie_fields = [ - ( - GlobalMetadata::StateTrieRootDigestBefore, - public_values.trie_roots_before.state_root, - ), - ( - GlobalMetadata::TransactionTrieRootDigestBefore, - public_values.trie_roots_before.transactions_root, - ), - ( - GlobalMetadata::ReceiptTrieRootDigestBefore, - public_values.trie_roots_before.receipts_root, - ), - ( - GlobalMetadata::StateTrieRootDigestAfter, - public_values.trie_roots_after.state_root, - ), - ( - GlobalMetadata::TransactionTrieRootDigestAfter, - public_values.trie_roots_after.transactions_root, - ), - ( - GlobalMetadata::ReceiptTrieRootDigestAfter, - public_values.trie_roots_after.receipts_root, - ), - ]; - - trie_fields.map(|(field, targets)| { - sum = add_data_write( - builder, - challenge, - sum, - metadata_segment, - field.unscale(), - &targets, - ); - }); - - // Add kernel hash and kernel length. - let kernel_hash_limbs = h256_limbs::(KERNEL.code_hash); - let kernel_hash_targets: [Target; 8] = from_fn(|i| builder.constant(kernel_hash_limbs[i])); - sum = add_data_write( - builder, - challenge, - sum, - metadata_segment, - GlobalMetadata::KernelHash.unscale(), - &kernel_hash_targets, - ); - let kernel_len_target = builder.constant(F::from_canonical_usize(KERNEL.code.len())); - sum = add_data_write( - builder, - challenge, - sum, - metadata_segment, - GlobalMetadata::KernelLen.unscale(), - &[kernel_len_target], - ); - - sum -} - -fn add_data_write, const D: usize>( - builder: &mut CircuitBuilder, - challenge: GrandProductChallenge, - running_sum: Target, - segment: Target, - idx: usize, - val: &[Target], -) -> Target { - debug_assert!(val.len() <= VALUE_LIMBS); - let len = core::cmp::min(val.len(), VALUE_LIMBS); - - let row = builder.add_virtual_targets(13); - // is_read = false - builder.assert_zero(row[0]); - // context = 0 - builder.assert_zero(row[1]); - // segment - builder.connect(row[2], segment); - // virtual - let field_target = builder.constant(F::from_canonical_usize(idx)); - builder.connect(row[3], field_target); - - // values - for j in 0..len { - // connect the actual value limbs - builder.connect(row[4 + j], val[j]); - } - for j in len..VALUE_LIMBS { - // assert that the remaining limbs are 0 - builder.assert_zero(row[4 + j]); - } - - // timestamp = 1 - builder.assert_one(row[12]); - - let combined = challenge.combine_base_circuit(builder, &row); - let inverse = builder.inverse(combined); - builder.add(running_sum, inverse) -} - -fn eval_l_0_and_l_last_circuit, const D: usize>( - builder: &mut CircuitBuilder, - log_n: usize, - x: ExtensionTarget, - z_x: ExtensionTarget, -) -> (ExtensionTarget, ExtensionTarget) { - let n = builder.constant_extension(F::Extension::from_canonical_usize(1 << log_n)); - let g = builder.constant_extension(F::Extension::primitive_root_of_unity(log_n)); - let one = builder.one_extension(); - let l_0_deno = builder.mul_sub_extension(n, x, n); - let l_last_deno = builder.mul_sub_extension(g, x, one); - let l_last_deno = builder.mul_extension(n, l_last_deno); - - ( - builder.div_extension(z_x, l_0_deno), - builder.div_extension(z_x, l_last_deno), - ) -} - -pub(crate) fn add_virtual_public_values, const D: usize>( - builder: &mut CircuitBuilder, -) -> PublicValuesTarget { - let trie_roots_before = add_virtual_trie_roots(builder); - let trie_roots_after = add_virtual_trie_roots(builder); - let block_metadata = add_virtual_block_metadata(builder); - let block_hashes = add_virtual_block_hashes(builder); - let extra_block_data = add_virtual_extra_block_data(builder); - PublicValuesTarget { - trie_roots_before, - trie_roots_after, - block_metadata, - block_hashes, - extra_block_data, - } -} - -pub(crate) fn add_virtual_trie_roots, const D: usize>( - builder: &mut CircuitBuilder, -) -> TrieRootsTarget { - let state_root = builder.add_virtual_public_input_arr(); - let transactions_root = builder.add_virtual_public_input_arr(); - let receipts_root = builder.add_virtual_public_input_arr(); - TrieRootsTarget { - state_root, - transactions_root, - receipts_root, - } -} - -pub(crate) fn add_virtual_block_metadata, const D: usize>( - builder: &mut CircuitBuilder, -) -> BlockMetadataTarget { - let block_beneficiary = builder.add_virtual_public_input_arr(); - let block_timestamp = builder.add_virtual_public_input(); - let block_number = builder.add_virtual_public_input(); - let block_difficulty = builder.add_virtual_public_input(); - let block_random = builder.add_virtual_public_input_arr(); - let block_gaslimit = builder.add_virtual_public_input(); - let block_chain_id = builder.add_virtual_public_input(); - let block_base_fee = builder.add_virtual_public_input_arr(); - let block_gas_used = builder.add_virtual_public_input(); - let block_bloom = builder.add_virtual_public_input_arr(); - BlockMetadataTarget { - block_beneficiary, - block_timestamp, - block_number, - block_difficulty, - block_random, - block_gaslimit, - block_chain_id, - block_base_fee, - block_gas_used, - block_bloom, - } -} - -pub(crate) fn add_virtual_block_hashes, const D: usize>( - builder: &mut CircuitBuilder, -) -> BlockHashesTarget { - let prev_hashes = builder.add_virtual_public_input_arr(); - let cur_hash = builder.add_virtual_public_input_arr(); - BlockHashesTarget { - prev_hashes, - cur_hash, - } -} -pub(crate) fn add_virtual_extra_block_data, const D: usize>( - builder: &mut CircuitBuilder, -) -> ExtraBlockDataTarget { - let checkpoint_state_trie_root = builder.add_virtual_public_input_arr(); - let txn_number_before = builder.add_virtual_public_input(); - let txn_number_after = builder.add_virtual_public_input(); - let gas_used_before = builder.add_virtual_public_input(); - let gas_used_after = builder.add_virtual_public_input(); - ExtraBlockDataTarget { - checkpoint_state_trie_root, - txn_number_before, - txn_number_after, - gas_used_before, - gas_used_after, - } -} - -pub(crate) fn add_virtual_stark_proof< - F: RichField + Extendable, - S: Stark, - const D: usize, ->( - builder: &mut CircuitBuilder, - stark: &S, - config: &StarkConfig, - degree_bits: usize, - num_ctl_helper_zs: usize, - num_ctl_zs: usize, -) -> StarkProofTarget { - let fri_params = config.fri_params(degree_bits); - let cap_height = fri_params.config.cap_height; - - let num_leaves_per_oracle = vec![ - S::COLUMNS, - stark.num_lookup_helper_columns(config) + num_ctl_helper_zs, - stark.quotient_degree_factor() * config.num_challenges, - ]; - - let auxiliary_polys_cap = builder.add_virtual_cap(cap_height); - - StarkProofTarget { - trace_cap: builder.add_virtual_cap(cap_height), - auxiliary_polys_cap, - quotient_polys_cap: builder.add_virtual_cap(cap_height), - openings: add_virtual_stark_opening_set::( - builder, - stark, - num_ctl_helper_zs, - num_ctl_zs, - config, - ), - opening_proof: builder.add_virtual_fri_proof(&num_leaves_per_oracle, &fri_params), - } -} - -fn add_virtual_stark_opening_set, S: Stark, const D: usize>( - builder: &mut CircuitBuilder, - stark: &S, - num_ctl_helper_zs: usize, - num_ctl_zs: usize, - config: &StarkConfig, -) -> StarkOpeningSetTarget { - let num_challenges = config.num_challenges; - StarkOpeningSetTarget { - local_values: builder.add_virtual_extension_targets(S::COLUMNS), - next_values: builder.add_virtual_extension_targets(S::COLUMNS), - auxiliary_polys: builder.add_virtual_extension_targets( - stark.num_lookup_helper_columns(config) + num_ctl_helper_zs, - ), - auxiliary_polys_next: builder.add_virtual_extension_targets( - stark.num_lookup_helper_columns(config) + num_ctl_helper_zs, - ), - ctl_zs_first: builder.add_virtual_targets(num_ctl_zs), - quotient_polys: builder - .add_virtual_extension_targets(stark.quotient_degree_factor() * num_challenges), - } -} - -pub(crate) fn set_stark_proof_target, W, const D: usize>( - witness: &mut W, - proof_target: &StarkProofTarget, - proof: &StarkProof, - zero: Target, -) where - F: RichField + Extendable, - C::Hasher: AlgebraicHasher, - W: Witness, -{ - witness.set_cap_target(&proof_target.trace_cap, &proof.trace_cap); - witness.set_cap_target(&proof_target.quotient_polys_cap, &proof.quotient_polys_cap); - - witness.set_fri_openings( - &proof_target.openings.to_fri_openings(zero), - &proof.openings.to_fri_openings(), - ); - - witness.set_cap_target( - &proof_target.auxiliary_polys_cap, - &proof.auxiliary_polys_cap, - ); - - set_fri_proof_target(witness, &proof_target.opening_proof, &proof.opening_proof); -} - -pub fn set_public_value_targets( - witness: &mut W, - public_values_target: &PublicValuesTarget, - public_values: &PublicValues, -) -> Result<(), ProgramError> -where - F: RichField + Extendable, - W: Witness, -{ - set_trie_roots_target( - witness, - &public_values_target.trie_roots_before, - &public_values.trie_roots_before, - ); - set_trie_roots_target( - witness, - &public_values_target.trie_roots_after, - &public_values.trie_roots_after, - ); - set_block_metadata_target( - witness, - &public_values_target.block_metadata, - &public_values.block_metadata, - )?; - set_block_hashes_target( - witness, - &public_values_target.block_hashes, - &public_values.block_hashes, - ); - set_extra_public_values_target( - witness, - &public_values_target.extra_block_data, - &public_values.extra_block_data, - )?; - - Ok(()) -} - -pub(crate) fn set_trie_roots_target( - witness: &mut W, - trie_roots_target: &TrieRootsTarget, - trie_roots: &TrieRoots, -) where - F: RichField + Extendable, - W: Witness, -{ - for (i, limb) in trie_roots.state_root.into_uint().0.into_iter().enumerate() { - witness.set_target( - trie_roots_target.state_root[2 * i], - F::from_canonical_u32(limb as u32), - ); - witness.set_target( - trie_roots_target.state_root[2 * i + 1], - F::from_canonical_u32((limb >> 32) as u32), - ); - } - - for (i, limb) in trie_roots - .transactions_root - .into_uint() - .0 - .into_iter() - .enumerate() - { - witness.set_target( - trie_roots_target.transactions_root[2 * i], - F::from_canonical_u32(limb as u32), - ); - witness.set_target( - trie_roots_target.transactions_root[2 * i + 1], - F::from_canonical_u32((limb >> 32) as u32), - ); - } - - for (i, limb) in trie_roots - .receipts_root - .into_uint() - .0 - .into_iter() - .enumerate() - { - witness.set_target( - trie_roots_target.receipts_root[2 * i], - F::from_canonical_u32(limb as u32), - ); - witness.set_target( - trie_roots_target.receipts_root[2 * i + 1], - F::from_canonical_u32((limb >> 32) as u32), - ); - } -} - -pub(crate) fn set_block_metadata_target( - witness: &mut W, - block_metadata_target: &BlockMetadataTarget, - block_metadata: &BlockMetadata, -) -> Result<(), ProgramError> -where - F: RichField + Extendable, - W: Witness, -{ - let beneficiary_limbs: [F; 5] = - u256_limbs::(U256::from_big_endian(&block_metadata.block_beneficiary.0))[..5] - .try_into() - .unwrap(); - witness.set_target_arr(&block_metadata_target.block_beneficiary, &beneficiary_limbs); - witness.set_target( - block_metadata_target.block_timestamp, - u256_to_u32(block_metadata.block_timestamp)?, - ); - witness.set_target( - block_metadata_target.block_number, - u256_to_u32(block_metadata.block_number)?, - ); - witness.set_target( - block_metadata_target.block_difficulty, - u256_to_u32(block_metadata.block_difficulty)?, - ); - witness.set_target_arr( - &block_metadata_target.block_random, - &h256_limbs(block_metadata.block_random), - ); - witness.set_target( - block_metadata_target.block_gaslimit, - u256_to_u32(block_metadata.block_gaslimit)?, - ); - witness.set_target( - block_metadata_target.block_chain_id, - u256_to_u32(block_metadata.block_chain_id)?, - ); - // Basefee fits in 2 limbs - let basefee = u256_to_u64(block_metadata.block_base_fee)?; - witness.set_target(block_metadata_target.block_base_fee[0], basefee.0); - witness.set_target(block_metadata_target.block_base_fee[1], basefee.1); - witness.set_target( - block_metadata_target.block_gas_used, - u256_to_u32(block_metadata.block_gas_used)?, - ); - let mut block_bloom_limbs = [F::ZERO; 64]; - for (i, limbs) in block_bloom_limbs.chunks_exact_mut(8).enumerate() { - limbs.copy_from_slice(&u256_limbs(block_metadata.block_bloom[i])); - } - witness.set_target_arr(&block_metadata_target.block_bloom, &block_bloom_limbs); - - Ok(()) -} - -pub(crate) fn set_block_hashes_target( - witness: &mut W, - block_hashes_target: &BlockHashesTarget, - block_hashes: &BlockHashes, -) where - F: RichField + Extendable, - W: Witness, -{ - for i in 0..256 { - let block_hash_limbs: [F; 8] = h256_limbs::(block_hashes.prev_hashes[i]); - witness.set_target_arr( - &block_hashes_target.prev_hashes[8 * i..8 * (i + 1)], - &block_hash_limbs, - ); - } - let cur_block_hash_limbs: [F; 8] = h256_limbs::(block_hashes.cur_hash); - witness.set_target_arr(&block_hashes_target.cur_hash, &cur_block_hash_limbs); -} - -pub(crate) fn set_extra_public_values_target( - witness: &mut W, - ed_target: &ExtraBlockDataTarget, - ed: &ExtraBlockData, -) -> Result<(), ProgramError> -where - F: RichField + Extendable, - W: Witness, -{ - witness.set_target_arr( - &ed_target.checkpoint_state_trie_root, - &h256_limbs::(ed.checkpoint_state_trie_root), - ); - witness.set_target( - ed_target.txn_number_before, - u256_to_u32(ed.txn_number_before)?, - ); - witness.set_target( - ed_target.txn_number_after, - u256_to_u32(ed.txn_number_after)?, - ); - witness.set_target(ed_target.gas_used_before, u256_to_u32(ed.gas_used_before)?); - witness.set_target(ed_target.gas_used_after, u256_to_u32(ed.gas_used_after)?); - - Ok(()) -} diff --git a/evm/src/stark.rs b/evm/src/stark.rs deleted file mode 100644 index 5ff578f9fc..0000000000 --- a/evm/src/stark.rs +++ /dev/null @@ -1,228 +0,0 @@ -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::types::Field; -use plonky2::fri::structure::{ - FriBatchInfo, FriBatchInfoTarget, FriInstanceInfo, FriInstanceInfoTarget, FriOracleInfo, - FriPolynomialInfo, -}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::config::StarkConfig; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::lookup::Lookup; - -const TRACE_ORACLE_INDEX: usize = 0; -const AUXILIARY_ORACLE_INDEX: usize = 1; -const QUOTIENT_ORACLE_INDEX: usize = 2; - -/// Represents a STARK system. -pub trait Stark, const D: usize>: Sync { - /// The total number of columns in the trace. - const COLUMNS: usize = Self::EvaluationFrameTarget::COLUMNS; - - /// This is used to evaluate constraints natively. - type EvaluationFrame: StarkEvaluationFrame

- where - FE: FieldExtension, - P: PackedField; - - /// The `Target` version of `Self::EvaluationFrame`, used to evaluate constraints recursively. - type EvaluationFrameTarget: StarkEvaluationFrame>; - - /// Evaluate constraints at a vector of points. - /// - /// The points are elements of a field `FE`, a degree `D2` extension of `F`. This lets us - /// evaluate constraints over a larger domain if desired. This can also be called with `FE = F` - /// and `D2 = 1`, in which case we are using the trivial extension, i.e. just evaluating - /// constraints over `F`. - fn eval_packed_generic( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) where - FE: FieldExtension, - P: PackedField; - - /// Evaluate constraints at a vector of points from the base field `F`. - fn eval_packed_base>( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer

, - ) { - self.eval_packed_generic(vars, yield_constr) - } - - /// Evaluate constraints at a single point from the degree `D` extension field. - fn eval_ext( - &self, - vars: &Self::EvaluationFrame, - yield_constr: &mut ConstraintConsumer, - ) { - self.eval_packed_generic(vars, yield_constr) - } - - /// Evaluate constraints at a vector of points from the degree `D` extension field. This is like - /// `eval_ext`, except in the context of a recursive circuit. - /// Note: constraints must be added through`yield_constr.constraint(builder, constraint)` in the - /// same order as they are given in `eval_packed_generic`. - fn eval_ext_circuit( - &self, - builder: &mut CircuitBuilder, - vars: &Self::EvaluationFrameTarget, - yield_constr: &mut RecursiveConstraintConsumer, - ); - - /// The maximum constraint degree. - fn constraint_degree(&self) -> usize; - - /// The maximum constraint degree. - fn quotient_degree_factor(&self) -> usize { - 1.max(self.constraint_degree() - 1) - } - - fn num_quotient_polys(&self, config: &StarkConfig) -> usize { - self.quotient_degree_factor() * config.num_challenges - } - - /// Computes the FRI instance used to prove this Stark. - fn fri_instance( - &self, - zeta: F::Extension, - g: F, - num_ctl_helpers: usize, - num_ctl_zs: Vec, - config: &StarkConfig, - ) -> FriInstanceInfo { - let trace_oracle = FriOracleInfo { - num_polys: Self::COLUMNS, - blinding: false, - }; - let trace_info = FriPolynomialInfo::from_range(TRACE_ORACLE_INDEX, 0..Self::COLUMNS); - - let num_lookup_columns = self.num_lookup_helper_columns(config); - let num_auxiliary_polys = num_lookup_columns + num_ctl_helpers + num_ctl_zs.len(); - let auxiliary_oracle = FriOracleInfo { - num_polys: num_auxiliary_polys, - blinding: false, - }; - let auxiliary_polys_info = - FriPolynomialInfo::from_range(AUXILIARY_ORACLE_INDEX, 0..num_auxiliary_polys); - - let ctl_zs_info = FriPolynomialInfo::from_range( - AUXILIARY_ORACLE_INDEX, - num_lookup_columns + num_ctl_helpers..num_auxiliary_polys, - ); - - let num_quotient_polys = self.num_quotient_polys(config); - let quotient_oracle = FriOracleInfo { - num_polys: num_quotient_polys, - blinding: false, - }; - let quotient_info = - FriPolynomialInfo::from_range(QUOTIENT_ORACLE_INDEX, 0..num_quotient_polys); - - let zeta_batch = FriBatchInfo { - point: zeta, - polynomials: [ - trace_info.clone(), - auxiliary_polys_info.clone(), - quotient_info, - ] - .concat(), - }; - let zeta_next_batch = FriBatchInfo { - point: zeta.scalar_mul(g), - polynomials: [trace_info, auxiliary_polys_info].concat(), - }; - let ctl_first_batch = FriBatchInfo { - point: F::Extension::ONE, - polynomials: ctl_zs_info, - }; - FriInstanceInfo { - oracles: vec![trace_oracle, auxiliary_oracle, quotient_oracle], - batches: vec![zeta_batch, zeta_next_batch, ctl_first_batch], - } - } - - /// Computes the FRI instance used to prove this Stark. - fn fri_instance_target( - &self, - builder: &mut CircuitBuilder, - zeta: ExtensionTarget, - g: F, - num_ctl_helper_polys: usize, - num_ctl_zs: usize, - inner_config: &StarkConfig, - ) -> FriInstanceInfoTarget { - let trace_oracle = FriOracleInfo { - num_polys: Self::COLUMNS, - blinding: false, - }; - let trace_info = FriPolynomialInfo::from_range(TRACE_ORACLE_INDEX, 0..Self::COLUMNS); - - let num_lookup_columns = self.num_lookup_helper_columns(inner_config); - let num_auxiliary_polys = num_lookup_columns + num_ctl_helper_polys + num_ctl_zs; - let auxiliary_oracle = FriOracleInfo { - num_polys: num_auxiliary_polys, - blinding: false, - }; - let auxiliary_polys_info = - FriPolynomialInfo::from_range(AUXILIARY_ORACLE_INDEX, 0..num_auxiliary_polys); - - let ctl_zs_info = FriPolynomialInfo::from_range( - AUXILIARY_ORACLE_INDEX, - num_lookup_columns + num_ctl_helper_polys - ..num_lookup_columns + num_ctl_helper_polys + num_ctl_zs, - ); - - let num_quotient_polys = self.num_quotient_polys(inner_config); - let quotient_oracle = FriOracleInfo { - num_polys: num_quotient_polys, - blinding: false, - }; - let quotient_info = - FriPolynomialInfo::from_range(QUOTIENT_ORACLE_INDEX, 0..num_quotient_polys); - - let zeta_batch = FriBatchInfoTarget { - point: zeta, - polynomials: [ - trace_info.clone(), - auxiliary_polys_info.clone(), - quotient_info, - ] - .concat(), - }; - let zeta_next = builder.mul_const_extension(g, zeta); - let zeta_next_batch = FriBatchInfoTarget { - point: zeta_next, - polynomials: [trace_info, auxiliary_polys_info].concat(), - }; - let ctl_first_batch = FriBatchInfoTarget { - point: builder.one_extension(), - polynomials: ctl_zs_info, - }; - FriInstanceInfoTarget { - oracles: vec![trace_oracle, auxiliary_oracle, quotient_oracle], - batches: vec![zeta_batch, zeta_next_batch, ctl_first_batch], - } - } - - fn lookups(&self) -> Vec> { - vec![] - } - - fn num_lookup_helper_columns(&self, config: &StarkConfig) -> usize { - self.lookups() - .iter() - .map(|lookup| lookup.num_helper_columns(self.constraint_degree())) - .sum::() - * config.num_challenges - } - - fn uses_lookups(&self) -> bool { - !self.lookups().is_empty() - } -} diff --git a/evm/src/stark_testing.rs b/evm/src/stark_testing.rs deleted file mode 100644 index 3568f00433..0000000000 --- a/evm/src/stark_testing.rs +++ /dev/null @@ -1,157 +0,0 @@ -use anyhow::{ensure, Result}; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::polynomial::{PolynomialCoeffs, PolynomialValues}; -use plonky2::field::types::{Field, Sample}; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::witness::{PartialWitness, WitnessWrite}; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::plonk::circuit_data::CircuitConfig; -use plonky2::plonk::config::GenericConfig; -use plonky2::util::transpose; -use plonky2_util::{log2_ceil, log2_strict}; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::stark::Stark; - -const WITNESS_SIZE: usize = 1 << 5; - -/// Tests that the constraints imposed by the given STARK are low-degree by applying them to random -/// low-degree witness polynomials. -pub(crate) fn test_stark_low_degree< - F: RichField + Extendable, - S: Stark, - const D: usize, ->( - stark: S, -) -> Result<()> { - let rate_bits = log2_ceil(stark.constraint_degree() + 1); - - let trace_ldes = random_low_degree_matrix::(S::COLUMNS, rate_bits); - let size = trace_ldes.len(); - - let lagrange_first = PolynomialValues::selector(WITNESS_SIZE, 0).lde(rate_bits); - let lagrange_last = PolynomialValues::selector(WITNESS_SIZE, WITNESS_SIZE - 1).lde(rate_bits); - - let last = F::primitive_root_of_unity(log2_strict(WITNESS_SIZE)).inverse(); - let subgroup = - F::cyclic_subgroup_known_order(F::primitive_root_of_unity(log2_strict(size)), size); - let alpha = F::rand(); - let constraint_evals = (0..size) - .map(|i| { - let vars = S::EvaluationFrame::from_values( - &trace_ldes[i], - &trace_ldes[(i + (1 << rate_bits)) % size], - ); - - let mut consumer = ConstraintConsumer::::new( - vec![alpha], - subgroup[i] - last, - lagrange_first.values[i], - lagrange_last.values[i], - ); - stark.eval_packed_base(&vars, &mut consumer); - consumer.accumulators()[0] - }) - .collect::>(); - - let constraint_poly_values = PolynomialValues::new(constraint_evals); - if !constraint_poly_values.is_zero() { - let constraint_eval_degree = constraint_poly_values.degree(); - let maximum_degree = WITNESS_SIZE * stark.constraint_degree() - 1; - - ensure!( - constraint_eval_degree <= maximum_degree, - "Expected degrees at most {} * {} - 1 = {}, actual {:?}", - WITNESS_SIZE, - stark.constraint_degree(), - maximum_degree, - constraint_eval_degree - ); - } - - Ok(()) -} - -/// Tests that the circuit constraints imposed by the given STARK are coherent with the native constraints. -pub(crate) fn test_stark_circuit_constraints< - F: RichField + Extendable, - C: GenericConfig, - S: Stark, - const D: usize, ->( - stark: S, -) -> Result<()> { - // Compute native constraint evaluation on random values. - let vars = S::EvaluationFrame::from_values( - &F::Extension::rand_vec(S::COLUMNS), - &F::Extension::rand_vec(S::COLUMNS), - ); - - let alphas = F::rand_vec(1); - let z_last = F::Extension::rand(); - let lagrange_first = F::Extension::rand(); - let lagrange_last = F::Extension::rand(); - let mut consumer = ConstraintConsumer::::new( - alphas - .iter() - .copied() - .map(F::Extension::from_basefield) - .collect(), - z_last, - lagrange_first, - lagrange_last, - ); - stark.eval_ext(&vars, &mut consumer); - let native_eval = consumer.accumulators()[0]; - - // Compute circuit constraint evaluation on same random values. - let circuit_config = CircuitConfig::standard_recursion_config(); - let mut builder = CircuitBuilder::::new(circuit_config); - let mut pw = PartialWitness::::new(); - - let locals_t = builder.add_virtual_extension_targets(S::COLUMNS); - pw.set_extension_targets(&locals_t, vars.get_local_values()); - let nexts_t = builder.add_virtual_extension_targets(S::COLUMNS); - pw.set_extension_targets(&nexts_t, vars.get_next_values()); - let alphas_t = builder.add_virtual_targets(1); - pw.set_target(alphas_t[0], alphas[0]); - let z_last_t = builder.add_virtual_extension_target(); - pw.set_extension_target(z_last_t, z_last); - let lagrange_first_t = builder.add_virtual_extension_target(); - pw.set_extension_target(lagrange_first_t, lagrange_first); - let lagrange_last_t = builder.add_virtual_extension_target(); - pw.set_extension_target(lagrange_last_t, lagrange_last); - - let vars = S::EvaluationFrameTarget::from_values(&locals_t, &nexts_t); - let mut consumer = RecursiveConstraintConsumer::::new( - builder.zero_extension(), - alphas_t, - z_last_t, - lagrange_first_t, - lagrange_last_t, - ); - stark.eval_ext_circuit(&mut builder, &vars, &mut consumer); - let circuit_eval = consumer.accumulators()[0]; - let native_eval_t = builder.constant_extension(native_eval); - builder.connect_extension(circuit_eval, native_eval_t); - - let data = builder.build::(); - let proof = data.prove(pw)?; - data.verify(proof) -} - -fn random_low_degree_matrix(num_polys: usize, rate_bits: usize) -> Vec> { - let polys = (0..num_polys) - .map(|_| random_low_degree_values(rate_bits)) - .collect::>(); - - transpose(&polys) -} - -fn random_low_degree_values(rate_bits: usize) -> Vec { - PolynomialCoeffs::new(F::rand_vec(WITNESS_SIZE)) - .lde(rate_bits) - .fft() - .values -} diff --git a/evm/src/util.rs b/evm/src/util.rs deleted file mode 100644 index aec2e63e17..0000000000 --- a/evm/src/util.rs +++ /dev/null @@ -1,264 +0,0 @@ -use core::mem::{size_of, transmute_copy, ManuallyDrop}; - -use ethereum_types::{H160, H256, U256}; -use itertools::Itertools; -use num::BigUint; -use plonky2::field::extension::Extendable; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::util::transpose; - -use crate::witness::errors::ProgramError; - -/// Construct an integer from its constituent bits (in little-endian order) -pub(crate) fn limb_from_bits_le(iter: impl IntoIterator) -> P { - // TODO: This is technically wrong, as 1 << i won't be canonical for all fields... - iter.into_iter() - .enumerate() - .map(|(i, bit)| bit * P::Scalar::from_canonical_u64(1 << i)) - .sum() -} - -/// Construct an integer from its constituent bits (in little-endian order): recursive edition -pub(crate) fn limb_from_bits_le_recursive, const D: usize>( - builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder, - iter: impl IntoIterator>, -) -> ExtensionTarget { - iter.into_iter() - .enumerate() - .fold(builder.zero_extension(), |acc, (i, bit)| { - // TODO: This is technically wrong, as 1 << i won't be canonical for all fields... - builder.mul_const_add_extension(F::from_canonical_u64(1 << i), bit, acc) - }) -} - -/// A helper function to transpose a row-wise trace and put it in the format that `prove` expects. -pub(crate) fn trace_rows_to_poly_values( - trace_rows: Vec<[F; COLUMNS]>, -) -> Vec> { - let trace_row_vecs = trace_rows.into_iter().map(|row| row.to_vec()).collect_vec(); - let trace_col_vecs: Vec> = transpose(&trace_row_vecs); - trace_col_vecs - .into_iter() - .map(|column| PolynomialValues::new(column)) - .collect() -} - -/// Returns the lowest LE 32-bit limb of a `U256` as a field element, -/// and errors if the integer is actually greater. -pub(crate) fn u256_to_u32(u256: U256) -> Result { - if TryInto::::try_into(u256).is_err() { - return Err(ProgramError::IntegerTooLarge); - } - - Ok(F::from_canonical_u32(u256.low_u32())) -} - -/// Returns the lowest LE 64-bit word of a `U256` as two field elements -/// each storing a 32-bit limb, and errors if the integer is actually greater. -pub(crate) fn u256_to_u64(u256: U256) -> Result<(F, F), ProgramError> { - if TryInto::::try_into(u256).is_err() { - return Err(ProgramError::IntegerTooLarge); - } - - Ok(( - F::from_canonical_u32(u256.low_u64() as u32), - F::from_canonical_u32((u256.low_u64() >> 32) as u32), - )) -} - -/// Safe alternative to `U256::as_usize()`, which errors in case of overflow instead of panicking. -pub(crate) fn u256_to_usize(u256: U256) -> Result { - u256.try_into().map_err(|_| ProgramError::IntegerTooLarge) -} - -/// Converts a `U256` to a `u8`, erroring in case of overflow instead of panicking. -pub(crate) fn u256_to_u8(u256: U256) -> Result { - u256.try_into().map_err(|_| ProgramError::IntegerTooLarge) -} - -/// Converts a `U256` to a `bool`, erroring in case of overflow instead of panicking. -pub(crate) fn u256_to_bool(u256: U256) -> Result { - if u256 == U256::zero() { - Ok(false) - } else if u256 == U256::one() { - Ok(true) - } else { - Err(ProgramError::IntegerTooLarge) - } -} - -/// Converts a `U256` to a `H160`, erroring in case of overflow instead of panicking. -pub(crate) fn u256_to_h160(u256: U256) -> Result { - if u256.bits() / 8 > 20 { - return Err(ProgramError::IntegerTooLarge); - } - let mut bytes = [0u8; 32]; - u256.to_big_endian(&mut bytes); - Ok(H160( - bytes[12..] - .try_into() - .expect("This conversion cannot fail."), - )) -} - -/// Returns the 32-bit little-endian limbs of a `U256`. -pub(crate) fn u256_limbs(u256: U256) -> [F; 8] { - u256.0 - .into_iter() - .flat_map(|limb_64| { - let lo = limb_64 as u32; - let hi = (limb_64 >> 32) as u32; - [lo, hi] - }) - .map(F::from_canonical_u32) - .collect_vec() - .try_into() - .unwrap() -} - -/// Returns the 32-bit little-endian limbs of a `H256`. -pub(crate) fn h256_limbs(h256: H256) -> [F; 8] { - let mut temp_h256 = h256.0; - temp_h256.reverse(); - temp_h256 - .chunks(4) - .map(|chunk| u32::from_le_bytes(chunk.try_into().unwrap())) - .map(F::from_canonical_u32) - .collect_vec() - .try_into() - .unwrap() -} - -/// Returns the 32-bit limbs of a `U160`. -pub(crate) fn h160_limbs(h160: H160) -> [F; 5] { - h160.0 - .chunks(4) - .map(|chunk| u32::from_le_bytes(chunk.try_into().unwrap())) - .map(F::from_canonical_u32) - .collect_vec() - .try_into() - .unwrap() -} - -pub(crate) const fn indices_arr() -> [usize; N] { - let mut indices_arr = [0; N]; - let mut i = 0; - while i < N { - indices_arr[i] = i; - i += 1; - } - indices_arr -} - -pub(crate) unsafe fn transmute_no_compile_time_size_checks(value: T) -> U { - debug_assert_eq!(size_of::(), size_of::()); - // Need ManuallyDrop so that `value` is not dropped by this function. - let value = ManuallyDrop::new(value); - // Copy the bit pattern. The original value is no longer safe to use. - transmute_copy(&value) -} - -pub(crate) fn addmod(x: U256, y: U256, m: U256) -> U256 { - if m.is_zero() { - return m; - } - let x = u256_to_biguint(x); - let y = u256_to_biguint(y); - let m = u256_to_biguint(m); - biguint_to_u256((x + y) % m) -} - -pub(crate) fn mulmod(x: U256, y: U256, m: U256) -> U256 { - if m.is_zero() { - return m; - } - let x = u256_to_biguint(x); - let y = u256_to_biguint(y); - let m = u256_to_biguint(m); - biguint_to_u256(x * y % m) -} - -pub(crate) fn submod(x: U256, y: U256, m: U256) -> U256 { - if m.is_zero() { - return m; - } - let mut x = u256_to_biguint(x); - let y = u256_to_biguint(y); - let m = u256_to_biguint(m); - while x < y { - x += &m; - } - biguint_to_u256((x - y) % m) -} - -pub(crate) fn u256_to_biguint(x: U256) -> BigUint { - let mut bytes = [0u8; 32]; - x.to_little_endian(&mut bytes); - BigUint::from_bytes_le(&bytes) -} - -pub(crate) fn biguint_to_u256(x: BigUint) -> U256 { - let bytes = x.to_bytes_le(); - // This could panic if `bytes.len() > 32` but this is only - // used here with `BigUint` constructed from `U256`. - U256::from_little_endian(&bytes) -} - -pub(crate) fn mem_vec_to_biguint(x: &[U256]) -> BigUint { - BigUint::from_slice( - &x.iter() - .map(|&n| n.try_into().unwrap()) - .flat_map(|a: u128| { - [ - (a % (1 << 32)) as u32, - ((a >> 32) % (1 << 32)) as u32, - ((a >> 64) % (1 << 32)) as u32, - ((a >> 96) % (1 << 32)) as u32, - ] - }) - .collect::>(), - ) -} - -pub(crate) fn biguint_to_mem_vec(x: BigUint) -> Vec { - let num_limbs = ((x.bits() + 127) / 128) as usize; - - let mut digits = x.iter_u64_digits(); - - let mut mem_vec = Vec::with_capacity(num_limbs); - while let Some(lo) = digits.next() { - let hi = digits.next().unwrap_or(0); - mem_vec.push(U256::from(lo as u128 | (hi as u128) << 64)); - } - mem_vec -} - -pub(crate) fn h2u(h: H256) -> U256 { - U256::from_big_endian(&h.0) -} - -pub(crate) fn get_h160(slice: &[F]) -> H160 { - H160::from_slice( - &slice - .iter() - .rev() - .map(|x| x.to_canonical_u64() as u32) - .flat_map(|limb| limb.to_be_bytes()) - .collect_vec(), - ) -} - -pub(crate) fn get_h256(slice: &[F]) -> H256 { - H256::from_slice( - &slice - .iter() - .rev() - .map(|x| x.to_canonical_u64() as u32) - .flat_map(|limb| limb.to_be_bytes()) - .collect_vec(), - ) -} diff --git a/evm/src/vanishing_poly.rs b/evm/src/vanishing_poly.rs deleted file mode 100644 index c1f2d0f92b..0000000000 --- a/evm/src/vanishing_poly.rs +++ /dev/null @@ -1,81 +0,0 @@ -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::hash::hash_types::RichField; -use plonky2::plonk::circuit_builder::CircuitBuilder; - -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::cross_table_lookup::{ - eval_cross_table_lookup_checks, eval_cross_table_lookup_checks_circuit, CtlCheckVars, - CtlCheckVarsTarget, -}; -use crate::lookup::{ - eval_ext_lookups_circuit, eval_packed_lookups_generic, Lookup, LookupCheckVars, - LookupCheckVarsTarget, -}; -use crate::stark::Stark; - -/// Evaluates all constraint, permutation and cross-table lookup polynomials -/// of the current STARK at the local and next values. -pub(crate) fn eval_vanishing_poly( - stark: &S, - vars: &S::EvaluationFrame, - lookups: &[Lookup], - lookup_vars: Option>, - ctl_vars: &[CtlCheckVars], - consumer: &mut ConstraintConsumer

, -) where - F: RichField + Extendable, - FE: FieldExtension, - P: PackedField, - S: Stark, -{ - // Evaluate all of the STARK's table constraints. - stark.eval_packed_generic(vars, consumer); - if let Some(lookup_vars) = lookup_vars { - // Evaluate the STARK constraints related to the permutation arguments. - eval_packed_lookups_generic::( - stark, - lookups, - vars, - lookup_vars, - consumer, - ); - } - // Evaluate the STARK constraints related to the cross-table lookups. - eval_cross_table_lookup_checks::( - vars, - ctl_vars, - consumer, - stark.constraint_degree(), - ); -} - -/// Circuit version of `eval_vanishing_poly`. -/// Evaluates all constraint, permutation and cross-table lookup polynomials -/// of the current STARK at the local and next values. -pub(crate) fn eval_vanishing_poly_circuit( - builder: &mut CircuitBuilder, - stark: &S, - vars: &S::EvaluationFrameTarget, - lookup_vars: Option>, - ctl_vars: &[CtlCheckVarsTarget], - consumer: &mut RecursiveConstraintConsumer, -) where - F: RichField + Extendable, - S: Stark, -{ - // Evaluate all of the STARK's table constraints. - stark.eval_ext_circuit(builder, vars, consumer); - if let Some(lookup_vars) = lookup_vars { - // Evaluate all of the STARK's constraints related to the permutation argument. - eval_ext_lookups_circuit::(builder, stark, vars, lookup_vars, consumer); - } - // Evaluate all of the STARK's constraints related to the cross-table lookups. - eval_cross_table_lookup_checks_circuit::( - builder, - vars, - ctl_vars, - consumer, - stark.constraint_degree(), - ); -} diff --git a/evm/src/verifier.rs b/evm/src/verifier.rs deleted file mode 100644 index 3e284c7fc4..0000000000 --- a/evm/src/verifier.rs +++ /dev/null @@ -1,635 +0,0 @@ -use core::any::type_name; - -use anyhow::{ensure, Result}; -use ethereum_types::{BigEndianHash, U256}; -use itertools::Itertools; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::types::Field; -use plonky2::fri::verifier::verify_fri_proof; -use plonky2::hash::hash_types::RichField; -use plonky2::plonk::config::GenericConfig; -use plonky2::plonk::plonk_common::reduce_with_powers; - -use crate::all_stark::{AllStark, Table, NUM_TABLES}; -use crate::config::StarkConfig; -use crate::constraint_consumer::ConstraintConsumer; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::cross_table_lookup::{ - num_ctl_helper_columns_by_table, verify_cross_table_lookups, CtlCheckVars, - GrandProductChallengeSet, -}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::lookup::{GrandProductChallenge, LookupCheckVars}; -use crate::memory::segments::Segment; -use crate::memory::VALUE_LIMBS; -use crate::proof::{ - AllProof, AllProofChallenges, PublicValues, StarkOpeningSet, StarkProof, StarkProofChallenges, -}; -use crate::stark::Stark; -use crate::util::h2u; -use crate::vanishing_poly::eval_vanishing_poly; - -pub fn verify_proof, C: GenericConfig, const D: usize>( - all_stark: &AllStark, - all_proof: AllProof, - config: &StarkConfig, -) -> Result<()> -where -{ - let AllProofChallenges { - stark_challenges, - ctl_challenges, - } = all_proof - .get_challenges(config) - .map_err(|_| anyhow::Error::msg("Invalid sampling of proof challenges."))?; - - let num_lookup_columns = all_stark.num_lookups_helper_columns(config); - - let AllStark { - arithmetic_stark, - byte_packing_stark, - cpu_stark, - keccak_stark, - keccak_sponge_stark, - logic_stark, - memory_stark, - cross_table_lookups, - } = all_stark; - - let num_ctl_helper_cols = num_ctl_helper_columns_by_table( - cross_table_lookups, - all_stark.arithmetic_stark.constraint_degree(), - ); - - let ctl_vars_per_table = CtlCheckVars::from_proofs( - &all_proof.stark_proofs, - cross_table_lookups, - &ctl_challenges, - &num_lookup_columns, - &num_ctl_helper_cols, - ); - - verify_stark_proof_with_challenges( - arithmetic_stark, - &all_proof.stark_proofs[Table::Arithmetic as usize].proof, - &stark_challenges[Table::Arithmetic as usize], - &ctl_vars_per_table[Table::Arithmetic as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - byte_packing_stark, - &all_proof.stark_proofs[Table::BytePacking as usize].proof, - &stark_challenges[Table::BytePacking as usize], - &ctl_vars_per_table[Table::BytePacking as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - cpu_stark, - &all_proof.stark_proofs[Table::Cpu as usize].proof, - &stark_challenges[Table::Cpu as usize], - &ctl_vars_per_table[Table::Cpu as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - keccak_stark, - &all_proof.stark_proofs[Table::Keccak as usize].proof, - &stark_challenges[Table::Keccak as usize], - &ctl_vars_per_table[Table::Keccak as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - keccak_sponge_stark, - &all_proof.stark_proofs[Table::KeccakSponge as usize].proof, - &stark_challenges[Table::KeccakSponge as usize], - &ctl_vars_per_table[Table::KeccakSponge as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - logic_stark, - &all_proof.stark_proofs[Table::Logic as usize].proof, - &stark_challenges[Table::Logic as usize], - &ctl_vars_per_table[Table::Logic as usize], - &ctl_challenges, - config, - )?; - verify_stark_proof_with_challenges( - memory_stark, - &all_proof.stark_proofs[Table::Memory as usize].proof, - &stark_challenges[Table::Memory as usize], - &ctl_vars_per_table[Table::Memory as usize], - &ctl_challenges, - config, - )?; - - let public_values = all_proof.public_values; - - // Extra sums to add to the looked last value. - // Only necessary for the Memory values. - let mut extra_looking_sums = vec![vec![F::ZERO; config.num_challenges]; NUM_TABLES]; - - // Memory - extra_looking_sums[Table::Memory as usize] = (0..config.num_challenges) - .map(|i| get_memory_extra_looking_sum(&public_values, ctl_challenges.challenges[i])) - .collect_vec(); - - verify_cross_table_lookups::( - cross_table_lookups, - all_proof - .stark_proofs - .map(|p| p.proof.openings.ctl_zs_first), - extra_looking_sums, - config, - ) -} - -/// Computes the extra product to multiply to the looked value. It contains memory operations not in the CPU trace: -/// - block metadata writes, -/// - trie roots writes. -pub(crate) fn get_memory_extra_looking_sum( - public_values: &PublicValues, - challenge: GrandProductChallenge, -) -> F -where - F: RichField + Extendable, -{ - let mut sum = F::ZERO; - - // Add metadata and tries writes. - let fields = [ - ( - GlobalMetadata::BlockBeneficiary, - U256::from_big_endian(&public_values.block_metadata.block_beneficiary.0), - ), - ( - GlobalMetadata::BlockTimestamp, - public_values.block_metadata.block_timestamp, - ), - ( - GlobalMetadata::BlockNumber, - public_values.block_metadata.block_number, - ), - ( - GlobalMetadata::BlockRandom, - public_values.block_metadata.block_random.into_uint(), - ), - ( - GlobalMetadata::BlockDifficulty, - public_values.block_metadata.block_difficulty, - ), - ( - GlobalMetadata::BlockGasLimit, - public_values.block_metadata.block_gaslimit, - ), - ( - GlobalMetadata::BlockChainId, - public_values.block_metadata.block_chain_id, - ), - ( - GlobalMetadata::BlockBaseFee, - public_values.block_metadata.block_base_fee, - ), - ( - GlobalMetadata::BlockCurrentHash, - h2u(public_values.block_hashes.cur_hash), - ), - ( - GlobalMetadata::BlockGasUsed, - public_values.block_metadata.block_gas_used, - ), - ( - GlobalMetadata::TxnNumberBefore, - public_values.extra_block_data.txn_number_before, - ), - ( - GlobalMetadata::TxnNumberAfter, - public_values.extra_block_data.txn_number_after, - ), - ( - GlobalMetadata::BlockGasUsedBefore, - public_values.extra_block_data.gas_used_before, - ), - ( - GlobalMetadata::BlockGasUsedAfter, - public_values.extra_block_data.gas_used_after, - ), - ( - GlobalMetadata::StateTrieRootDigestBefore, - h2u(public_values.trie_roots_before.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestBefore, - h2u(public_values.trie_roots_before.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestBefore, - h2u(public_values.trie_roots_before.receipts_root), - ), - ( - GlobalMetadata::StateTrieRootDigestAfter, - h2u(public_values.trie_roots_after.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestAfter, - h2u(public_values.trie_roots_after.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestAfter, - h2u(public_values.trie_roots_after.receipts_root), - ), - (GlobalMetadata::KernelHash, h2u(KERNEL.code_hash)), - (GlobalMetadata::KernelLen, KERNEL.code.len().into()), - ]; - - let segment = F::from_canonical_usize(Segment::GlobalMetadata.unscale()); - - fields.map(|(field, val)| { - // These fields are already scaled by their segment, and are in context 0 (kernel). - sum = add_data_write(challenge, segment, sum, field.unscale(), val) - }); - - // Add block bloom writes. - let bloom_segment = F::from_canonical_usize(Segment::GlobalBlockBloom.unscale()); - for index in 0..8 { - let val = public_values.block_metadata.block_bloom[index]; - sum = add_data_write(challenge, bloom_segment, sum, index, val); - } - - // Add Blockhashes writes. - let block_hashes_segment = F::from_canonical_usize(Segment::BlockHashes.unscale()); - for index in 0..256 { - let val = h2u(public_values.block_hashes.prev_hashes[index]); - sum = add_data_write(challenge, block_hashes_segment, sum, index, val); - } - - sum -} - -fn add_data_write( - challenge: GrandProductChallenge, - segment: F, - running_sum: F, - index: usize, - val: U256, -) -> F -where - F: RichField + Extendable, -{ - let mut row = [F::ZERO; 13]; - row[0] = F::ZERO; // is_read - row[1] = F::ZERO; // context - row[2] = segment; - row[3] = F::from_canonical_usize(index); - - for j in 0..VALUE_LIMBS { - row[j + 4] = F::from_canonical_u32((val >> (j * 32)).low_u32()); - } - row[12] = F::ONE; // timestamp - running_sum + challenge.combine(row.iter()).inverse() -} - -pub(crate) fn verify_stark_proof_with_challenges< - F: RichField + Extendable, - C: GenericConfig, - S: Stark, - const D: usize, ->( - stark: &S, - proof: &StarkProof, - challenges: &StarkProofChallenges, - ctl_vars: &[CtlCheckVars], - ctl_challenges: &GrandProductChallengeSet, - config: &StarkConfig, -) -> Result<()> { - log::debug!("Checking proof: {}", type_name::()); - let num_ctl_polys = ctl_vars - .iter() - .map(|ctl| ctl.helper_columns.len()) - .sum::(); - let num_ctl_z_polys = ctl_vars.len(); - validate_proof_shape(stark, proof, config, num_ctl_polys, num_ctl_z_polys)?; - let StarkOpeningSet { - local_values, - next_values, - auxiliary_polys, - auxiliary_polys_next, - ctl_zs_first: _, - quotient_polys, - } = &proof.openings; - let vars = S::EvaluationFrame::from_values(local_values, next_values); - - let degree_bits = proof.recover_degree_bits(config); - let (l_0, l_last) = eval_l_0_and_l_last(degree_bits, challenges.stark_zeta); - let last = F::primitive_root_of_unity(degree_bits).inverse(); - let z_last = challenges.stark_zeta - last.into(); - let mut consumer = ConstraintConsumer::::new( - challenges - .stark_alphas - .iter() - .map(|&alpha| F::Extension::from_basefield(alpha)) - .collect::>(), - z_last, - l_0, - l_last, - ); - let num_lookup_columns = stark.num_lookup_helper_columns(config); - let lookup_challenges = (num_lookup_columns > 0).then(|| { - ctl_challenges - .challenges - .iter() - .map(|ch| ch.beta) - .collect::>() - }); - - let lookup_vars = stark.uses_lookups().then(|| LookupCheckVars { - local_values: auxiliary_polys[..num_lookup_columns].to_vec(), - next_values: auxiliary_polys_next[..num_lookup_columns].to_vec(), - challenges: lookup_challenges.unwrap(), - }); - let lookups = stark.lookups(); - eval_vanishing_poly::( - stark, - &vars, - &lookups, - lookup_vars, - ctl_vars, - &mut consumer, - ); - let vanishing_polys_zeta = consumer.accumulators(); - - // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta. - let zeta_pow_deg = challenges.stark_zeta.exp_power_of_2(degree_bits); - let z_h_zeta = zeta_pow_deg - F::Extension::ONE; - // `quotient_polys_zeta` holds `num_challenges * quotient_degree_factor` evaluations. - // Each chunk of `quotient_degree_factor` holds the evaluations of `t_0(zeta),...,t_{quotient_degree_factor-1}(zeta)` - // where the "real" quotient polynomial is `t(X) = t_0(X) + t_1(X)*X^n + t_2(X)*X^{2n} + ...`. - // So to reconstruct `t(zeta)` we can compute `reduce_with_powers(chunk, zeta^n)` for each - // `quotient_degree_factor`-sized chunk of the original evaluations. - for (i, chunk) in quotient_polys - .chunks(stark.quotient_degree_factor()) - .enumerate() - { - ensure!( - vanishing_polys_zeta[i] == z_h_zeta * reduce_with_powers(chunk, zeta_pow_deg), - "Mismatch between evaluation and opening of quotient polynomial" - ); - } - - let merkle_caps = vec![ - proof.trace_cap.clone(), - proof.auxiliary_polys_cap.clone(), - proof.quotient_polys_cap.clone(), - ]; - - let num_ctl_zs = ctl_vars - .iter() - .map(|ctl| ctl.helper_columns.len()) - .collect::>(); - verify_fri_proof::( - &stark.fri_instance( - challenges.stark_zeta, - F::primitive_root_of_unity(degree_bits), - num_ctl_polys, - num_ctl_zs, - config, - ), - &proof.openings.to_fri_openings(), - &challenges.fri_challenges, - &merkle_caps, - &proof.opening_proof, - &config.fri_params(degree_bits), - )?; - - Ok(()) -} - -fn validate_proof_shape( - stark: &S, - proof: &StarkProof, - config: &StarkConfig, - num_ctl_helpers: usize, - num_ctl_zs: usize, -) -> anyhow::Result<()> -where - F: RichField + Extendable, - C: GenericConfig, - S: Stark, -{ - let StarkProof { - trace_cap, - auxiliary_polys_cap, - quotient_polys_cap, - openings, - // The shape of the opening proof will be checked in the FRI verifier (see - // validate_fri_proof_shape), so we ignore it here. - opening_proof: _, - } = proof; - - let StarkOpeningSet { - local_values, - next_values, - auxiliary_polys, - auxiliary_polys_next, - ctl_zs_first, - quotient_polys, - } = openings; - - let degree_bits = proof.recover_degree_bits(config); - let fri_params = config.fri_params(degree_bits); - let cap_height = fri_params.config.cap_height; - - let num_auxiliary = num_ctl_helpers + stark.num_lookup_helper_columns(config) + num_ctl_zs; - - ensure!(trace_cap.height() == cap_height); - ensure!(auxiliary_polys_cap.height() == cap_height); - ensure!(quotient_polys_cap.height() == cap_height); - - ensure!(local_values.len() == S::COLUMNS); - ensure!(next_values.len() == S::COLUMNS); - ensure!(auxiliary_polys.len() == num_auxiliary); - ensure!(auxiliary_polys_next.len() == num_auxiliary); - ensure!(ctl_zs_first.len() == num_ctl_zs); - ensure!(quotient_polys.len() == stark.num_quotient_polys(config)); - - Ok(()) -} - -/// Evaluate the Lagrange polynomials `L_0` and `L_(n-1)` at a point `x`. -/// `L_0(x) = (x^n - 1)/(n * (x - 1))` -/// `L_(n-1)(x) = (x^n - 1)/(n * (g * x - 1))`, with `g` the first element of the subgroup. -fn eval_l_0_and_l_last(log_n: usize, x: F) -> (F, F) { - let n = F::from_canonical_usize(1 << log_n); - let g = F::primitive_root_of_unity(log_n); - let z_x = x.exp_power_of_2(log_n) - F::ONE; - let invs = F::batch_multiplicative_inverse(&[n * (x - F::ONE), n * (g * x - F::ONE)]); - - (z_x * invs[0], z_x * invs[1]) -} - -#[cfg(test)] -pub(crate) mod testutils { - use super::*; - - /// Output all the extra memory rows that don't appear in the CPU trace but are - /// necessary to correctly check the MemoryStark CTL. - pub(crate) fn get_memory_extra_looking_values( - public_values: &PublicValues, - ) -> Vec> - where - F: RichField + Extendable, - { - // Add metadata and tries writes. - let fields = [ - ( - GlobalMetadata::BlockBeneficiary, - U256::from_big_endian(&public_values.block_metadata.block_beneficiary.0), - ), - ( - GlobalMetadata::BlockTimestamp, - public_values.block_metadata.block_timestamp, - ), - ( - GlobalMetadata::BlockNumber, - public_values.block_metadata.block_number, - ), - ( - GlobalMetadata::BlockRandom, - public_values.block_metadata.block_random.into_uint(), - ), - ( - GlobalMetadata::BlockDifficulty, - public_values.block_metadata.block_difficulty, - ), - ( - GlobalMetadata::BlockGasLimit, - public_values.block_metadata.block_gaslimit, - ), - ( - GlobalMetadata::BlockChainId, - public_values.block_metadata.block_chain_id, - ), - ( - GlobalMetadata::BlockBaseFee, - public_values.block_metadata.block_base_fee, - ), - ( - GlobalMetadata::BlockCurrentHash, - h2u(public_values.block_hashes.cur_hash), - ), - ( - GlobalMetadata::BlockGasUsed, - public_values.block_metadata.block_gas_used, - ), - ( - GlobalMetadata::TxnNumberBefore, - public_values.extra_block_data.txn_number_before, - ), - ( - GlobalMetadata::TxnNumberAfter, - public_values.extra_block_data.txn_number_after, - ), - ( - GlobalMetadata::BlockGasUsedBefore, - public_values.extra_block_data.gas_used_before, - ), - ( - GlobalMetadata::BlockGasUsedAfter, - public_values.extra_block_data.gas_used_after, - ), - ( - GlobalMetadata::StateTrieRootDigestBefore, - h2u(public_values.trie_roots_before.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestBefore, - h2u(public_values.trie_roots_before.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestBefore, - h2u(public_values.trie_roots_before.receipts_root), - ), - ( - GlobalMetadata::StateTrieRootDigestAfter, - h2u(public_values.trie_roots_after.state_root), - ), - ( - GlobalMetadata::TransactionTrieRootDigestAfter, - h2u(public_values.trie_roots_after.transactions_root), - ), - ( - GlobalMetadata::ReceiptTrieRootDigestAfter, - h2u(public_values.trie_roots_after.receipts_root), - ), - (GlobalMetadata::KernelHash, h2u(KERNEL.code_hash)), - (GlobalMetadata::KernelLen, KERNEL.code.len().into()), - ]; - - let segment = F::from_canonical_usize(Segment::GlobalMetadata.unscale()); - let mut extra_looking_rows = Vec::new(); - - fields.map(|(field, val)| { - extra_looking_rows.push(add_extra_looking_row(segment, field.unscale(), val)) - }); - - // Add block bloom writes. - let bloom_segment = F::from_canonical_usize(Segment::GlobalBlockBloom.unscale()); - for index in 0..8 { - let val = public_values.block_metadata.block_bloom[index]; - extra_looking_rows.push(add_extra_looking_row(bloom_segment, index, val)); - } - - // Add Blockhashes writes. - let block_hashes_segment = F::from_canonical_usize(Segment::BlockHashes.unscale()); - for index in 0..256 { - let val = h2u(public_values.block_hashes.prev_hashes[index]); - extra_looking_rows.push(add_extra_looking_row(block_hashes_segment, index, val)); - } - - extra_looking_rows - } - - fn add_extra_looking_row(segment: F, index: usize, val: U256) -> Vec - where - F: RichField + Extendable, - { - let mut row = vec![F::ZERO; 13]; - row[0] = F::ZERO; // is_read - row[1] = F::ZERO; // context - row[2] = segment; - row[3] = F::from_canonical_usize(index); - - for j in 0..VALUE_LIMBS { - row[j + 4] = F::from_canonical_u32((val >> (j * 32)).low_u32()); - } - row[12] = F::ONE; // timestamp - row - } -} -#[cfg(test)] -mod tests { - use plonky2::field::goldilocks_field::GoldilocksField; - use plonky2::field::polynomial::PolynomialValues; - use plonky2::field::types::Sample; - - use crate::verifier::eval_l_0_and_l_last; - - #[test] - fn test_eval_l_0_and_l_last() { - type F = GoldilocksField; - let log_n = 5; - let n = 1 << log_n; - - let x = F::rand(); // challenge point - let expected_l_first_x = PolynomialValues::selector(n, 0).ifft().eval(x); - let expected_l_last_x = PolynomialValues::selector(n, n - 1).ifft().eval(x); - - let (l_first_x, l_last_x) = eval_l_0_and_l_last(log_n, x); - assert_eq!(l_first_x, expected_l_first_x); - assert_eq!(l_last_x, expected_l_last_x); - } -} diff --git a/evm/src/witness/errors.rs b/evm/src/witness/errors.rs deleted file mode 100644 index 1b266aefde..0000000000 --- a/evm/src/witness/errors.rs +++ /dev/null @@ -1,41 +0,0 @@ -use ethereum_types::U256; - -#[derive(Debug)] -pub enum ProgramError { - OutOfGas, - InvalidOpcode, - StackUnderflow, - InvalidRlp, - InvalidJumpDestination, - InvalidJumpiDestination, - StackOverflow, - KernelPanic, - MemoryError(MemoryError), - GasLimitError, - InterpreterError, - IntegerTooLarge, - ProverInputError(ProverInputError), - UnknownContractCode, -} - -#[allow(clippy::enum_variant_names)] -#[derive(Debug)] -pub enum MemoryError { - ContextTooLarge { context: U256 }, - SegmentTooLarge { segment: U256 }, - VirtTooLarge { virt: U256 }, -} - -#[derive(Debug)] -pub enum ProverInputError { - OutOfMptData, - OutOfRlpData, - OutOfWithdrawalData, - CodeHashNotFound, - InvalidMptInput, - InvalidInput, - InvalidFunction, - NumBitsError, - InvalidJumpDestination, - InvalidJumpdestSimulation, -} diff --git a/evm/src/witness/gas.rs b/evm/src/witness/gas.rs deleted file mode 100644 index 54597a3ebc..0000000000 --- a/evm/src/witness/gas.rs +++ /dev/null @@ -1,56 +0,0 @@ -use crate::witness::operation::Operation; - -pub(crate) const KERNEL_ONLY_INSTR: u64 = 0; -pub(crate) const G_JUMPDEST: u64 = 1; -pub(crate) const G_BASE: u64 = 2; -pub(crate) const G_VERYLOW: u64 = 3; -pub(crate) const G_LOW: u64 = 5; -pub(crate) const G_MID: u64 = 8; -pub(crate) const G_HIGH: u64 = 10; - -pub(crate) const fn gas_to_charge(op: Operation) -> u64 { - use crate::arithmetic::BinaryOperator::*; - use crate::arithmetic::TernaryOperator::*; - use crate::witness::operation::Operation::*; - match op { - Iszero => G_VERYLOW, - Not => G_VERYLOW, - Syscall(_, _, _) => KERNEL_ONLY_INSTR, - Eq => G_VERYLOW, - BinaryLogic(_) => G_VERYLOW, - BinaryArithmetic(Add) => G_VERYLOW, - BinaryArithmetic(Mul) => G_LOW, - BinaryArithmetic(Sub) => G_VERYLOW, - BinaryArithmetic(Div) => G_LOW, - BinaryArithmetic(Mod) => G_LOW, - BinaryArithmetic(Lt) => G_VERYLOW, - BinaryArithmetic(Gt) => G_VERYLOW, - BinaryArithmetic(Byte) => G_VERYLOW, - BinaryArithmetic(Shl) => G_VERYLOW, - BinaryArithmetic(Shr) => G_VERYLOW, - BinaryArithmetic(AddFp254) => KERNEL_ONLY_INSTR, - BinaryArithmetic(MulFp254) => KERNEL_ONLY_INSTR, - BinaryArithmetic(SubFp254) => KERNEL_ONLY_INSTR, - TernaryArithmetic(AddMod) => G_MID, - TernaryArithmetic(MulMod) => G_MID, - TernaryArithmetic(SubMod) => KERNEL_ONLY_INSTR, - KeccakGeneral => KERNEL_ONLY_INSTR, - ProverInput => KERNEL_ONLY_INSTR, - Pop => G_BASE, - Jump => G_MID, - Jumpi => G_HIGH, - Pc => G_BASE, - Jumpdest => G_JUMPDEST, - Push(0) => G_BASE, - Push(1..) => G_VERYLOW, - Dup(_) => G_VERYLOW, - Swap(_) => G_VERYLOW, - GetContext => KERNEL_ONLY_INSTR, - SetContext => KERNEL_ONLY_INSTR, - Mload32Bytes => KERNEL_ONLY_INSTR, - Mstore32Bytes(_) => KERNEL_ONLY_INSTR, - ExitKernel => KERNEL_ONLY_INSTR, - MloadGeneral => KERNEL_ONLY_INSTR, - MstoreGeneral => KERNEL_ONLY_INSTR, - } -} diff --git a/evm/src/witness/memory.rs b/evm/src/witness/memory.rs deleted file mode 100644 index e6cb14f987..0000000000 --- a/evm/src/witness/memory.rs +++ /dev/null @@ -1,282 +0,0 @@ -use ethereum_types::U256; - -use crate::cpu::membus::{NUM_CHANNELS, NUM_GP_CHANNELS}; - -#[derive(Clone, Copy, Debug)] -pub(crate) enum MemoryChannel { - Code, - GeneralPurpose(usize), - PartialChannel, -} - -use MemoryChannel::{Code, GeneralPurpose, PartialChannel}; - -use super::operation::CONTEXT_SCALING_FACTOR; -use crate::cpu::kernel::constants::global_metadata::GlobalMetadata; -use crate::memory::segments::{Segment, SEGMENT_SCALING_FACTOR}; -use crate::witness::errors::MemoryError::{ContextTooLarge, SegmentTooLarge, VirtTooLarge}; -use crate::witness::errors::ProgramError; -use crate::witness::errors::ProgramError::MemoryError; - -impl MemoryChannel { - pub(crate) fn index(&self) -> usize { - match *self { - Code => 0, - GeneralPurpose(n) => { - assert!(n < NUM_GP_CHANNELS); - n + 1 - } - PartialChannel => NUM_GP_CHANNELS + 1, - } - } -} - -#[derive(Clone, Copy, Debug, Eq, PartialEq, Hash)] -pub(crate) struct MemoryAddress { - pub(crate) context: usize, - pub(crate) segment: usize, - pub(crate) virt: usize, -} - -impl MemoryAddress { - pub(crate) const fn new(context: usize, segment: Segment, virt: usize) -> Self { - Self { - context, - // segment is scaled - segment: segment.unscale(), - virt, - } - } - - pub(crate) fn new_u256s( - context: U256, - segment: U256, - virt: U256, - ) -> Result { - if context.bits() > 32 { - return Err(MemoryError(ContextTooLarge { context })); - } - if segment >= Segment::COUNT.into() { - return Err(MemoryError(SegmentTooLarge { segment })); - } - if virt.bits() > 32 { - return Err(MemoryError(VirtTooLarge { virt })); - } - - // Calling `as_usize` here is safe as those have been checked above. - Ok(Self { - context: context.as_usize(), - segment: segment.as_usize(), - virt: virt.as_usize(), - }) - } - - /// Creates a new `MemoryAddress` from a bundled address fitting a `U256`. - /// It will recover the virtual offset as the lowest 32-bit limb, the segment - /// as the next limb, and the context as the next one. - pub(crate) fn new_bundle(addr: U256) -> Result { - let virt = addr.low_u32().into(); - let segment = (addr >> SEGMENT_SCALING_FACTOR).low_u32().into(); - let context = (addr >> CONTEXT_SCALING_FACTOR).low_u32().into(); - - Self::new_u256s(context, segment, virt) - } - - pub(crate) fn increment(&mut self) { - self.virt = self.virt.saturating_add(1); - } -} - -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub(crate) enum MemoryOpKind { - Read, - Write, -} - -#[derive(Clone, Copy, Debug)] -pub(crate) struct MemoryOp { - /// true if this is an actual memory operation, or false if it's a padding row. - pub filter: bool, - pub timestamp: usize, - pub address: MemoryAddress, - pub kind: MemoryOpKind, - pub value: U256, -} - -pub(crate) static DUMMY_MEMOP: MemoryOp = MemoryOp { - filter: false, - timestamp: 0, - address: MemoryAddress { - context: 0, - segment: 0, - virt: 0, - }, - kind: MemoryOpKind::Read, - value: U256::zero(), -}; - -impl MemoryOp { - pub(crate) fn new( - channel: MemoryChannel, - clock: usize, - address: MemoryAddress, - kind: MemoryOpKind, - value: U256, - ) -> Self { - let timestamp = clock * NUM_CHANNELS + channel.index(); - MemoryOp { - filter: true, - timestamp, - address, - kind, - value, - } - } - - pub(crate) const fn new_dummy_read( - address: MemoryAddress, - timestamp: usize, - value: U256, - ) -> Self { - Self { - filter: false, - timestamp, - address, - kind: MemoryOpKind::Read, - value, - } - } - - pub(crate) const fn sorting_key(&self) -> (usize, usize, usize, usize) { - ( - self.address.context, - self.address.segment, - self.address.virt, - self.timestamp, - ) - } -} - -#[derive(Clone, Debug)] -pub(crate) struct MemoryState { - pub(crate) contexts: Vec, -} - -impl MemoryState { - pub(crate) fn new(kernel_code: &[u8]) -> Self { - let code_u256s = kernel_code.iter().map(|&x| x.into()).collect(); - let mut result = Self::default(); - result.contexts[0].segments[Segment::Code.unscale()].content = code_u256s; - result - } - - pub(crate) fn apply_ops(&mut self, ops: &[MemoryOp]) { - for &op in ops { - let MemoryOp { - address, - kind, - value, - .. - } = op; - if kind == MemoryOpKind::Write { - self.set(address, value); - } - } - } - - pub(crate) fn get(&self, address: MemoryAddress) -> U256 { - if address.context >= self.contexts.len() { - return U256::zero(); - } - - let segment = Segment::all()[address.segment]; - - if let Some(constant) = Segment::constant(&segment, address.virt) { - return constant; - } - - let val = self.contexts[address.context].segments[address.segment].get(address.virt); - assert!( - val.bits() <= segment.bit_range(), - "Value {} exceeds {:?} range of {} bits", - val, - segment, - segment.bit_range() - ); - val - } - - pub(crate) fn set(&mut self, address: MemoryAddress, val: U256) { - while address.context >= self.contexts.len() { - self.contexts.push(MemoryContextState::default()); - } - - let segment = Segment::all()[address.segment]; - - if let Some(constant) = Segment::constant(&segment, address.virt) { - assert!( - constant == val, - "Attempting to set constant {} to incorrect value", - address.virt - ); - return; - } - assert!( - val.bits() <= segment.bit_range(), - "Value {} exceeds {:?} range of {} bits", - val, - segment, - segment.bit_range() - ); - self.contexts[address.context].segments[address.segment].set(address.virt, val); - } - - // These fields are already scaled by their respective segment. - pub(crate) fn read_global_metadata(&self, field: GlobalMetadata) -> U256 { - self.get(MemoryAddress::new_bundle(U256::from(field as usize)).unwrap()) - } -} - -impl Default for MemoryState { - fn default() -> Self { - Self { - // We start with an initial context for the kernel. - contexts: vec![MemoryContextState::default()], - } - } -} - -#[derive(Clone, Debug)] -pub(crate) struct MemoryContextState { - /// The content of each memory segment. - pub(crate) segments: [MemorySegmentState; Segment::COUNT], -} - -impl Default for MemoryContextState { - fn default() -> Self { - Self { - segments: std::array::from_fn(|_| MemorySegmentState::default()), - } - } -} - -#[derive(Clone, Default, Debug)] -pub(crate) struct MemorySegmentState { - pub(crate) content: Vec, -} - -impl MemorySegmentState { - pub(crate) fn get(&self, virtual_addr: usize) -> U256 { - self.content - .get(virtual_addr) - .copied() - .unwrap_or(U256::zero()) - } - - pub(crate) fn set(&mut self, virtual_addr: usize, value: U256) { - if virtual_addr >= self.content.len() { - self.content.resize(virtual_addr + 1, U256::zero()); - } - self.content[virtual_addr] = value; - } -} diff --git a/evm/src/witness/mod.rs b/evm/src/witness/mod.rs deleted file mode 100644 index a38a552299..0000000000 --- a/evm/src/witness/mod.rs +++ /dev/null @@ -1,8 +0,0 @@ -pub(crate) mod errors; -pub(crate) mod gas; -pub(crate) mod memory; -pub(crate) mod operation; -pub(crate) mod state; -pub(crate) mod traces; -pub mod transition; -pub(crate) mod util; diff --git a/evm/src/witness/operation.rs b/evm/src/witness/operation.rs deleted file mode 100644 index 8c09fa00a2..0000000000 --- a/evm/src/witness/operation.rs +++ /dev/null @@ -1,1003 +0,0 @@ -use ethereum_types::{BigEndianHash, U256}; -use itertools::Itertools; -use keccak_hash::keccak; -use plonky2::field::types::Field; - -use super::util::{ - byte_packing_log, byte_unpacking_log, mem_read_with_log, mem_write_log, - mem_write_partial_log_and_fill, push_no_write, push_with_write, -}; -use crate::arithmetic::BinaryOperator; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::assembler::BYTES_PER_OFFSET; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::cpu::membus::NUM_GP_CHANNELS; -use crate::cpu::simple_logic::eq_iszero::generate_pinv_diff; -use crate::cpu::stack::MAX_USER_STACK_SIZE; -use crate::extension_tower::BN_BASE; -use crate::generation::state::GenerationState; -use crate::memory::segments::Segment; -use crate::util::u256_to_usize; -use crate::witness::errors::MemoryError::VirtTooLarge; -use crate::witness::errors::ProgramError; -use crate::witness::memory::{MemoryAddress, MemoryChannel, MemoryOp, MemoryOpKind}; -use crate::witness::operation::MemoryChannel::GeneralPurpose; -use crate::witness::transition::fill_stack_fields; -use crate::witness::util::{ - keccak_sponge_log, mem_read_gp_with_log_and_fill, mem_write_gp_log_and_fill, - stack_pop_with_log_and_fill, -}; -use crate::{arithmetic, logic}; - -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub(crate) enum Operation { - Iszero, - Not, - Syscall(u8, usize, bool), // (syscall number, minimum stack length, increases stack length) - Eq, - BinaryLogic(logic::Op), - BinaryArithmetic(arithmetic::BinaryOperator), - TernaryArithmetic(arithmetic::TernaryOperator), - KeccakGeneral, - ProverInput, - Pop, - Jump, - Jumpi, - Pc, - Jumpdest, - Push(u8), - Dup(u8), - Swap(u8), - GetContext, - SetContext, - Mload32Bytes, - Mstore32Bytes(u8), - ExitKernel, - MloadGeneral, - MstoreGeneral, -} - -// Contexts in the kernel are shifted by 2^64, so that they can be combined with -// the segment and virtual address components in a single U256 word. -pub(crate) const CONTEXT_SCALING_FACTOR: usize = 64; - -/// Adds a CPU row filled with the two inputs and the output of a logic operation. -/// Generates a new logic operation and adds it to the vector of operation in `LogicStark`. -/// Adds three memory read operations to `MemoryStark`: for the two inputs and the output. -pub(crate) fn generate_binary_logic_op( - op: logic::Op, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(in0, _), (in1, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - let operation = logic::Operation::new(op, in0, in1); - - push_no_write(state, operation.result); - - state.traces.push_logic(operation); - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_binary_arithmetic_op( - operator: arithmetic::BinaryOperator, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(input0, _), (input1, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - let operation = arithmetic::Operation::binary(operator, input0, input1); - - if operator == arithmetic::BinaryOperator::AddFp254 - || operator == arithmetic::BinaryOperator::MulFp254 - || operator == arithmetic::BinaryOperator::SubFp254 - { - let channel = &mut row.mem_channels[2]; - - let val_limbs: [u64; 4] = BN_BASE.0; - for (i, limb) in val_limbs.into_iter().enumerate() { - channel.value[2 * i] = F::from_canonical_u32(limb as u32); - channel.value[2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } - } - - push_no_write(state, operation.result()); - - state.traces.push_arithmetic(operation); - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_ternary_arithmetic_op( - operator: arithmetic::TernaryOperator, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(input0, _), (input1, log_in1), (input2, log_in2)] = - stack_pop_with_log_and_fill::<3, _>(state, &mut row)?; - let operation = arithmetic::Operation::ternary(operator, input0, input1, input2); - - push_no_write(state, operation.result()); - - state.traces.push_arithmetic(operation); - state.traces.push_memory(log_in1); - state.traces.push_memory(log_in2); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_keccak_general( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(addr, _), (len, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - let len = u256_to_usize(len)?; - - let base_address = MemoryAddress::new_bundle(addr)?; - let input = (0..len) - .map(|i| { - let address = MemoryAddress { - virt: base_address.virt.saturating_add(i), - ..base_address - }; - let val = state.memory.get(address); - val.low_u32() as u8 - }) - .collect_vec(); - log::debug!("Hashing {:?}", input); - - let hash = keccak(&input); - push_no_write(state, hash.into_uint()); - - keccak_sponge_log(state, base_address, input); - - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_prover_input( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let pc = state.registers.program_counter; - let input_fn = &KERNEL.prover_inputs[&pc]; - let input = state.prover_input(input_fn)?; - let opcode = 0x49.into(); - // `ArithmeticStark` range checks `mem_channels[0]`, which contains - // the top of the stack, `mem_channels[1]`, `mem_channels[2]` and - // next_row's `mem_channels[0]` which contains the next top of the stack. - // Our goal here is to range-check the input, in the next stack top. - let range_check_op = arithmetic::Operation::range_check( - state.registers.stack_top, - U256::from(0), - U256::from(0), - opcode, - input, - ); - - push_with_write(state, &mut row, input)?; - - state.traces.push_arithmetic(range_check_op); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_pop( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(_, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - - let diff = row.stack_len - F::ONE; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - row.general.stack_mut().stack_inv_aux_2 = F::ONE; - state.registers.is_stack_top_read = true; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_cpu(row); - - Ok(()) -} - -pub(crate) fn generate_jump( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(dst, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - - let dst: u32 = dst - .try_into() - .map_err(|_| ProgramError::InvalidJumpDestination)?; - - let (jumpdest_bit, jumpdest_bit_log) = mem_read_gp_with_log_and_fill( - NUM_GP_CHANNELS - 1, - MemoryAddress::new(state.registers.context, Segment::JumpdestBits, dst as usize), - state, - &mut row, - ); - - row.mem_channels[1].value[0] = F::ONE; - - if state.registers.is_kernel { - // Don't actually do the read, just set the address, etc. - let channel = &mut row.mem_channels[NUM_GP_CHANNELS - 1]; - channel.used = F::ZERO; - channel.value[0] = F::ONE; - } else { - if jumpdest_bit != U256::one() { - return Err(ProgramError::InvalidJumpDestination); - } - state.traces.push_memory(jumpdest_bit_log); - } - - // Extra fields required by the constraints. - row.general.jumps_mut().should_jump = F::ONE; - row.general.jumps_mut().cond_sum_pinv = F::ONE; - - let diff = row.stack_len - F::ONE; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_cpu(row); - state.jump_to(dst as usize)?; - Ok(()) -} - -pub(crate) fn generate_jumpi( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(dst, _), (cond, log_cond)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - - let should_jump = !cond.is_zero(); - if should_jump { - row.general.jumps_mut().should_jump = F::ONE; - let cond_sum_u64 = cond - .0 - .into_iter() - .map(|limb| ((limb as u32) as u64) + (limb >> 32)) - .sum(); - let cond_sum = F::from_canonical_u64(cond_sum_u64); - row.general.jumps_mut().cond_sum_pinv = cond_sum.inverse(); - - let dst: u32 = dst - .try_into() - .map_err(|_| ProgramError::InvalidJumpiDestination)?; - state.jump_to(dst as usize)?; - } else { - row.general.jumps_mut().should_jump = F::ZERO; - row.general.jumps_mut().cond_sum_pinv = F::ZERO; - state.registers.program_counter += 1; - } - - let (jumpdest_bit, jumpdest_bit_log) = mem_read_gp_with_log_and_fill( - NUM_GP_CHANNELS - 1, - MemoryAddress::new( - state.registers.context, - Segment::JumpdestBits, - dst.low_u32() as usize, - ), - state, - &mut row, - ); - if !should_jump || state.registers.is_kernel { - // Don't actually do the read, just set the address, etc. - let channel = &mut row.mem_channels[NUM_GP_CHANNELS - 1]; - channel.used = F::ZERO; - channel.value[0] = F::ONE; - } else { - if jumpdest_bit != U256::one() { - return Err(ProgramError::InvalidJumpiDestination); - } - state.traces.push_memory(jumpdest_bit_log); - } - - let diff = row.stack_len - F::TWO; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_memory(log_cond); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_pc( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - push_with_write(state, &mut row, state.registers.program_counter.into())?; - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_jumpdest( - state: &mut GenerationState, - row: CpuColumnsView, -) -> Result<(), ProgramError> { - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_get_context( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - // Same logic as push_with_write, but we have to use channel 3 for stack constraint reasons. - let write = if state.registers.stack_len == 0 { - None - } else { - let address = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1, - ); - let res = mem_write_gp_log_and_fill(2, address, state, &mut row, state.registers.stack_top); - Some(res) - }; - push_no_write( - state, - // The fetched value needs to be scaled before being pushed. - U256::from(state.registers.context) << CONTEXT_SCALING_FACTOR, - ); - if let Some(log) = write { - state.traces.push_memory(log); - } - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_set_context( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(ctx, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - - let sp_to_save = state.registers.stack_len.into(); - - let old_ctx = state.registers.context; - // The popped value needs to be scaled down. - let new_ctx = u256_to_usize(ctx >> CONTEXT_SCALING_FACTOR)?; - - let sp_field = ContextMetadata::StackSize.unscale(); - let old_sp_addr = MemoryAddress::new(old_ctx, Segment::ContextMetadata, sp_field); - let new_sp_addr = MemoryAddress::new(new_ctx, Segment::ContextMetadata, sp_field); - - // This channel will hold in limb 0 and 1 the one-limb value of two separate memory operations: - // the old stack pointer write and the new stack pointer read. - // Channels only matter for time stamps: the write must happen before the read. - let log_write_old_sp = mem_write_log(GeneralPurpose(1), old_sp_addr, state, sp_to_save); - let (new_sp, log_read_new_sp) = if old_ctx == new_ctx { - let op = MemoryOp::new( - MemoryChannel::GeneralPurpose(2), - state.traces.clock(), - new_sp_addr, - MemoryOpKind::Read, - sp_to_save, - ); - (sp_to_save, op) - } else { - mem_read_with_log(GeneralPurpose(2), new_sp_addr, state) - }; - - // If the new stack isn't empty, read stack_top from memory. - let new_sp = new_sp.as_usize(); - if new_sp > 0 { - // Set up columns to disable the channel if it *is* empty. - let new_sp_field = F::from_canonical_usize(new_sp); - if let Some(inv) = new_sp_field.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - row.general.stack_mut().stack_inv_aux_2 = F::ONE; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - row.general.stack_mut().stack_inv_aux_2 = F::ZERO; - } - - let new_top_addr = MemoryAddress::new(new_ctx, Segment::Stack, new_sp - 1); - let (new_top, log_read_new_top) = - mem_read_gp_with_log_and_fill(2, new_top_addr, state, &mut row); - state.registers.stack_top = new_top; - state.traces.push_memory(log_read_new_top); - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.registers.context = new_ctx; - state.registers.stack_len = new_sp; - state.traces.push_memory(log_write_old_sp); - state.traces.push_memory(log_read_new_sp); - state.traces.push_cpu(row); - - Ok(()) -} - -pub(crate) fn generate_push( - n: u8, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let code_context = state.registers.code_context(); - let num_bytes = n as usize; - if num_bytes > 32 { - // The call to `U256::from_big_endian()` would panic. - return Err(ProgramError::IntegerTooLarge); - } - let initial_offset = state.registers.program_counter + 1; - - let base_address = MemoryAddress::new(code_context, Segment::Code, initial_offset); - // First read val without going through `mem_read_with_log` type methods, so we can pass it - // to stack_push_log_and_fill. - let bytes = (0..num_bytes) - .map(|i| { - state - .memory - .get(MemoryAddress { - virt: base_address.virt + i, - ..base_address - }) - .low_u32() as u8 - }) - .collect_vec(); - - let val = U256::from_big_endian(&bytes); - push_with_write(state, &mut row, val)?; - - byte_packing_log(state, base_address, bytes); - - state.traces.push_cpu(row); - - Ok(()) -} - -// This instruction is special. The order of the operations are: -// - Write `stack_top` at `stack[stack_len - 1]` -// - Read `val` at `stack[stack_len - 1 - n]` -// - Update `stack_top` with `val` and add 1 to `stack_len` -// Since the write must happen before the read, the normal way of assigning -// GP channels doesn't work and we must handle them manually. -pub(crate) fn generate_dup( - n: u8, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - // Same logic as in `push_with_write`, but we use the channel GP(0) instead. - if !state.registers.is_kernel && state.registers.stack_len >= MAX_USER_STACK_SIZE { - return Err(ProgramError::StackOverflow); - } - if n as usize >= state.registers.stack_len { - return Err(ProgramError::StackUnderflow); - } - let stack_top = state.registers.stack_top; - let address = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1, - ); - let log_push = mem_write_gp_log_and_fill(1, address, state, &mut row, stack_top); - state.traces.push_memory(log_push); - - let other_addr = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1 - n as usize, - ); - - // If n = 0, we read a value that hasn't been written to memory: the corresponding write - // is buffered in the mem_ops queue, but hasn't been applied yet. - let (val, log_read) = if n == 0 { - let op = MemoryOp::new( - MemoryChannel::GeneralPurpose(2), - state.traces.clock(), - other_addr, - MemoryOpKind::Read, - stack_top, - ); - - let channel = &mut row.mem_channels[2]; - assert_eq!(channel.used, F::ZERO); - channel.used = F::ONE; - channel.is_read = F::ONE; - channel.addr_context = F::from_canonical_usize(other_addr.context); - channel.addr_segment = F::from_canonical_usize(other_addr.segment); - channel.addr_virtual = F::from_canonical_usize(other_addr.virt); - let val_limbs: [u64; 4] = state.registers.stack_top.0; - for (i, limb) in val_limbs.into_iter().enumerate() { - channel.value[2 * i] = F::from_canonical_u32(limb as u32); - channel.value[2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } - - (stack_top, op) - } else { - mem_read_gp_with_log_and_fill(2, other_addr, state, &mut row) - }; - push_no_write(state, val); - - state.traces.push_memory(log_read); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_swap( - n: u8, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let other_addr_lo = state - .registers - .stack_len - .checked_sub(2 + (n as usize)) - .ok_or(ProgramError::StackUnderflow)?; - let other_addr = MemoryAddress::new(state.registers.context, Segment::Stack, other_addr_lo); - - let [(in0, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - let (in1, log_in1) = mem_read_gp_with_log_and_fill(1, other_addr, state, &mut row); - let log_out0 = mem_write_gp_log_and_fill(2, other_addr, state, &mut row, in0); - push_no_write(state, in1); - - state.traces.push_memory(log_in1); - state.traces.push_memory(log_out0); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_not( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(x, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - let result = !x; - push_no_write(state, result); - - // This is necessary for the stack constraints for POP, - // since the two flags are combined. - let diff = row.stack_len - F::ONE; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_iszero( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(x, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - let is_zero = x.is_zero(); - let result = { - let t: u64 = is_zero.into(); - t.into() - }; - - generate_pinv_diff(x, U256::zero(), &mut row); - - push_no_write(state, result); - state.traces.push_cpu(row); - Ok(()) -} - -fn append_shift( - state: &mut GenerationState, - mut row: CpuColumnsView, - is_shl: bool, - input0: U256, - input1: U256, - log_in1: MemoryOp, - result: U256, -) -> Result<(), ProgramError> { - const LOOKUP_CHANNEL: usize = 2; - let lookup_addr = MemoryAddress::new(0, Segment::ShiftTable, input0.low_u32() as usize); - if input0.bits() <= 32 { - let (_, read) = mem_read_gp_with_log_and_fill(LOOKUP_CHANNEL, lookup_addr, state, &mut row); - state.traces.push_memory(read); - } else { - // The shift constraints still expect the address to be set, even though no read will occur. - let channel = &mut row.mem_channels[LOOKUP_CHANNEL]; - channel.addr_context = F::from_canonical_usize(lookup_addr.context); - channel.addr_segment = F::from_canonical_usize(lookup_addr.segment); - channel.addr_virtual = F::from_canonical_usize(lookup_addr.virt); - - // Extra field required by the constraints for large shifts. - let high_limb_sum = row.mem_channels[0].value[1..].iter().copied().sum::(); - row.general.shift_mut().high_limb_sum_inv = high_limb_sum.inverse(); - } - - let operator = if is_shl { - BinaryOperator::Shl - } else { - BinaryOperator::Shr - }; - let operation = arithmetic::Operation::binary(operator, input0, input1); - - state.traces.push_arithmetic(operation); - push_no_write(state, result); - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_shl( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(input0, _), (input1, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - - let result = if input0 > U256::from(255u64) { - U256::zero() - } else { - input1 << input0 - }; - append_shift(state, row, true, input0, input1, log_in1, result) -} - -pub(crate) fn generate_shr( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(input0, _), (input1, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - - let result = if input0 > U256::from(255u64) { - U256::zero() - } else { - input1 >> input0 - }; - append_shift(state, row, false, input0, input1, log_in1, result) -} - -pub(crate) fn generate_syscall( - opcode: u8, - stack_values_read: usize, - stack_len_increased: bool, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - if TryInto::::try_into(state.registers.gas_used).is_err() { - return Err(ProgramError::GasLimitError); - } - - if state.registers.stack_len < stack_values_read { - return Err(ProgramError::StackUnderflow); - } - if stack_len_increased - && !state.registers.is_kernel - && state.registers.stack_len >= MAX_USER_STACK_SIZE - { - return Err(ProgramError::StackOverflow); - } - - let handler_jumptable_addr = KERNEL.global_labels["syscall_jumptable"]; - let handler_addr_addr = - handler_jumptable_addr + (opcode as usize) * (BYTES_PER_OFFSET as usize); - assert_eq!(BYTES_PER_OFFSET, 3, "Code below assumes 3 bytes per offset"); - let base_address = MemoryAddress::new(0, Segment::Code, handler_addr_addr); - let bytes = (0..BYTES_PER_OFFSET as usize) - .map(|i| { - let address = MemoryAddress { - virt: base_address.virt + i, - ..base_address - }; - let val = state.memory.get(address); - val.low_u32() as u8 - }) - .collect_vec(); - - let packed_int = U256::from_big_endian(&bytes); - - let jumptable_channel = &mut row.mem_channels[1]; - jumptable_channel.is_read = F::ONE; - jumptable_channel.addr_context = F::ZERO; - jumptable_channel.addr_segment = F::from_canonical_usize(Segment::Code as usize); - jumptable_channel.addr_virtual = F::from_canonical_usize(handler_addr_addr); - jumptable_channel.value[0] = F::from_canonical_usize(u256_to_usize(packed_int)?); - - byte_packing_log(state, base_address, bytes); - - let new_program_counter = u256_to_usize(packed_int)?; - - let gas = U256::from(state.registers.gas_used); - - let syscall_info = U256::from(state.registers.program_counter + 1) - + (U256::from(u64::from(state.registers.is_kernel)) << 32) - + (gas << 192); - - // `ArithmeticStark` range checks `mem_channels[0]`, which contains - // the top of the stack, `mem_channels[1]`, which contains the new PC, - // `mem_channels[2]`, which is empty, and next_row's `mem_channels[0]`, - // which contains the next top of the stack. - // Our goal here is to range-check the gas, contained in syscall_info, - // stored in the next stack top. - let range_check_op = arithmetic::Operation::range_check( - state.registers.stack_top, - packed_int, - U256::from(0), - U256::from(opcode), - syscall_info, - ); - // Set registers before pushing to the stack; in particular, we need to set kernel mode so we - // can't incorrectly trigger a stack overflow. However, note that we have to do it _after_ we - // make `syscall_info`, which should contain the old values. - state.registers.program_counter = new_program_counter; - state.registers.is_kernel = true; - state.registers.gas_used = 0; - - push_with_write(state, &mut row, syscall_info)?; - - log::debug!("Syscall to {}", KERNEL.offset_name(new_program_counter)); - - state.traces.push_arithmetic(range_check_op); - state.traces.push_cpu(row); - - Ok(()) -} - -pub(crate) fn generate_eq( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(in0, _), (in1, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - let eq = in0 == in1; - let result = U256::from(u64::from(eq)); - - generate_pinv_diff(in0, in1, &mut row); - - push_no_write(state, result); - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_exit_kernel( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(kexit_info, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - let kexit_info_u64 = kexit_info.0[0]; - let program_counter = kexit_info_u64 as u32 as usize; - let is_kernel_mode_val = (kexit_info_u64 >> 32) as u32; - assert!(is_kernel_mode_val == 0 || is_kernel_mode_val == 1); - let is_kernel_mode = is_kernel_mode_val != 0; - let gas_used_val = kexit_info.0[3]; - if TryInto::::try_into(gas_used_val).is_err() { - return Err(ProgramError::GasLimitError); - } - - state.registers.program_counter = program_counter; - state.registers.is_kernel = is_kernel_mode; - state.registers.gas_used = gas_used_val; - log::debug!( - "Exiting to {}, is_kernel={}", - program_counter, - is_kernel_mode - ); - - state.traces.push_cpu(row); - - Ok(()) -} - -pub(crate) fn generate_mload_general( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(addr, _)] = stack_pop_with_log_and_fill::<1, _>(state, &mut row)?; - - let (val, log_read) = - mem_read_gp_with_log_and_fill(1, MemoryAddress::new_bundle(addr)?, state, &mut row); - push_no_write(state, val); - - // Because MLOAD_GENERAL performs 1 pop and 1 push, it does not make use of the `stack_inv_aux` general columns. - // We hence can set the diff to 2 (instead of 1) so that the stack constraint for MSTORE_GENERAL applies to both - // operations, which are combined into a single CPU flag. - let diff = row.stack_len - F::TWO; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_memory(log_read); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_mload_32bytes( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(addr, _), (len, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - let len = u256_to_usize(len)?; - if len > 32 { - // The call to `U256::from_big_endian()` would panic. - return Err(ProgramError::IntegerTooLarge); - } - - let base_address = MemoryAddress::new_bundle(addr)?; - if usize::MAX - base_address.virt < len { - return Err(ProgramError::MemoryError(VirtTooLarge { - virt: base_address.virt.into(), - })); - } - let bytes = (0..len) - .map(|i| { - let address = MemoryAddress { - virt: base_address.virt + i, - ..base_address - }; - let val = state.memory.get(address); - val.low_u32() as u8 - }) - .collect_vec(); - - let packed_int = U256::from_big_endian(&bytes); - push_no_write(state, packed_int); - - byte_packing_log(state, base_address, bytes); - - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_mstore_general( - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(val, _), (addr, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - - let address = MemoryAddress::new_bundle(addr)?; - let log_write = mem_write_partial_log_and_fill(address, state, &mut row, val); - - let diff = row.stack_len - F::TWO; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - row.general.stack_mut().stack_inv_aux_2 = F::ONE; - state.registers.is_stack_top_read = true; - } else { - row.general.stack_mut().stack_inv = F::ZERO; - row.general.stack_mut().stack_inv_aux = F::ZERO; - } - - state.traces.push_memory(log_in1); - state.traces.push_memory(log_write); - - state.traces.push_cpu(row); - - Ok(()) -} - -pub(crate) fn generate_mstore_32bytes( - n: u8, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - let [(addr, _), (val, log_in1)] = stack_pop_with_log_and_fill::<2, _>(state, &mut row)?; - - let base_address = MemoryAddress::new_bundle(addr)?; - - byte_unpacking_log(state, base_address, val, n as usize); - - let new_addr = addr + n; - push_no_write(state, new_addr); - - state.traces.push_memory(log_in1); - state.traces.push_cpu(row); - Ok(()) -} - -pub(crate) fn generate_exception( - exc_code: u8, - state: &mut GenerationState, - mut row: CpuColumnsView, -) -> Result<(), ProgramError> { - if TryInto::::try_into(state.registers.gas_used).is_err() { - return Err(ProgramError::GasLimitError); - } - - row.op.exception = F::ONE; - - if let Some(inv) = row.stack_len.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } - - fill_stack_fields(state, &mut row)?; - - row.general.exception_mut().exc_code_bits = [ - F::from_bool(exc_code & 1 != 0), - F::from_bool(exc_code & 2 != 0), - F::from_bool(exc_code & 4 != 0), - ]; - - let handler_jumptable_addr = KERNEL.global_labels["exception_jumptable"]; - let handler_addr_addr = - handler_jumptable_addr + (exc_code as usize) * (BYTES_PER_OFFSET as usize); - assert_eq!(BYTES_PER_OFFSET, 3, "Code below assumes 3 bytes per offset"); - let base_address = MemoryAddress::new(0, Segment::Code, handler_addr_addr); - let bytes = (0..BYTES_PER_OFFSET as usize) - .map(|i| { - let address = MemoryAddress { - virt: base_address.virt + i, - ..base_address - }; - let val = state.memory.get(address); - val.low_u32() as u8 - }) - .collect_vec(); - - let packed_int = U256::from_big_endian(&bytes); - - let jumptable_channel = &mut row.mem_channels[1]; - jumptable_channel.is_read = F::ONE; - jumptable_channel.addr_context = F::ZERO; - jumptable_channel.addr_segment = F::from_canonical_usize(Segment::Code as usize); - jumptable_channel.addr_virtual = F::from_canonical_usize(handler_addr_addr); - jumptable_channel.value[0] = F::from_canonical_usize(u256_to_usize(packed_int)?); - - byte_packing_log(state, base_address, bytes); - let new_program_counter = u256_to_usize(packed_int)?; - - let gas = U256::from(state.registers.gas_used); - - let exc_info = U256::from(state.registers.program_counter) + (gas << 192); - - // Get the opcode so we can provide it to the range_check operation. - let code_context = state.registers.code_context(); - let address = MemoryAddress::new(code_context, Segment::Code, state.registers.program_counter); - let opcode = state.memory.get(address); - - // `ArithmeticStark` range checks `mem_channels[0]`, which contains - // the top of the stack, `mem_channels[1]`, which contains the new PC, - // `mem_channels[2]`, which is empty, and next_row's `mem_channels[0]`, - // which contains the next top of the stack. - // Our goal here is to range-check the gas, contained in syscall_info, - // stored in the next stack top. - let range_check_op = arithmetic::Operation::range_check( - state.registers.stack_top, - packed_int, - U256::from(0), - opcode, - exc_info, - ); - // Set registers before pushing to the stack; in particular, we need to set kernel mode so we - // can't incorrectly trigger a stack overflow. However, note that we have to do it _after_ we - // make `exc_info`, which should contain the old values. - state.registers.program_counter = new_program_counter; - state.registers.is_kernel = true; - state.registers.gas_used = 0; - - push_with_write(state, &mut row, exc_info)?; - - log::debug!("Exception to {}", KERNEL.offset_name(new_program_counter)); - state.traces.push_arithmetic(range_check_op); - state.traces.push_cpu(row); - - Ok(()) -} diff --git a/evm/src/witness/state.rs b/evm/src/witness/state.rs deleted file mode 100644 index 1070ee6439..0000000000 --- a/evm/src/witness/state.rs +++ /dev/null @@ -1,45 +0,0 @@ -use ethereum_types::U256; - -use crate::cpu::kernel::aggregator::KERNEL; - -const KERNEL_CONTEXT: usize = 0; - -#[derive(Clone, Copy, Debug, Eq, PartialEq)] -pub struct RegistersState { - pub program_counter: usize, - pub is_kernel: bool, - pub stack_len: usize, - pub stack_top: U256, - // Indicates if you read the new stack_top from memory to set the channel accordingly. - pub is_stack_top_read: bool, - // Indicates if the previous operation might have caused an overflow, and we must check - // if it's the case. - pub check_overflow: bool, - pub context: usize, - pub gas_used: u64, -} - -impl RegistersState { - pub(crate) const fn code_context(&self) -> usize { - if self.is_kernel { - KERNEL_CONTEXT - } else { - self.context - } - } -} - -impl Default for RegistersState { - fn default() -> Self { - Self { - program_counter: KERNEL.global_labels["main"], - is_kernel: true, - stack_len: 0, - stack_top: U256::zero(), - is_stack_top_read: false, - check_overflow: false, - context: 0, - gas_used: 0, - } - } -} diff --git a/evm/src/witness/traces.rs b/evm/src/witness/traces.rs deleted file mode 100644 index f7f5c9d365..0000000000 --- a/evm/src/witness/traces.rs +++ /dev/null @@ -1,242 +0,0 @@ -use core::mem::size_of; - -use itertools::Itertools; -use plonky2::field::extension::Extendable; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::hash::hash_types::RichField; -use plonky2::timed; -use plonky2::util::timing::TimingTree; - -use crate::all_stark::{AllStark, NUM_TABLES}; -use crate::arithmetic::{BinaryOperator, Operation}; -use crate::byte_packing::byte_packing_stark::BytePackingOp; -use crate::config::StarkConfig; -use crate::cpu::columns::CpuColumnsView; -use crate::keccak_sponge::columns::KECCAK_WIDTH_BYTES; -use crate::keccak_sponge::keccak_sponge_stark::KeccakSpongeOp; -use crate::util::trace_rows_to_poly_values; -use crate::witness::memory::MemoryOp; -use crate::{arithmetic, keccak, keccak_sponge, logic}; - -#[derive(Clone, Copy, Debug)] -pub(crate) struct TraceCheckpoint { - pub(self) arithmetic_len: usize, - pub(self) byte_packing_len: usize, - pub(self) cpu_len: usize, - pub(self) keccak_len: usize, - pub(self) keccak_sponge_len: usize, - pub(self) logic_len: usize, - pub(self) memory_len: usize, -} - -#[derive(Debug)] -pub(crate) struct Traces { - pub(crate) arithmetic_ops: Vec, - pub(crate) byte_packing_ops: Vec, - pub(crate) cpu: Vec>, - pub(crate) logic_ops: Vec, - pub(crate) memory_ops: Vec, - pub(crate) keccak_inputs: Vec<([u64; keccak::keccak_stark::NUM_INPUTS], usize)>, - pub(crate) keccak_sponge_ops: Vec, -} - -impl Traces { - pub(crate) fn new() -> Self { - Traces { - arithmetic_ops: vec![], - byte_packing_ops: vec![], - cpu: vec![], - logic_ops: vec![], - memory_ops: vec![], - keccak_inputs: vec![], - keccak_sponge_ops: vec![], - } - } - - /// Returns the actual trace lengths for each STARK module. - // Uses a `TraceCheckPoint` as return object for convenience. - pub(crate) fn get_lengths(&self) -> TraceCheckpoint { - TraceCheckpoint { - arithmetic_len: self - .arithmetic_ops - .iter() - .map(|op| match op { - Operation::TernaryOperation { .. } => 2, - Operation::BinaryOperation { operator, .. } => match operator { - BinaryOperator::Div | BinaryOperator::Mod => 2, - _ => 1, - }, - Operation::RangeCheckOperation { .. } => 1, - }) - .sum(), - byte_packing_len: self - .byte_packing_ops - .iter() - .map(|op| usize::from(!op.bytes.is_empty())) - .sum(), - cpu_len: self.cpu.len(), - keccak_len: self.keccak_inputs.len() * keccak::keccak_stark::NUM_ROUNDS, - keccak_sponge_len: self - .keccak_sponge_ops - .iter() - .map(|op| op.input.len() / keccak_sponge::columns::KECCAK_RATE_BYTES + 1) - .sum(), - logic_len: self.logic_ops.len(), - // This is technically a lower-bound, as we may fill gaps, - // but this gives a relatively good estimate. - memory_len: self.memory_ops.len(), - } - } - - /// Returns the number of operations for each STARK module. - pub(crate) fn checkpoint(&self) -> TraceCheckpoint { - TraceCheckpoint { - arithmetic_len: self.arithmetic_ops.len(), - byte_packing_len: self.byte_packing_ops.len(), - cpu_len: self.cpu.len(), - keccak_len: self.keccak_inputs.len(), - keccak_sponge_len: self.keccak_sponge_ops.len(), - logic_len: self.logic_ops.len(), - memory_len: self.memory_ops.len(), - } - } - - pub(crate) fn rollback(&mut self, checkpoint: TraceCheckpoint) { - self.arithmetic_ops.truncate(checkpoint.arithmetic_len); - self.byte_packing_ops.truncate(checkpoint.byte_packing_len); - self.cpu.truncate(checkpoint.cpu_len); - self.keccak_inputs.truncate(checkpoint.keccak_len); - self.keccak_sponge_ops - .truncate(checkpoint.keccak_sponge_len); - self.logic_ops.truncate(checkpoint.logic_len); - self.memory_ops.truncate(checkpoint.memory_len); - } - - pub(crate) fn mem_ops_since(&self, checkpoint: TraceCheckpoint) -> &[MemoryOp] { - &self.memory_ops[checkpoint.memory_len..] - } - - pub(crate) fn push_cpu(&mut self, val: CpuColumnsView) { - self.cpu.push(val); - } - - pub(crate) fn push_logic(&mut self, op: logic::Operation) { - self.logic_ops.push(op); - } - - pub(crate) fn push_arithmetic(&mut self, op: arithmetic::Operation) { - self.arithmetic_ops.push(op); - } - - pub(crate) fn push_memory(&mut self, op: MemoryOp) { - self.memory_ops.push(op); - } - - pub(crate) fn push_byte_packing(&mut self, op: BytePackingOp) { - self.byte_packing_ops.push(op); - } - - pub(crate) fn push_keccak( - &mut self, - input: [u64; keccak::keccak_stark::NUM_INPUTS], - clock: usize, - ) { - self.keccak_inputs.push((input, clock)); - } - - pub(crate) fn push_keccak_bytes(&mut self, input: [u8; KECCAK_WIDTH_BYTES], clock: usize) { - let chunks = input - .chunks(size_of::()) - .map(|chunk| u64::from_le_bytes(chunk.try_into().unwrap())) - .collect_vec() - .try_into() - .unwrap(); - self.push_keccak(chunks, clock); - } - - pub(crate) fn push_keccak_sponge(&mut self, op: KeccakSpongeOp) { - self.keccak_sponge_ops.push(op); - } - - pub(crate) fn clock(&self) -> usize { - self.cpu.len() - } - - pub(crate) fn into_tables( - self, - all_stark: &AllStark, - config: &StarkConfig, - timing: &mut TimingTree, - ) -> [Vec>; NUM_TABLES] - where - T: RichField + Extendable, - { - let cap_elements = config.fri_config.num_cap_elements(); - let Traces { - arithmetic_ops, - byte_packing_ops, - cpu, - logic_ops, - memory_ops, - keccak_inputs, - keccak_sponge_ops, - } = self; - - let arithmetic_trace = timed!( - timing, - "generate arithmetic trace", - all_stark.arithmetic_stark.generate_trace(arithmetic_ops) - ); - let byte_packing_trace = timed!( - timing, - "generate byte packing trace", - all_stark - .byte_packing_stark - .generate_trace(byte_packing_ops, cap_elements, timing) - ); - let cpu_rows = cpu.into_iter().map(|x| x.into()).collect(); - let cpu_trace = trace_rows_to_poly_values(cpu_rows); - let keccak_trace = timed!( - timing, - "generate Keccak trace", - all_stark - .keccak_stark - .generate_trace(keccak_inputs, cap_elements, timing) - ); - let keccak_sponge_trace = timed!( - timing, - "generate Keccak sponge trace", - all_stark - .keccak_sponge_stark - .generate_trace(keccak_sponge_ops, cap_elements, timing) - ); - let logic_trace = timed!( - timing, - "generate logic trace", - all_stark - .logic_stark - .generate_trace(logic_ops, cap_elements, timing) - ); - let memory_trace = timed!( - timing, - "generate memory trace", - all_stark.memory_stark.generate_trace(memory_ops, timing) - ); - - [ - arithmetic_trace, - byte_packing_trace, - cpu_trace, - keccak_trace, - keccak_sponge_trace, - logic_trace, - memory_trace, - ] - } -} - -impl Default for Traces { - fn default() -> Self { - Self::new() - } -} diff --git a/evm/src/witness/transition.rs b/evm/src/witness/transition.rs deleted file mode 100644 index aed6ff5397..0000000000 --- a/evm/src/witness/transition.rs +++ /dev/null @@ -1,504 +0,0 @@ -use anyhow::bail; -use log::log_enabled; -use plonky2::field::types::Field; - -use super::memory::{MemoryOp, MemoryOpKind}; -use super::util::fill_channel_with_value; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::kernel::aggregator::KERNEL; -use crate::cpu::kernel::constants::context_metadata::ContextMetadata; -use crate::cpu::stack::{ - EQ_STACK_BEHAVIOR, IS_ZERO_STACK_BEHAVIOR, JUMPI_OP, JUMP_OP, MAX_USER_STACK_SIZE, - MIGHT_OVERFLOW, STACK_BEHAVIORS, -}; -use crate::generation::state::GenerationState; -use crate::memory::segments::Segment; -use crate::witness::errors::ProgramError; -use crate::witness::gas::gas_to_charge; -use crate::witness::memory::MemoryAddress; -use crate::witness::memory::MemoryChannel::GeneralPurpose; -use crate::witness::operation::*; -use crate::witness::state::RegistersState; -use crate::witness::util::mem_read_code_with_log_and_fill; -use crate::{arithmetic, logic}; - -fn read_code_memory(state: &mut GenerationState, row: &mut CpuColumnsView) -> u8 { - let code_context = state.registers.code_context(); - row.code_context = F::from_canonical_usize(code_context); - - let address = MemoryAddress::new(code_context, Segment::Code, state.registers.program_counter); - let (opcode, mem_log) = mem_read_code_with_log_and_fill(address, state, row); - - state.traces.push_memory(mem_log); - - opcode -} - -pub(crate) fn decode(registers: RegistersState, opcode: u8) -> Result { - match (opcode, registers.is_kernel) { - (0x00, _) => Ok(Operation::Syscall(opcode, 0, false)), // STOP - (0x01, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Add)), - (0x02, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Mul)), - (0x03, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Sub)), - (0x04, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Div)), - (0x05, _) => Ok(Operation::Syscall(opcode, 2, false)), // SDIV - (0x06, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Mod)), - (0x07, _) => Ok(Operation::Syscall(opcode, 2, false)), // SMOD - (0x08, _) => Ok(Operation::TernaryArithmetic( - arithmetic::TernaryOperator::AddMod, - )), - (0x09, _) => Ok(Operation::TernaryArithmetic( - arithmetic::TernaryOperator::MulMod, - )), - (0x0a, _) => Ok(Operation::Syscall(opcode, 2, false)), // EXP - (0x0b, _) => Ok(Operation::Syscall(opcode, 2, false)), // SIGNEXTEND - (0x0c, true) => Ok(Operation::BinaryArithmetic( - arithmetic::BinaryOperator::AddFp254, - )), - (0x0d, true) => Ok(Operation::BinaryArithmetic( - arithmetic::BinaryOperator::MulFp254, - )), - (0x0e, true) => Ok(Operation::BinaryArithmetic( - arithmetic::BinaryOperator::SubFp254, - )), - (0x0f, true) => Ok(Operation::TernaryArithmetic( - arithmetic::TernaryOperator::SubMod, - )), - (0x10, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Lt)), - (0x11, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Gt)), - (0x12, _) => Ok(Operation::Syscall(opcode, 2, false)), // SLT - (0x13, _) => Ok(Operation::Syscall(opcode, 2, false)), // SGT - (0x14, _) => Ok(Operation::Eq), - (0x15, _) => Ok(Operation::Iszero), - (0x16, _) => Ok(Operation::BinaryLogic(logic::Op::And)), - (0x17, _) => Ok(Operation::BinaryLogic(logic::Op::Or)), - (0x18, _) => Ok(Operation::BinaryLogic(logic::Op::Xor)), - (0x19, _) => Ok(Operation::Not), - (0x1a, _) => Ok(Operation::BinaryArithmetic( - arithmetic::BinaryOperator::Byte, - )), - (0x1b, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shl)), - (0x1c, _) => Ok(Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shr)), - (0x1d, _) => Ok(Operation::Syscall(opcode, 2, false)), // SAR - (0x20, _) => Ok(Operation::Syscall(opcode, 2, false)), // KECCAK256 - (0x21, true) => Ok(Operation::KeccakGeneral), - (0x30, _) => Ok(Operation::Syscall(opcode, 0, true)), // ADDRESS - (0x31, _) => Ok(Operation::Syscall(opcode, 1, false)), // BALANCE - (0x32, _) => Ok(Operation::Syscall(opcode, 0, true)), // ORIGIN - (0x33, _) => Ok(Operation::Syscall(opcode, 0, true)), // CALLER - (0x34, _) => Ok(Operation::Syscall(opcode, 0, true)), // CALLVALUE - (0x35, _) => Ok(Operation::Syscall(opcode, 1, false)), // CALLDATALOAD - (0x36, _) => Ok(Operation::Syscall(opcode, 0, true)), // CALLDATASIZE - (0x37, _) => Ok(Operation::Syscall(opcode, 3, false)), // CALLDATACOPY - (0x38, _) => Ok(Operation::Syscall(opcode, 0, true)), // CODESIZE - (0x39, _) => Ok(Operation::Syscall(opcode, 3, false)), // CODECOPY - (0x3a, _) => Ok(Operation::Syscall(opcode, 0, true)), // GASPRICE - (0x3b, _) => Ok(Operation::Syscall(opcode, 1, false)), // EXTCODESIZE - (0x3c, _) => Ok(Operation::Syscall(opcode, 4, false)), // EXTCODECOPY - (0x3d, _) => Ok(Operation::Syscall(opcode, 0, true)), // RETURNDATASIZE - (0x3e, _) => Ok(Operation::Syscall(opcode, 3, false)), // RETURNDATACOPY - (0x3f, _) => Ok(Operation::Syscall(opcode, 1, false)), // EXTCODEHASH - (0x40, _) => Ok(Operation::Syscall(opcode, 1, false)), // BLOCKHASH - (0x41, _) => Ok(Operation::Syscall(opcode, 0, true)), // COINBASE - (0x42, _) => Ok(Operation::Syscall(opcode, 0, true)), // TIMESTAMP - (0x43, _) => Ok(Operation::Syscall(opcode, 0, true)), // NUMBER - (0x44, _) => Ok(Operation::Syscall(opcode, 0, true)), // DIFFICULTY - (0x45, _) => Ok(Operation::Syscall(opcode, 0, true)), // GASLIMIT - (0x46, _) => Ok(Operation::Syscall(opcode, 0, true)), // CHAINID - (0x47, _) => Ok(Operation::Syscall(opcode, 0, true)), // SELFBALANCE - (0x48, _) => Ok(Operation::Syscall(opcode, 0, true)), // BASEFEE - (0x49, true) => Ok(Operation::ProverInput), - (0x50, _) => Ok(Operation::Pop), - (0x51, _) => Ok(Operation::Syscall(opcode, 1, false)), // MLOAD - (0x52, _) => Ok(Operation::Syscall(opcode, 2, false)), // MSTORE - (0x53, _) => Ok(Operation::Syscall(opcode, 2, false)), // MSTORE8 - (0x54, _) => Ok(Operation::Syscall(opcode, 1, false)), // SLOAD - (0x55, _) => Ok(Operation::Syscall(opcode, 2, false)), // SSTORE - (0x56, _) => Ok(Operation::Jump), - (0x57, _) => Ok(Operation::Jumpi), - (0x58, _) => Ok(Operation::Pc), - (0x59, _) => Ok(Operation::Syscall(opcode, 0, true)), // MSIZE - (0x5a, _) => Ok(Operation::Syscall(opcode, 0, true)), // GAS - (0x5b, _) => Ok(Operation::Jumpdest), - (0x5f..=0x7f, _) => Ok(Operation::Push(opcode - 0x5f)), - (0x80..=0x8f, _) => Ok(Operation::Dup(opcode & 0xf)), - (0x90..=0x9f, _) => Ok(Operation::Swap(opcode & 0xf)), - (0xa0, _) => Ok(Operation::Syscall(opcode, 2, false)), // LOG0 - (0xa1, _) => Ok(Operation::Syscall(opcode, 3, false)), // LOG1 - (0xa2, _) => Ok(Operation::Syscall(opcode, 4, false)), // LOG2 - (0xa3, _) => Ok(Operation::Syscall(opcode, 5, false)), // LOG3 - (0xa4, _) => Ok(Operation::Syscall(opcode, 6, false)), // LOG4 - (0xa5, true) => { - log::warn!( - "Kernel panic at {}", - KERNEL.offset_name(registers.program_counter), - ); - Err(ProgramError::KernelPanic) - } - (0xc0..=0xdf, true) => Ok(Operation::Mstore32Bytes(opcode - 0xc0 + 1)), - (0xf0, _) => Ok(Operation::Syscall(opcode, 3, false)), // CREATE - (0xf1, _) => Ok(Operation::Syscall(opcode, 7, false)), // CALL - (0xf2, _) => Ok(Operation::Syscall(opcode, 7, false)), // CALLCODE - (0xf3, _) => Ok(Operation::Syscall(opcode, 2, false)), // RETURN - (0xf4, _) => Ok(Operation::Syscall(opcode, 6, false)), // DELEGATECALL - (0xf5, _) => Ok(Operation::Syscall(opcode, 4, false)), // CREATE2 - (0xf6, true) => Ok(Operation::GetContext), - (0xf7, true) => Ok(Operation::SetContext), - (0xf8, true) => Ok(Operation::Mload32Bytes), - (0xf9, true) => Ok(Operation::ExitKernel), - (0xfa, _) => Ok(Operation::Syscall(opcode, 6, false)), // STATICCALL - (0xfb, true) => Ok(Operation::MloadGeneral), - (0xfc, true) => Ok(Operation::MstoreGeneral), - (0xfd, _) => Ok(Operation::Syscall(opcode, 2, false)), // REVERT - (0xff, _) => Ok(Operation::Syscall(opcode, 1, false)), // SELFDESTRUCT - _ => { - log::warn!("Invalid opcode: {}", opcode); - Err(ProgramError::InvalidOpcode) - } - } -} - -fn fill_op_flag(op: Operation, row: &mut CpuColumnsView) { - let flags = &mut row.op; - *match op { - Operation::Dup(_) | Operation::Swap(_) => &mut flags.dup_swap, - Operation::Iszero | Operation::Eq => &mut flags.eq_iszero, - Operation::Not | Operation::Pop => &mut flags.not_pop, - Operation::Syscall(_, _, _) => &mut flags.syscall, - Operation::BinaryLogic(_) => &mut flags.logic_op, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::AddFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::MulFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::SubFp254) => &mut flags.fp254_op, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shl) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shr) => &mut flags.shift, - Operation::BinaryArithmetic(_) => &mut flags.binary_op, - Operation::TernaryArithmetic(_) => &mut flags.ternary_op, - Operation::KeccakGeneral | Operation::Jumpdest => &mut flags.jumpdest_keccak_general, - Operation::ProverInput | Operation::Push(1..) => &mut flags.push_prover_input, - Operation::Jump | Operation::Jumpi => &mut flags.jumps, - Operation::Pc | Operation::Push(0) => &mut flags.pc_push0, - Operation::GetContext | Operation::SetContext => &mut flags.context_op, - Operation::Mload32Bytes | Operation::Mstore32Bytes(_) => &mut flags.m_op_32bytes, - Operation::ExitKernel => &mut flags.exit_kernel, - Operation::MloadGeneral | Operation::MstoreGeneral => &mut flags.m_op_general, - } = F::ONE; -} - -// Equal to the number of pops if an operation pops without pushing, and `None` otherwise. -const fn get_op_special_length(op: Operation) -> Option { - let behavior_opt = match op { - Operation::Push(0) | Operation::Pc => STACK_BEHAVIORS.pc_push0, - Operation::Push(1..) | Operation::ProverInput => STACK_BEHAVIORS.push_prover_input, - Operation::Dup(_) | Operation::Swap(_) => STACK_BEHAVIORS.dup_swap, - Operation::Iszero => IS_ZERO_STACK_BEHAVIOR, - Operation::Not | Operation::Pop => STACK_BEHAVIORS.not_pop, - Operation::Syscall(_, _, _) => STACK_BEHAVIORS.syscall, - Operation::Eq => EQ_STACK_BEHAVIOR, - Operation::BinaryLogic(_) => STACK_BEHAVIORS.logic_op, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::AddFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::MulFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::SubFp254) => { - STACK_BEHAVIORS.fp254_op - } - Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shl) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shr) => STACK_BEHAVIORS.shift, - Operation::BinaryArithmetic(_) => STACK_BEHAVIORS.binary_op, - Operation::TernaryArithmetic(_) => STACK_BEHAVIORS.ternary_op, - Operation::KeccakGeneral | Operation::Jumpdest => STACK_BEHAVIORS.jumpdest_keccak_general, - Operation::Jump => JUMP_OP, - Operation::Jumpi => JUMPI_OP, - Operation::GetContext | Operation::SetContext => None, - Operation::Mload32Bytes | Operation::Mstore32Bytes(_) => STACK_BEHAVIORS.m_op_32bytes, - Operation::ExitKernel => STACK_BEHAVIORS.exit_kernel, - Operation::MloadGeneral | Operation::MstoreGeneral => STACK_BEHAVIORS.m_op_general, - }; - if let Some(behavior) = behavior_opt { - if behavior.num_pops > 0 && !behavior.pushes { - Some(behavior.num_pops) - } else { - None - } - } else { - None - } -} - -// These operations might trigger a stack overflow, typically those pushing without popping. -// Kernel-only pushing instructions aren't considered; they can't overflow. -const fn might_overflow_op(op: Operation) -> bool { - match op { - Operation::Push(1..) | Operation::ProverInput => MIGHT_OVERFLOW.push_prover_input, - Operation::Dup(_) | Operation::Swap(_) => MIGHT_OVERFLOW.dup_swap, - Operation::Iszero | Operation::Eq => MIGHT_OVERFLOW.eq_iszero, - Operation::Not | Operation::Pop => MIGHT_OVERFLOW.not_pop, - Operation::Syscall(_, _, _) => MIGHT_OVERFLOW.syscall, - Operation::BinaryLogic(_) => MIGHT_OVERFLOW.logic_op, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::AddFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::MulFp254) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::SubFp254) => { - MIGHT_OVERFLOW.fp254_op - } - Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shl) - | Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shr) => MIGHT_OVERFLOW.shift, - Operation::BinaryArithmetic(_) => MIGHT_OVERFLOW.binary_op, - Operation::TernaryArithmetic(_) => MIGHT_OVERFLOW.ternary_op, - Operation::KeccakGeneral | Operation::Jumpdest => MIGHT_OVERFLOW.jumpdest_keccak_general, - Operation::Jump | Operation::Jumpi => MIGHT_OVERFLOW.jumps, - Operation::Pc | Operation::Push(0) => MIGHT_OVERFLOW.pc_push0, - Operation::GetContext | Operation::SetContext => MIGHT_OVERFLOW.context_op, - Operation::Mload32Bytes | Operation::Mstore32Bytes(_) => MIGHT_OVERFLOW.m_op_32bytes, - Operation::ExitKernel => MIGHT_OVERFLOW.exit_kernel, - Operation::MloadGeneral | Operation::MstoreGeneral => MIGHT_OVERFLOW.m_op_general, - } -} - -fn perform_op( - state: &mut GenerationState, - op: Operation, - row: CpuColumnsView, -) -> Result { - match op { - Operation::Push(n) => generate_push(n, state, row)?, - Operation::Dup(n) => generate_dup(n, state, row)?, - Operation::Swap(n) => generate_swap(n, state, row)?, - Operation::Iszero => generate_iszero(state, row)?, - Operation::Not => generate_not(state, row)?, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shl) => generate_shl(state, row)?, - Operation::BinaryArithmetic(arithmetic::BinaryOperator::Shr) => generate_shr(state, row)?, - Operation::Syscall(opcode, stack_values_read, stack_len_increased) => { - generate_syscall(opcode, stack_values_read, stack_len_increased, state, row)? - } - Operation::Eq => generate_eq(state, row)?, - Operation::BinaryLogic(binary_logic_op) => { - generate_binary_logic_op(binary_logic_op, state, row)? - } - Operation::BinaryArithmetic(op) => generate_binary_arithmetic_op(op, state, row)?, - Operation::TernaryArithmetic(op) => generate_ternary_arithmetic_op(op, state, row)?, - Operation::KeccakGeneral => generate_keccak_general(state, row)?, - Operation::ProverInput => generate_prover_input(state, row)?, - Operation::Pop => generate_pop(state, row)?, - Operation::Jump => generate_jump(state, row)?, - Operation::Jumpi => generate_jumpi(state, row)?, - Operation::Pc => generate_pc(state, row)?, - Operation::Jumpdest => generate_jumpdest(state, row)?, - Operation::GetContext => generate_get_context(state, row)?, - Operation::SetContext => generate_set_context(state, row)?, - Operation::Mload32Bytes => generate_mload_32bytes(state, row)?, - Operation::Mstore32Bytes(n) => generate_mstore_32bytes(n, state, row)?, - Operation::ExitKernel => generate_exit_kernel(state, row)?, - Operation::MloadGeneral => generate_mload_general(state, row)?, - Operation::MstoreGeneral => generate_mstore_general(state, row)?, - }; - - state.registers.program_counter += match op { - Operation::Syscall(_, _, _) | Operation::ExitKernel => 0, - Operation::Push(n) => n as usize + 1, - Operation::Jump | Operation::Jumpi => 0, - _ => 1, - }; - - state.registers.gas_used += gas_to_charge(op); - - let gas_limit_address = MemoryAddress::new( - state.registers.context, - Segment::ContextMetadata, - ContextMetadata::GasLimit.unscale(), // context offsets are already scaled - ); - if !state.registers.is_kernel { - let gas_limit = TryInto::::try_into(state.memory.get(gas_limit_address)); - match gas_limit { - Ok(limit) => { - if state.registers.gas_used > limit { - return Err(ProgramError::OutOfGas); - } - } - Err(_) => return Err(ProgramError::IntegerTooLarge), - } - } - - Ok(op) -} - -/// Row that has the correct values for system registers and the code channel, but is otherwise -/// blank. It fulfills the constraints that are common to successful operations and the exception -/// operation. It also returns the opcode. -fn base_row(state: &mut GenerationState) -> (CpuColumnsView, u8) { - let mut row: CpuColumnsView = CpuColumnsView::default(); - row.clock = F::from_canonical_usize(state.traces.clock()); - row.context = F::from_canonical_usize(state.registers.context); - row.program_counter = F::from_canonical_usize(state.registers.program_counter); - row.is_kernel_mode = F::from_bool(state.registers.is_kernel); - row.gas = F::from_canonical_u64(state.registers.gas_used); - row.stack_len = F::from_canonical_usize(state.registers.stack_len); - fill_channel_with_value(&mut row, 0, state.registers.stack_top); - - let opcode = read_code_memory(state, &mut row); - (row, opcode) -} - -pub(crate) fn fill_stack_fields( - state: &mut GenerationState, - row: &mut CpuColumnsView, -) -> Result<(), ProgramError> { - if state.registers.is_stack_top_read { - let channel = &mut row.mem_channels[0]; - channel.used = F::ONE; - channel.is_read = F::ONE; - channel.addr_context = F::from_canonical_usize(state.registers.context); - channel.addr_segment = F::from_canonical_usize(Segment::Stack.unscale()); - channel.addr_virtual = F::from_canonical_usize(state.registers.stack_len - 1); - - let address = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1, - ); - - let mem_op = MemoryOp::new( - GeneralPurpose(0), - state.traces.clock(), - address, - MemoryOpKind::Read, - state.registers.stack_top, - ); - state.traces.push_memory(mem_op); - state.registers.is_stack_top_read = false; - } - - if state.registers.check_overflow { - if state.registers.is_kernel { - row.general.stack_mut().stack_len_bounds_aux = F::ZERO; - } else { - let clock = state.traces.clock(); - let last_row = &mut state.traces.cpu[clock - 1]; - let disallowed_len = F::from_canonical_usize(MAX_USER_STACK_SIZE + 1); - let diff = row.stack_len - disallowed_len; - if let Some(inv) = diff.try_inverse() { - last_row.general.stack_mut().stack_len_bounds_aux = inv; - } else { - // This is a stack overflow that should have been caught earlier. - return Err(ProgramError::InterpreterError); - } - } - state.registers.check_overflow = false; - } - - Ok(()) -} - -fn try_perform_instruction( - state: &mut GenerationState, -) -> Result { - let (mut row, opcode) = base_row(state); - let op = decode(state.registers, opcode)?; - - if state.registers.is_kernel { - log_kernel_instruction(state, op); - } else { - log::debug!("User instruction: {:?}", op); - } - - fill_op_flag(op, &mut row); - - fill_stack_fields(state, &mut row)?; - - // Might write in general CPU columns when it shouldn't, but the correct values will - // overwrite these ones during the op generation. - if let Some(special_len) = get_op_special_length(op) { - let special_len = F::from_canonical_usize(special_len); - let diff = row.stack_len - special_len; - if let Some(inv) = diff.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - state.registers.is_stack_top_read = true; - } - } else if let Some(inv) = row.stack_len.try_inverse() { - row.general.stack_mut().stack_inv = inv; - row.general.stack_mut().stack_inv_aux = F::ONE; - } - - perform_op(state, op, row) -} - -fn log_kernel_instruction(state: &GenerationState, op: Operation) { - // The logic below is a bit costly, so skip it if debug logs aren't enabled. - if !log_enabled!(log::Level::Debug) { - return; - } - - let pc = state.registers.program_counter; - let is_interesting_offset = KERNEL - .offset_label(pc) - .filter(|label| !label.starts_with("halt")) - .is_some(); - let level = if is_interesting_offset { - log::Level::Debug - } else { - log::Level::Trace - }; - log::log!( - level, - "Cycle {}, ctx={}, pc={}, instruction={:?}, stack={:?}", - state.traces.clock(), - state.registers.context, - KERNEL.offset_name(pc), - op, - state.stack(), - ); - - assert!(pc < KERNEL.code.len(), "Kernel PC is out of range: {}", pc); -} - -fn handle_error(state: &mut GenerationState, err: ProgramError) -> anyhow::Result<()> { - let exc_code: u8 = match err { - ProgramError::OutOfGas => 0, - ProgramError::InvalidOpcode => 1, - ProgramError::StackUnderflow => 2, - ProgramError::InvalidJumpDestination => 3, - ProgramError::InvalidJumpiDestination => 4, - ProgramError::StackOverflow => 5, - _ => bail!("TODO: figure out what to do with this..."), - }; - - let checkpoint = state.checkpoint(); - - let (row, _) = base_row(state); - generate_exception(exc_code, state, row) - .map_err(|_| anyhow::Error::msg("error handling errored..."))?; - - state - .memory - .apply_ops(state.traces.mem_ops_since(checkpoint.traces)); - Ok(()) -} - -pub(crate) fn transition(state: &mut GenerationState) -> anyhow::Result<()> { - let checkpoint = state.checkpoint(); - let result = try_perform_instruction(state); - - match result { - Ok(op) => { - state - .memory - .apply_ops(state.traces.mem_ops_since(checkpoint.traces)); - if might_overflow_op(op) { - state.registers.check_overflow = true; - } - Ok(()) - } - Err(e) => { - if state.registers.is_kernel { - let offset_name = KERNEL.offset_name(state.registers.program_counter); - bail!( - "{:?} in kernel at pc={}, stack={:?}, memory={:?}", - e, - offset_name, - state.stack(), - state.memory.contexts[0].segments[Segment::KernelGeneral.unscale()].content, - ); - } - state.rollback(checkpoint); - handle_error(state, e) - } - } -} diff --git a/evm/src/witness/util.rs b/evm/src/witness/util.rs deleted file mode 100644 index 5f39809392..0000000000 --- a/evm/src/witness/util.rs +++ /dev/null @@ -1,393 +0,0 @@ -use ethereum_types::U256; -use plonky2::field::types::Field; - -use super::memory::DUMMY_MEMOP; -use crate::byte_packing::byte_packing_stark::BytePackingOp; -use crate::cpu::columns::CpuColumnsView; -use crate::cpu::kernel::keccak_util::keccakf_u8s; -use crate::cpu::membus::NUM_CHANNELS; -use crate::cpu::stack::MAX_USER_STACK_SIZE; -use crate::generation::state::GenerationState; -use crate::keccak_sponge::columns::{KECCAK_RATE_BYTES, KECCAK_WIDTH_BYTES}; -use crate::keccak_sponge::keccak_sponge_stark::KeccakSpongeOp; -use crate::logic; -use crate::memory::segments::Segment; -use crate::witness::errors::ProgramError; -use crate::witness::memory::{MemoryAddress, MemoryChannel, MemoryOp, MemoryOpKind}; - -fn to_byte_checked(n: U256) -> u8 { - let res = n.byte(0); - assert_eq!(n, res.into()); - res -} - -fn to_bits_le(n: u8) -> [F; 8] { - let mut res = [F::ZERO; 8]; - for (i, bit) in res.iter_mut().enumerate() { - *bit = F::from_bool(n & (1 << i) != 0); - } - res -} - -/// Peek at the stack item `i`th from the top. If `i=0` this gives the tip. -pub(crate) fn stack_peek( - state: &GenerationState, - i: usize, -) -> Result { - if i >= state.registers.stack_len { - return Err(ProgramError::StackUnderflow); - } - if i == 0 { - return Ok(state.registers.stack_top); - } - - Ok(state.memory.get(MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1 - i, - ))) -} - -/// Peek at kernel at specified segment and address -pub(crate) fn current_context_peek( - state: &GenerationState, - segment: Segment, - virt: usize, -) -> U256 { - let context = state.registers.context; - state.memory.get(MemoryAddress::new(context, segment, virt)) -} - -pub(crate) fn fill_channel_with_value(row: &mut CpuColumnsView, n: usize, val: U256) { - let channel = &mut row.mem_channels[n]; - let val_limbs: [u64; 4] = val.0; - for (i, limb) in val_limbs.into_iter().enumerate() { - channel.value[2 * i] = F::from_canonical_u32(limb as u32); - channel.value[2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } -} - -/// Pushes without writing in memory. This happens in opcodes where a push immediately follows a pop. -pub(crate) fn push_no_write(state: &mut GenerationState, val: U256) { - state.registers.stack_top = val; - state.registers.stack_len += 1; -} - -/// Pushes and (maybe) writes the previous stack top in memory. This happens in opcodes which only push. -pub(crate) fn push_with_write( - state: &mut GenerationState, - row: &mut CpuColumnsView, - val: U256, -) -> Result<(), ProgramError> { - if !state.registers.is_kernel && state.registers.stack_len >= MAX_USER_STACK_SIZE { - return Err(ProgramError::StackOverflow); - } - - let write = if state.registers.stack_len == 0 { - None - } else { - let address = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1, - ); - let res = mem_write_partial_log_and_fill(address, state, row, state.registers.stack_top); - Some(res) - }; - push_no_write(state, val); - if let Some(log) = write { - state.traces.push_memory(log); - row.partial_channel.used = F::ONE; - } - Ok(()) -} - -pub(crate) fn mem_read_with_log( - channel: MemoryChannel, - address: MemoryAddress, - state: &GenerationState, -) -> (U256, MemoryOp) { - let val = state.memory.get(address); - let op = MemoryOp::new( - channel, - state.traces.clock(), - address, - MemoryOpKind::Read, - val, - ); - (val, op) -} - -pub(crate) fn mem_write_log( - channel: MemoryChannel, - address: MemoryAddress, - state: &GenerationState, - val: U256, -) -> MemoryOp { - MemoryOp::new( - channel, - state.traces.clock(), - address, - MemoryOpKind::Write, - val, - ) -} - -pub(crate) fn mem_read_code_with_log_and_fill( - address: MemoryAddress, - state: &GenerationState, - row: &mut CpuColumnsView, -) -> (u8, MemoryOp) { - let (val, op) = mem_read_with_log(MemoryChannel::Code, address, state); - - let val_u8 = to_byte_checked(val); - row.opcode_bits = to_bits_le(val_u8); - - (val_u8, op) -} - -pub(crate) fn mem_read_gp_with_log_and_fill( - n: usize, - address: MemoryAddress, - state: &GenerationState, - row: &mut CpuColumnsView, -) -> (U256, MemoryOp) { - let (val, op) = mem_read_with_log(MemoryChannel::GeneralPurpose(n), address, state); - let val_limbs: [u64; 4] = val.0; - - let channel = &mut row.mem_channels[n]; - assert_eq!(channel.used, F::ZERO); - channel.used = F::ONE; - channel.is_read = F::ONE; - channel.addr_context = F::from_canonical_usize(address.context); - channel.addr_segment = F::from_canonical_usize(address.segment); - channel.addr_virtual = F::from_canonical_usize(address.virt); - for (i, limb) in val_limbs.into_iter().enumerate() { - channel.value[2 * i] = F::from_canonical_u32(limb as u32); - channel.value[2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } - - (val, op) -} - -pub(crate) fn mem_write_gp_log_and_fill( - n: usize, - address: MemoryAddress, - state: &GenerationState, - row: &mut CpuColumnsView, - val: U256, -) -> MemoryOp { - let op = mem_write_log(MemoryChannel::GeneralPurpose(n), address, state, val); - let val_limbs: [u64; 4] = val.0; - - let channel = &mut row.mem_channels[n]; - assert_eq!(channel.used, F::ZERO); - channel.used = F::ONE; - channel.is_read = F::ZERO; - channel.addr_context = F::from_canonical_usize(address.context); - channel.addr_segment = F::from_canonical_usize(address.segment); - channel.addr_virtual = F::from_canonical_usize(address.virt); - for (i, limb) in val_limbs.into_iter().enumerate() { - channel.value[2 * i] = F::from_canonical_u32(limb as u32); - channel.value[2 * i + 1] = F::from_canonical_u32((limb >> 32) as u32); - } - - op -} - -pub(crate) fn mem_write_partial_log_and_fill( - address: MemoryAddress, - state: &GenerationState, - row: &mut CpuColumnsView, - val: U256, -) -> MemoryOp { - let op = mem_write_log(MemoryChannel::PartialChannel, address, state, val); - - let channel = &mut row.partial_channel; - assert!(channel.used.is_zero()); - channel.used = F::ONE; - channel.is_read = F::ZERO; - channel.addr_context = F::from_canonical_usize(address.context); - channel.addr_segment = F::from_canonical_usize(address.segment); - channel.addr_virtual = F::from_canonical_usize(address.virt); - - op -} - -// Channel 0 already contains the top of the stack. You only need to read -// from the second popped element. -// If the resulting stack isn't empty, update `stack_top`. -pub(crate) fn stack_pop_with_log_and_fill( - state: &mut GenerationState, - row: &mut CpuColumnsView, -) -> Result<[(U256, MemoryOp); N], ProgramError> { - if state.registers.stack_len < N { - return Err(ProgramError::StackUnderflow); - } - - let new_stack_top = if state.registers.stack_len == N { - None - } else { - Some(stack_peek(state, N)?) - }; - - let result = core::array::from_fn(|i| { - if i == 0 { - (state.registers.stack_top, DUMMY_MEMOP) - } else { - let address = MemoryAddress::new( - state.registers.context, - Segment::Stack, - state.registers.stack_len - 1 - i, - ); - - mem_read_gp_with_log_and_fill(i, address, state, row) - } - }); - - state.registers.stack_len -= N; - - if let Some(val) = new_stack_top { - state.registers.stack_top = val; - } - - Ok(result) -} - -fn xor_into_sponge( - state: &mut GenerationState, - sponge_state: &mut [u8; KECCAK_WIDTH_BYTES], - block: &[u8; KECCAK_RATE_BYTES], -) { - for i in (0..KECCAK_RATE_BYTES).step_by(32) { - let range = i..KECCAK_RATE_BYTES.min(i + 32); - let lhs = U256::from_little_endian(&sponge_state[range.clone()]); - let rhs = U256::from_little_endian(&block[range]); - state - .traces - .push_logic(logic::Operation::new(logic::Op::Xor, lhs, rhs)); - } - for i in 0..KECCAK_RATE_BYTES { - sponge_state[i] ^= block[i]; - } -} - -pub(crate) fn keccak_sponge_log( - state: &mut GenerationState, - base_address: MemoryAddress, - input: Vec, -) { - let clock = state.traces.clock(); - - let mut address = base_address; - let mut input_blocks = input.chunks_exact(KECCAK_RATE_BYTES); - let mut sponge_state = [0u8; KECCAK_WIDTH_BYTES]; - for block in input_blocks.by_ref() { - for &byte in block { - state.traces.push_memory(MemoryOp::new( - MemoryChannel::Code, - clock, - address, - MemoryOpKind::Read, - byte.into(), - )); - address.increment(); - } - xor_into_sponge(state, &mut sponge_state, block.try_into().unwrap()); - state - .traces - .push_keccak_bytes(sponge_state, clock * NUM_CHANNELS); - keccakf_u8s(&mut sponge_state); - } - - for &byte in input_blocks.remainder() { - state.traces.push_memory(MemoryOp::new( - MemoryChannel::Code, - clock, - address, - MemoryOpKind::Read, - byte.into(), - )); - address.increment(); - } - let mut final_block = [0u8; KECCAK_RATE_BYTES]; - final_block[..input_blocks.remainder().len()].copy_from_slice(input_blocks.remainder()); - // pad10*1 rule - if input_blocks.remainder().len() == KECCAK_RATE_BYTES - 1 { - // Both 1s are placed in the same byte. - final_block[input_blocks.remainder().len()] = 0b10000001; - } else { - final_block[input_blocks.remainder().len()] = 1; - final_block[KECCAK_RATE_BYTES - 1] = 0b10000000; - } - xor_into_sponge(state, &mut sponge_state, &final_block); - state - .traces - .push_keccak_bytes(sponge_state, clock * NUM_CHANNELS); - - state.traces.push_keccak_sponge(KeccakSpongeOp { - base_address, - timestamp: clock * NUM_CHANNELS, - input, - }); -} - -pub(crate) fn byte_packing_log( - state: &mut GenerationState, - base_address: MemoryAddress, - bytes: Vec, -) { - let clock = state.traces.clock(); - - let mut address = base_address; - for &byte in &bytes { - state.traces.push_memory(MemoryOp::new( - MemoryChannel::Code, - clock, - address, - MemoryOpKind::Read, - byte.into(), - )); - address.increment(); - } - - state.traces.push_byte_packing(BytePackingOp { - is_read: true, - base_address, - timestamp: clock * NUM_CHANNELS, - bytes, - }); -} - -pub(crate) fn byte_unpacking_log( - state: &mut GenerationState, - base_address: MemoryAddress, - val: U256, - len: usize, -) { - let clock = state.traces.clock(); - - let mut bytes = vec![0; 32]; - val.to_little_endian(&mut bytes); - bytes.resize(len, 0); - bytes.reverse(); - - let mut address = base_address; - for &byte in &bytes { - state.traces.push_memory(MemoryOp::new( - MemoryChannel::Code, - clock, - address, - MemoryOpKind::Write, - byte.into(), - )); - address.increment(); - } - - state.traces.push_byte_packing(BytePackingOp { - is_read: false, - base_address, - timestamp: clock * NUM_CHANNELS, - bytes, - }); -} diff --git a/evm/tests/add11_yml.rs b/evm/tests/add11_yml.rs deleted file mode 100644 index 6a15dfc06d..0000000000 --- a/evm/tests/add11_yml.rs +++ /dev/null @@ -1,179 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// The `add11_yml` test case from https://github.com/ethereum/tests -#[test] -fn add11_yml() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender = hex!("a94f5374fce5edbc8e2a8697c15331677e6ebf0b"); - let to = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_hashed = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - - let code = [0x60, 0x01, 0x60, 0x01, 0x01, 0x60, 0x00, 0x55, 0x00]; - let code_hash = keccak(code); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - balance: 0x0de0b6b3a7640000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(to_hashed, Node::Empty.into())], - }; - - let txn = hex!("f863800a83061a8094095e7baea6a6c7c4c2dfeb977efac326af552d87830186a0801ba0ffb600e63115a7362e7811894a91d8ba4330e526f22121c994c4692035dfdfd5a06198379fcac8de3dbfac48b165df4bf88e2088f294b61efb9a65fe2281c76e16"); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: 0xa868u64.into(), - block_bloom: [0.into(); 8], - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let expected_state_trie_after = { - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_after = AccountRlp { - balance: 0xde0b6b3a75be550u64.into(), - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = AccountRlp { - balance: 0xde0b6b3a76586a0u64.into(), - code_hash, - // Storage map: { 0 => 2 } - storage_root: HashedPartialTrie::from(Node::Leaf { - nibbles: Nibbles::from_h256_be(keccak([0u8; 32])), - value: vec![2], - }) - .hash(), - ..AccountRlp::default() - }; - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after - .insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 0xa868u64.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - block_metadata, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 0xa868u64.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/basic_smart_contract.rs b/evm/tests/basic_smart_contract.rs deleted file mode 100644 index 7d07ca19ac..0000000000 --- a/evm/tests/basic_smart_contract.rs +++ /dev/null @@ -1,216 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::cpu::kernel::opcodes::{get_opcode, get_push_opcode}; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// Test a simple token transfer to a new address. -#[test] -#[ignore] // Too slow to run on CI. -fn test_basic_smart_contract() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"); - let sender = hex!("2c7536e3605d9c16a7a3d7b1898e529396a65c23"); - let to = hex!("a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_state_key = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_state_key.as_bytes()).unwrap(); - - let push1 = get_push_opcode(1); - let add = get_opcode("ADD"); - let stop = get_opcode("STOP"); - let code = [push1, 3, push1, 4, add, stop]; - let code_gas = 3 + 3 + 3; - let code_hash = keccak(code); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_before = AccountRlp { - nonce: 5.into(), - balance: eth_to_wei(100_000.into()), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - code_hash, - ..AccountRlp::default() - }; - - let state_trie_before = { - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[beneficiary_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: beneficiary_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&beneficiary_account_before).to_vec(), - } - .into(); - children[sender_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: sender_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&sender_account_before).to_vec(), - } - .into(); - children[to_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: to_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&to_account_before).to_vec(), - } - .into(); - Node::Branch { - children, - value: vec![], - } - } - .into(); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![], - }; - - let txdata_gas = 2 * 16; - let gas_used = 21_000 + code_gas + txdata_gas; - - // Generated using a little py-evm script. - let txn = hex!("f861050a8255f094a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0648242421ba02c89eb757d9deeb1f5b3859a9d4d679951ef610ac47ad4608dc142beb1b7e313a05af7e9fbab825455d36c36c7f4cfcafbeafa9a77bdff936b52afb36d4fe4bcdd"); - let value = U256::from(100u32); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_difficulty: 0x20000.into(), - block_number: 1.into(), - block_chain_id: 1.into(), - block_timestamp: 0x03e8.into(), - block_gaslimit: 0xff112233u32.into(), - block_gas_used: gas_used.into(), - block_bloom: [0.into(); 8], - block_base_fee: 0xa.into(), - block_random: Default::default(), - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let expected_state_trie_after: HashedPartialTrie = { - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_after = AccountRlp { - balance: sender_account_before.balance - value - gas_used * 10, - nonce: sender_account_before.nonce + 1, - ..sender_account_before - }; - let to_account_after = AccountRlp { - balance: to_account_before.balance + value, - ..to_account_before - }; - - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[beneficiary_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: beneficiary_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&beneficiary_account_after).to_vec(), - } - .into(); - children[sender_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: sender_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&sender_account_after).to_vec(), - } - .into(); - children[to_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: to_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&to_account_after).to_vec(), - } - .into(); - Node::Branch { - children, - value: vec![], - } - } - .into(); - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn eth_to_wei(eth: U256) -> U256 { - // 1 ether = 10^18 wei. - eth * U256::from(10).pow(18.into()) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/empty_txn_list.rs b/evm/tests/empty_txn_list.rs deleted file mode 100644 index 15416c8c8d..0000000000 --- a/evm/tests/empty_txn_list.rs +++ /dev/null @@ -1,153 +0,0 @@ -use core::marker::PhantomData; -use std::collections::HashMap; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{BigEndianHash, H256}; -use keccak_hash::keccak; -use log::info; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::PoseidonGoldilocksConfig; -use plonky2::util::serialization::{DefaultGateSerializer, DefaultGeneratorSerializer}; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::fixed_recursive_verifier::AllRecursiveCircuits; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, PublicValues, TrieRoots}; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = PoseidonGoldilocksConfig; - -/// Execute the empty list of transactions, i.e. a no-op. -#[test] -#[ignore] // Too slow to run on CI. -fn test_empty_txn_list() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let block_metadata = BlockMetadata { - block_number: 1.into(), - ..Default::default() - }; - - let state_trie = HashedPartialTrie::from(Node::Empty); - let transactions_trie = HashedPartialTrie::from(Node::Empty); - let receipts_trie = HashedPartialTrie::from(Node::Empty); - let storage_tries = vec![]; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - - // No transactions, so no trie roots change. - let trie_roots_after = TrieRoots { - state_root: state_trie.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let mut initial_block_hashes = vec![H256::default(); 256]; - initial_block_hashes[255] = H256::from_uint(&0x200.into()); - let inputs = GenerationInputs { - signed_txn: None, - withdrawals: vec![], - tries: TrieInputs { - state_trie, - transactions_trie, - receipts_trie, - storage_tries, - }, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 0.into(), - block_hashes: BlockHashes { - prev_hashes: initial_block_hashes, - cur_hash: H256::default(), - }, - }; - - // Initialize the preprocessed circuits for the zkEVM. - let all_circuits = AllRecursiveCircuits::::new( - &all_stark, - &[16..17, 9..11, 12..13, 14..15, 9..11, 12..13, 17..18], // Minimal ranges to prove an empty list - &config, - ); - - { - let gate_serializer = DefaultGateSerializer; - let generator_serializer = DefaultGeneratorSerializer:: { - _phantom: PhantomData::, - }; - - let timing = TimingTree::new("serialize AllRecursiveCircuits", log::Level::Info); - let all_circuits_bytes = all_circuits - .to_bytes(false, &gate_serializer, &generator_serializer) - .map_err(|_| anyhow::Error::msg("AllRecursiveCircuits serialization failed."))?; - timing.filter(Duration::from_millis(100)).print(); - info!( - "AllRecursiveCircuits length: {} bytes", - all_circuits_bytes.len() - ); - - let timing = TimingTree::new("deserialize AllRecursiveCircuits", log::Level::Info); - let all_circuits_from_bytes = AllRecursiveCircuits::::from_bytes( - &all_circuits_bytes, - false, - &gate_serializer, - &generator_serializer, - ) - .map_err(|_| anyhow::Error::msg("AllRecursiveCircuits deserialization failed."))?; - timing.filter(Duration::from_millis(100)).print(); - - assert_eq!(all_circuits, all_circuits_from_bytes); - } - - let mut timing = TimingTree::new("prove", log::Level::Info); - let (root_proof, public_values) = - all_circuits.prove_root(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - all_circuits.verify_root(root_proof.clone())?; - - // Test retrieved public values from the proof public inputs. - let retrieved_public_values = PublicValues::from_public_inputs(&root_proof.public_inputs); - assert_eq!(retrieved_public_values, public_values); - - // We can duplicate the proofs here because the state hasn't mutated. - let (agg_proof, agg_public_values) = all_circuits.prove_aggregation( - false, - &root_proof, - public_values.clone(), - false, - &root_proof, - public_values, - )?; - all_circuits.verify_aggregation(&agg_proof)?; - - // Test retrieved public values from the proof public inputs. - let retrieved_public_values = PublicValues::from_public_inputs(&agg_proof.public_inputs); - assert_eq!(retrieved_public_values, agg_public_values); - - let (block_proof, block_public_values) = - all_circuits.prove_block(None, &agg_proof, agg_public_values)?; - all_circuits.verify_block(&block_proof)?; - - // Test retrieved public values from the proof public inputs. - let retrieved_public_values = PublicValues::from_public_inputs(&block_proof.public_inputs); - assert_eq!(retrieved_public_values, block_public_values); - - // Get the verifier associated to these preprocessed circuits, and have it verify the block_proof. - let verifier = all_circuits.final_verifier_data(); - verifier.verify(block_proof) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/erc20.rs b/evm/tests/erc20.rs deleted file mode 100644 index 48d0d75364..0000000000 --- a/evm/tests/erc20.rs +++ /dev/null @@ -1,287 +0,0 @@ -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H160, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp, LogRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// Test a simple ERC20 transfer. -/// Used the following Solidity code: -/// ```solidity -/// pragma solidity ^0.8.13; -/// import "../lib/openzeppelin-contracts/contracts/token/ERC20/ERC20.sol"; -/// contract Token is ERC20 { -/// constructor() ERC20("Token", "TKN") { -/// _mint(msg.sender, 1_000_000 ether); -/// } -/// } -/// contract Giver { -/// Token public token; -/// constructor(address _token) { -/// token = Token(_token); -/// } -/// function send(uint256 amount) public { -/// token.transfer(0x1f9090aaE28b8a3dCeaDf281B0F12828e676c326, amount); -/// } -/// } -/// ``` -#[test] -fn test_erc20() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"); - let sender = hex!("70997970C51812dc3A010C7d01b50e0d17dc79C8"); - let giver = hex!("e7f1725E7734CE288F8367e1Bb143E90bb3F0512"); - let token = hex!("5FbDB2315678afecb367f032d93F642f64180aa3"); - - let sender_state_key = keccak(sender); - let giver_state_key = keccak(giver); - let token_state_key = keccak(token); - - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let giver_nibbles = Nibbles::from_bytes_be(giver_state_key.as_bytes()).unwrap(); - let token_nibbles = Nibbles::from_bytes_be(token_state_key.as_bytes()).unwrap(); - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account()).to_vec()); - state_trie_before.insert(giver_nibbles, rlp::encode(&giver_account()).to_vec()); - state_trie_before.insert(token_nibbles, rlp::encode(&token_account()).to_vec()); - - let storage_tries = vec![ - (giver_state_key, giver_storage()), - (token_state_key, token_storage()), - ]; - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: HashedPartialTrie::from(Node::Empty), - receipts_trie: HashedPartialTrie::from(Node::Empty), - storage_tries, - }; - - let txn = signed_tx(); - - let gas_used = 56_499.into(); - let bloom = bloom(); - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: gas_used, - block_bloom: bloom, - }; - - let contract_code = [giver_bytecode(), token_bytecode(), vec![]] - .map(|v| (keccak(v.clone()), v)) - .into(); - - let expected_state_trie_after: HashedPartialTrie = { - let mut state_trie_after = HashedPartialTrie::from(Node::Empty); - let sender_account = sender_account(); - let sender_account_after = AccountRlp { - nonce: sender_account.nonce + 1, - balance: sender_account.balance - gas_used * 0xa, - ..sender_account - }; - state_trie_after.insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - state_trie_after.insert(giver_nibbles, rlp::encode(&giver_account()).to_vec()); - let token_account_after = AccountRlp { - storage_root: token_storage_after().hash(), - ..token_account() - }; - state_trie_after.insert(token_nibbles, rlp::encode(&token_account_after).to_vec()); - - state_trie_after - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used, - bloom: bloom_bytes().to_vec().into(), - logs: vec![LogRlp { - address: H160::from_str("0x5fbdb2315678afecb367f032d93f642f64180aa3").unwrap(), - topics: vec![ - H256::from_str( - "0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef", - ) - .unwrap(), - H256::from_str( - "0x000000000000000000000000e7f1725e7734ce288f8367e1bb143e90bb3f0512", - ) - .unwrap(), - H256::from_str( - "0x0000000000000000000000001f9090aae28b8a3dceadf281b0f12828e676c326", - ) - .unwrap(), - ], - data: hex!("0000000000000000000000000000000000000000000000056bc75e2d63100000") - .to_vec() - .into(), - }], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert(Nibbles::from_str("0x80").unwrap(), receipt_0.encode(2)); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used, - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} - -fn giver_bytecode() -> Vec { - hex!("608060405234801561001057600080fd5b50600436106100365760003560e01c8063a52c101e1461003b578063fc0c546a14610050575b600080fd5b61004e61004936600461010c565b61007f565b005b600054610063906001600160a01b031681565b6040516001600160a01b03909116815260200160405180910390f35b60005460405163a9059cbb60e01b8152731f9090aae28b8a3dceadf281b0f12828e676c3266004820152602481018390526001600160a01b039091169063a9059cbb906044016020604051808303816000875af11580156100e4573d6000803e3d6000fd5b505050506040513d601f19601f820116820180604052508101906101089190610125565b5050565b60006020828403121561011e57600080fd5b5035919050565b60006020828403121561013757600080fd5b8151801515811461014757600080fd5b939250505056fea264697066735822122050741efdbac11eb0bbb776ce3ac6004e596b7d7559658a12506164388c371cfd64736f6c63430008140033").into() -} - -fn token_bytecode() -> Vec { - hex!("608060405234801561001057600080fd5b50600436106100935760003560e01c8063313ce56711610066578063313ce567146100fe57806370a082311461010d57806395d89b4114610136578063a9059cbb1461013e578063dd62ed3e1461015157600080fd5b806306fdde0314610098578063095ea7b3146100b657806318160ddd146100d957806323b872dd146100eb575b600080fd5b6100a061018a565b6040516100ad919061056a565b60405180910390f35b6100c96100c43660046105d4565b61021c565b60405190151581526020016100ad565b6002545b6040519081526020016100ad565b6100c96100f93660046105fe565b610236565b604051601281526020016100ad565b6100dd61011b36600461063a565b6001600160a01b031660009081526020819052604090205490565b6100a061025a565b6100c961014c3660046105d4565b610269565b6100dd61015f36600461065c565b6001600160a01b03918216600090815260016020908152604080832093909416825291909152205490565b6060600380546101999061068f565b80601f01602080910402602001604051908101604052809291908181526020018280546101c59061068f565b80156102125780601f106101e757610100808354040283529160200191610212565b820191906000526020600020905b8154815290600101906020018083116101f557829003601f168201915b5050505050905090565b60003361022a818585610277565b60019150505b92915050565b600033610244858285610289565b61024f85858561030c565b506001949350505050565b6060600480546101999061068f565b60003361022a81858561030c565b610284838383600161036b565b505050565b6001600160a01b03838116600090815260016020908152604080832093861683529290522054600019811461030657818110156102f757604051637dc7a0d960e11b81526001600160a01b038416600482015260248101829052604481018390526064015b60405180910390fd5b6103068484848403600061036b565b50505050565b6001600160a01b03831661033657604051634b637e8f60e11b8152600060048201526024016102ee565b6001600160a01b0382166103605760405163ec442f0560e01b8152600060048201526024016102ee565b610284838383610440565b6001600160a01b0384166103955760405163e602df0560e01b8152600060048201526024016102ee565b6001600160a01b0383166103bf57604051634a1406b160e11b8152600060048201526024016102ee565b6001600160a01b038085166000908152600160209081526040808320938716835292905220829055801561030657826001600160a01b0316846001600160a01b03167f8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b9258460405161043291815260200190565b60405180910390a350505050565b6001600160a01b03831661046b57806002600082825461046091906106c9565b909155506104dd9050565b6001600160a01b038316600090815260208190526040902054818110156104be5760405163391434e360e21b81526001600160a01b038516600482015260248101829052604481018390526064016102ee565b6001600160a01b03841660009081526020819052604090209082900390555b6001600160a01b0382166104f957600280548290039055610518565b6001600160a01b03821660009081526020819052604090208054820190555b816001600160a01b0316836001600160a01b03167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef8360405161055d91815260200190565b60405180910390a3505050565b600060208083528351808285015260005b818110156105975785810183015185820160400152820161057b565b506000604082860101526040601f19601f8301168501019250505092915050565b80356001600160a01b03811681146105cf57600080fd5b919050565b600080604083850312156105e757600080fd5b6105f0836105b8565b946020939093013593505050565b60008060006060848603121561061357600080fd5b61061c846105b8565b925061062a602085016105b8565b9150604084013590509250925092565b60006020828403121561064c57600080fd5b610655826105b8565b9392505050565b6000806040838503121561066f57600080fd5b610678836105b8565b9150610686602084016105b8565b90509250929050565b600181811c908216806106a357607f821691505b6020821081036106c357634e487b7160e01b600052602260045260246000fd5b50919050565b8082018082111561023057634e487b7160e01b600052601160045260246000fdfea2646970667358221220266a323ae4a816f6c6342a5be431fedcc0d45c44b02ea75f5474eb450b5d45b364736f6c63430008140033").into() -} - -fn insert_storage(trie: &mut HashedPartialTrie, slot: U256, value: U256) { - let mut bytes = [0; 32]; - slot.to_big_endian(&mut bytes); - let key = keccak(bytes); - let nibbles = Nibbles::from_bytes_be(key.as_bytes()).unwrap(); - let r = rlp::encode(&value); - let r = r.freeze().to_vec(); - trie.insert(nibbles, r); -} - -fn sd2u(s: &str) -> U256 { - U256::from_dec_str(s).unwrap() -} - -fn giver_storage() -> HashedPartialTrie { - let mut trie = HashedPartialTrie::from(Node::Empty); - insert_storage( - &mut trie, - U256::zero(), - sd2u("546584486846459126461364135121053344201067465379"), - ); - trie -} - -fn token_storage() -> HashedPartialTrie { - let mut trie = HashedPartialTrie::from(Node::Empty); - insert_storage( - &mut trie, - sd2u("82183438603287090451672504949863617512989139203883434767553028632841710582583"), - sd2u("1000000000000000000000"), - ); - trie -} - -fn token_storage_after() -> HashedPartialTrie { - let mut trie = HashedPartialTrie::from(Node::Empty); - insert_storage( - &mut trie, - sd2u("82183438603287090451672504949863617512989139203883434767553028632841710582583"), - sd2u("900000000000000000000"), - ); - insert_storage( - &mut trie, - sd2u("53006154680716014998529145169423020330606407246856709517064848190396281160729"), - sd2u("100000000000000000000"), - ); - trie -} - -fn giver_account() -> AccountRlp { - AccountRlp { - nonce: 1.into(), - balance: 0.into(), - storage_root: giver_storage().hash(), - code_hash: keccak(giver_bytecode()), - } -} - -fn token_account() -> AccountRlp { - AccountRlp { - nonce: 1.into(), - balance: 0.into(), - storage_root: token_storage().hash(), - code_hash: keccak(token_bytecode()), - } -} - -fn sender_account() -> AccountRlp { - AccountRlp { - nonce: 0.into(), - balance: sd2u("10000000000000000000000"), - storage_root: Default::default(), - code_hash: keccak([]), - } -} - -fn signed_tx() -> Vec { - hex!("02f88701800a0a830142c594e7f1725e7734ce288f8367e1bb143e90bb3f051280a4a52c101e0000000000000000000000000000000000000000000000056bc75e2d63100000c001a0303f5591159d7ea303faecb1c8bd8624b55732f769de28b111190dfb9a7c5234a019d5d6d38938dc1c63acbe106cf361672def773ace4ca587860117d057326627").into() -} - -fn bloom_bytes() -> [u8; 256] { - hex!("00000000000000000400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000008000000000000000000000000000000000040000000000000000000000000000000000000000000000014000000000000000000000000000000000000000000000000000000000000000200000000000000000000000000000002000000000000000000000000000000000000000000000042000000000000000000000000000000000000000000020000000000080000000000000000000000000000000000000000000000000000000000000000") -} - -fn bloom() -> [U256; 8] { - let bloom = bloom_bytes() - .chunks_exact(32) - .map(U256::from_big_endian) - .collect::>(); - bloom.try_into().unwrap() -} diff --git a/evm/tests/erc721.rs b/evm/tests/erc721.rs deleted file mode 100644 index 0c6d50d836..0000000000 --- a/evm/tests/erc721.rs +++ /dev/null @@ -1,314 +0,0 @@ -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H160, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp, LogRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// Test a simple ERC721 token transfer. -/// Used the following Solidity code: -/// ```solidity -/// pragma solidity ^0.8.20; -/// -/// import "@openzeppelin/contracts@5.0.1/token/ERC721/ERC721.sol"; -/// import "@openzeppelin/contracts@5.0.1/access/Ownable.sol"; -/// -/// contract TestToken is ERC721, Ownable { -/// constructor(address initialOwner) -/// ERC721("TestToken", "TEST") -/// Ownable(initialOwner) -/// {} -/// -/// function safeMint(address to, uint256 tokenId) public onlyOwner { -/// _safeMint(to, tokenId); -/// } -/// } -/// ``` -/// -/// The transaction calls the `safeTransferFrom` function to transfer token `1337` from address -/// `0x5B38Da6a701c568545dCfcB03FcB875f56beddC4` to address `0xAb8483F64d9C6d1EcF9b849Ae677dD3315835cb2`. -#[test] -fn test_erc721() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"); - let owner = hex!("5B38Da6a701c568545dCfcB03FcB875f56beddC4"); - let contract = hex!("f2B1114C644cBb3fF63Bf1dD284c8Cd716e95BE9"); - - let owner_state_key = keccak(owner); - let contract_state_key = keccak(contract); - - let owner_nibbles = Nibbles::from_bytes_be(owner_state_key.as_bytes()).unwrap(); - let contract_nibbles = Nibbles::from_bytes_be(contract_state_key.as_bytes()).unwrap(); - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert(owner_nibbles, rlp::encode(&owner_account()).to_vec()); - state_trie_before.insert(contract_nibbles, rlp::encode(&contract_account()).to_vec()); - - let storage_tries = vec![(contract_state_key, contract_storage())]; - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: HashedPartialTrie::from(Node::Empty), - receipts_trie: HashedPartialTrie::from(Node::Empty), - storage_tries, - }; - - let txn = signed_tx(); - - let gas_used = 58_418.into(); - - let contract_code = [contract_bytecode(), vec![]] - .map(|v| (keccak(v.clone()), v)) - .into(); - - let expected_state_trie_after: HashedPartialTrie = { - let mut state_trie_after = HashedPartialTrie::from(Node::Empty); - let owner_account = owner_account(); - let owner_account_after = AccountRlp { - nonce: owner_account.nonce + 1, - balance: owner_account.balance - gas_used * 0xa, - ..owner_account - }; - state_trie_after.insert(owner_nibbles, rlp::encode(&owner_account_after).to_vec()); - let contract_account_after = AccountRlp { - storage_root: contract_storage_after().hash(), - ..contract_account() - }; - state_trie_after.insert( - contract_nibbles, - rlp::encode(&contract_account_after).to_vec(), - ); - - state_trie_after - }; - - let logs = vec![LogRlp { - address: H160::from_str("0xf2B1114C644cBb3fF63Bf1dD284c8Cd716e95BE9").unwrap(), - topics: vec![ - H256::from_str("0xddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef") - .unwrap(), - H256::from_str("0x0000000000000000000000005b38da6a701c568545dcfcb03fcb875f56beddc4") - .unwrap(), - H256::from_str("0x000000000000000000000000ab8483f64d9c6d1ecf9b849ae677dd3315835cb2") - .unwrap(), - H256::from_str("0x0000000000000000000000000000000000000000000000000000000000000539") - .unwrap(), - ], - data: vec![].into(), - }]; - - let mut bloom_bytes = [0u8; 256]; - add_logs_to_bloom(&mut bloom_bytes, &logs); - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used, - bloom: bloom_bytes.to_vec().into(), - logs, - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert(Nibbles::from_str("0x80").unwrap(), receipt_0.encode(0)); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let bloom = bloom_bytes - .chunks_exact(32) - .map(U256::from_big_endian) - .collect::>(); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: gas_used, - block_bloom: bloom.try_into().unwrap(), - }; - - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used, - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} - -fn contract_bytecode() -> Vec { - hex!("608060405234801561000f575f80fd5b5060043610610109575f3560e01c8063715018a6116100a0578063a22cb4651161006f578063a22cb465146102a1578063b88d4fde146102bd578063c87b56dd146102d9578063e985e9c514610309578063f2fde38b1461033957610109565b8063715018a61461023f5780638da5cb5b1461024957806395d89b4114610267578063a14481941461028557610109565b806323b872dd116100dc57806323b872dd146101a757806342842e0e146101c35780636352211e146101df57806370a082311461020f57610109565b806301ffc9a71461010d57806306fdde031461013d578063081812fc1461015b578063095ea7b31461018b575b5f80fd5b61012760048036038101906101229190611855565b610355565b604051610134919061189a565b60405180910390f35b610145610436565b604051610152919061193d565b60405180910390f35b61017560048036038101906101709190611990565b6104c5565b60405161018291906119fa565b60405180910390f35b6101a560048036038101906101a09190611a3d565b6104e0565b005b6101c160048036038101906101bc9190611a7b565b6104f6565b005b6101dd60048036038101906101d89190611a7b565b6105f5565b005b6101f960048036038101906101f49190611990565b610614565b60405161020691906119fa565b60405180910390f35b61022960048036038101906102249190611acb565b610625565b6040516102369190611b05565b60405180910390f35b6102476106db565b005b6102516106ee565b60405161025e91906119fa565b60405180910390f35b61026f610716565b60405161027c919061193d565b60405180910390f35b61029f600480360381019061029a9190611a3d565b6107a6565b005b6102bb60048036038101906102b69190611b48565b6107bc565b005b6102d760048036038101906102d29190611cb2565b6107d2565b005b6102f360048036038101906102ee9190611990565b6107ef565b604051610300919061193d565b60405180910390f35b610323600480360381019061031e9190611d32565b610855565b604051610330919061189a565b60405180910390f35b610353600480360381019061034e9190611acb565b6108e3565b005b5f7f80ac58cd000000000000000000000000000000000000000000000000000000007bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916827bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916148061041f57507f5b5e139f000000000000000000000000000000000000000000000000000000007bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916827bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916145b8061042f575061042e82610967565b5b9050919050565b60605f805461044490611d9d565b80601f016020809104026020016040519081016040528092919081815260200182805461047090611d9d565b80156104bb5780601f10610492576101008083540402835291602001916104bb565b820191905f5260205f20905b81548152906001019060200180831161049e57829003601f168201915b5050505050905090565b5f6104cf826109d0565b506104d982610a56565b9050919050565b6104f282826104ed610a8f565b610a96565b5050565b5f73ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff1603610566575f6040517f64a0ae9200000000000000000000000000000000000000000000000000000000815260040161055d91906119fa565b60405180910390fd5b5f6105798383610574610a8f565b610aa8565b90508373ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff16146105ef578382826040517f64283d7b0000000000000000000000000000000000000000000000000000000081526004016105e693929190611dcd565b60405180910390fd5b50505050565b61060f83838360405180602001604052805f8152506107d2565b505050565b5f61061e826109d0565b9050919050565b5f8073ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff1603610696575f6040517f89c62b6400000000000000000000000000000000000000000000000000000000815260040161068d91906119fa565b60405180910390fd5b60035f8373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f20549050919050565b6106e3610cb3565b6106ec5f610d3a565b565b5f60065f9054906101000a900473ffffffffffffffffffffffffffffffffffffffff16905090565b60606001805461072590611d9d565b80601f016020809104026020016040519081016040528092919081815260200182805461075190611d9d565b801561079c5780601f106107735761010080835404028352916020019161079c565b820191905f5260205f20905b81548152906001019060200180831161077f57829003601f168201915b5050505050905090565b6107ae610cb3565b6107b88282610dfd565b5050565b6107ce6107c7610a8f565b8383610e1a565b5050565b6107dd8484846104f6565b6107e984848484610f83565b50505050565b60606107fa826109d0565b505f610804611135565b90505f8151116108225760405180602001604052805f81525061084d565b8061082c8461114b565b60405160200161083d929190611e3c565b6040516020818303038152906040525b915050919050565b5f60055f8473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f8373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f9054906101000a900460ff16905092915050565b6108eb610cb3565b5f73ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff160361095b575f6040517f1e4fbdf700000000000000000000000000000000000000000000000000000000815260040161095291906119fa565b60405180910390fd5b61096481610d3a565b50565b5f7f01ffc9a7000000000000000000000000000000000000000000000000000000007bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916827bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916149050919050565b5f806109db83611215565b90505f73ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff1603610a4d57826040517f7e273289000000000000000000000000000000000000000000000000000000008152600401610a449190611b05565b60405180910390fd5b80915050919050565b5f60045f8381526020019081526020015f205f9054906101000a900473ffffffffffffffffffffffffffffffffffffffff169050919050565b5f33905090565b610aa3838383600161124e565b505050565b5f80610ab384611215565b90505f73ffffffffffffffffffffffffffffffffffffffff168373ffffffffffffffffffffffffffffffffffffffff1614610af457610af381848661140d565b5b5f73ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff1614610b7f57610b335f855f8061124e565b600160035f8373ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f82825403925050819055505b5f73ffffffffffffffffffffffffffffffffffffffff168573ffffffffffffffffffffffffffffffffffffffff1614610bfe57600160035f8773ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f82825401925050819055505b8460025f8681526020019081526020015f205f6101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff160217905550838573ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff167fddf252ad1be2c89b69c2b068fc378daa952ba7f163c4a11628f55a4df523b3ef60405160405180910390a4809150509392505050565b610cbb610a8f565b73ffffffffffffffffffffffffffffffffffffffff16610cd96106ee565b73ffffffffffffffffffffffffffffffffffffffff1614610d3857610cfc610a8f565b6040517f118cdaa7000000000000000000000000000000000000000000000000000000008152600401610d2f91906119fa565b60405180910390fd5b565b5f60065f9054906101000a900473ffffffffffffffffffffffffffffffffffffffff1690508160065f6101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff1602179055508173ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff167f8be0079c531659141344cd1fd0a4f28419497f9722a3daafe3b4186f6b6457e060405160405180910390a35050565b610e16828260405180602001604052805f8152506114d0565b5050565b5f73ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff1603610e8a57816040517f5b08ba18000000000000000000000000000000000000000000000000000000008152600401610e8191906119fa565b60405180910390fd5b8060055f8573ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f8473ffffffffffffffffffffffffffffffffffffffff1673ffffffffffffffffffffffffffffffffffffffff1681526020019081526020015f205f6101000a81548160ff0219169083151502179055508173ffffffffffffffffffffffffffffffffffffffff168373ffffffffffffffffffffffffffffffffffffffff167f17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c3183604051610f76919061189a565b60405180910390a3505050565b5f8373ffffffffffffffffffffffffffffffffffffffff163b111561112f578273ffffffffffffffffffffffffffffffffffffffff1663150b7a02610fc6610a8f565b8685856040518563ffffffff1660e01b8152600401610fe89493929190611eb1565b6020604051808303815f875af192505050801561102357506040513d601f19601f820116820180604052508101906110209190611f0f565b60015b6110a4573d805f8114611051576040519150601f19603f3d011682016040523d82523d5f602084013e611056565b606091505b505f81510361109c57836040517f64a0ae9200000000000000000000000000000000000000000000000000000000815260040161109391906119fa565b60405180910390fd5b805181602001fd5b63150b7a0260e01b7bffffffffffffffffffffffffffffffffffffffffffffffffffffffff1916817bffffffffffffffffffffffffffffffffffffffffffffffffffffffff19161461112d57836040517f64a0ae9200000000000000000000000000000000000000000000000000000000815260040161112491906119fa565b60405180910390fd5b505b50505050565b606060405180602001604052805f815250905090565b60605f6001611159846114eb565b0190505f8167ffffffffffffffff81111561117757611176611b8e565b5b6040519080825280601f01601f1916602001820160405280156111a95781602001600182028036833780820191505090505b5090505f82602001820190505b60011561120a578080600190039150507f3031323334353637383961626364656600000000000000000000000000000000600a86061a8153600a85816111ff576111fe611f3a565b5b0494505f85036111b6575b819350505050919050565b5f60025f8381526020019081526020015f205f9054906101000a900473ffffffffffffffffffffffffffffffffffffffff169050919050565b808061128657505f73ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff1614155b156113b8575f611295846109d0565b90505f73ffffffffffffffffffffffffffffffffffffffff168373ffffffffffffffffffffffffffffffffffffffff16141580156112ff57508273ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff1614155b801561131257506113108184610855565b155b1561135457826040517fa9fbf51f00000000000000000000000000000000000000000000000000000000815260040161134b91906119fa565b60405180910390fd5b81156113b657838573ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff167f8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b92560405160405180910390a45b505b8360045f8581526020019081526020015f205f6101000a81548173ffffffffffffffffffffffffffffffffffffffff021916908373ffffffffffffffffffffffffffffffffffffffff16021790555050505050565b61141883838361163c565b6114cb575f73ffffffffffffffffffffffffffffffffffffffff168373ffffffffffffffffffffffffffffffffffffffff160361148c57806040517f7e2732890000000000000000000000000000000000000000000000000000000081526004016114839190611b05565b60405180910390fd5b81816040517f177e802f0000000000000000000000000000000000000000000000000000000081526004016114c2929190611f67565b60405180910390fd5b505050565b6114da83836116fc565b6114e65f848484610f83565b505050565b5f805f90507a184f03e93ff9f4daa797ed6e38ed64bf6a1f0100000000000000008310611547577a184f03e93ff9f4daa797ed6e38ed64bf6a1f010000000000000000838161153d5761153c611f3a565b5b0492506040810190505b6d04ee2d6d415b85acef81000000008310611584576d04ee2d6d415b85acef8100000000838161157a57611579611f3a565b5b0492506020810190505b662386f26fc1000083106115b357662386f26fc1000083816115a9576115a8611f3a565b5b0492506010810190505b6305f5e10083106115dc576305f5e10083816115d2576115d1611f3a565b5b0492506008810190505b61271083106116015761271083816115f7576115f6611f3a565b5b0492506004810190505b60648310611624576064838161161a57611619611f3a565b5b0492506002810190505b600a8310611633576001810190505b80915050919050565b5f8073ffffffffffffffffffffffffffffffffffffffff168373ffffffffffffffffffffffffffffffffffffffff16141580156116f357508273ffffffffffffffffffffffffffffffffffffffff168473ffffffffffffffffffffffffffffffffffffffff1614806116b457506116b38484610855565b5b806116f257508273ffffffffffffffffffffffffffffffffffffffff166116da83610a56565b73ffffffffffffffffffffffffffffffffffffffff16145b5b90509392505050565b5f73ffffffffffffffffffffffffffffffffffffffff168273ffffffffffffffffffffffffffffffffffffffff160361176c575f6040517f64a0ae9200000000000000000000000000000000000000000000000000000000815260040161176391906119fa565b60405180910390fd5b5f61177883835f610aa8565b90505f73ffffffffffffffffffffffffffffffffffffffff168173ffffffffffffffffffffffffffffffffffffffff16146117ea575f6040517f73c6ac6e0000000000000000000000000000000000000000000000000000000081526004016117e191906119fa565b60405180910390fd5b505050565b5f604051905090565b5f80fd5b5f80fd5b5f7fffffffff0000000000000000000000000000000000000000000000000000000082169050919050565b61183481611800565b811461183e575f80fd5b50565b5f8135905061184f8161182b565b92915050565b5f6020828403121561186a576118696117f8565b5b5f61187784828501611841565b91505092915050565b5f8115159050919050565b61189481611880565b82525050565b5f6020820190506118ad5f83018461188b565b92915050565b5f81519050919050565b5f82825260208201905092915050565b5f5b838110156118ea5780820151818401526020810190506118cf565b5f8484015250505050565b5f601f19601f8301169050919050565b5f61190f826118b3565b61191981856118bd565b93506119298185602086016118cd565b611932816118f5565b840191505092915050565b5f6020820190508181035f8301526119558184611905565b905092915050565b5f819050919050565b61196f8161195d565b8114611979575f80fd5b50565b5f8135905061198a81611966565b92915050565b5f602082840312156119a5576119a46117f8565b5b5f6119b28482850161197c565b91505092915050565b5f73ffffffffffffffffffffffffffffffffffffffff82169050919050565b5f6119e4826119bb565b9050919050565b6119f4816119da565b82525050565b5f602082019050611a0d5f8301846119eb565b92915050565b611a1c816119da565b8114611a26575f80fd5b50565b5f81359050611a3781611a13565b92915050565b5f8060408385031215611a5357611a526117f8565b5b5f611a6085828601611a29565b9250506020611a718582860161197c565b9150509250929050565b5f805f60608486031215611a9257611a916117f8565b5b5f611a9f86828701611a29565b9350506020611ab086828701611a29565b9250506040611ac18682870161197c565b9150509250925092565b5f60208284031215611ae057611adf6117f8565b5b5f611aed84828501611a29565b91505092915050565b611aff8161195d565b82525050565b5f602082019050611b185f830184611af6565b92915050565b611b2781611880565b8114611b31575f80fd5b50565b5f81359050611b4281611b1e565b92915050565b5f8060408385031215611b5e57611b5d6117f8565b5b5f611b6b85828601611a29565b9250506020611b7c85828601611b34565b9150509250929050565b5f80fd5b5f80fd5b7f4e487b71000000000000000000000000000000000000000000000000000000005f52604160045260245ffd5b611bc4826118f5565b810181811067ffffffffffffffff82111715611be357611be2611b8e565b5b80604052505050565b5f611bf56117ef565b9050611c018282611bbb565b919050565b5f67ffffffffffffffff821115611c2057611c1f611b8e565b5b611c29826118f5565b9050602081019050919050565b828183375f83830152505050565b5f611c56611c5184611c06565b611bec565b905082815260208101848484011115611c7257611c71611b8a565b5b611c7d848285611c36565b509392505050565b5f82601f830112611c9957611c98611b86565b5b8135611ca9848260208601611c44565b91505092915050565b5f805f8060808587031215611cca57611cc96117f8565b5b5f611cd787828801611a29565b9450506020611ce887828801611a29565b9350506040611cf98782880161197c565b925050606085013567ffffffffffffffff811115611d1a57611d196117fc565b5b611d2687828801611c85565b91505092959194509250565b5f8060408385031215611d4857611d476117f8565b5b5f611d5585828601611a29565b9250506020611d6685828601611a29565b9150509250929050565b7f4e487b71000000000000000000000000000000000000000000000000000000005f52602260045260245ffd5b5f6002820490506001821680611db457607f821691505b602082108103611dc757611dc6611d70565b5b50919050565b5f606082019050611de05f8301866119eb565b611ded6020830185611af6565b611dfa60408301846119eb565b949350505050565b5f81905092915050565b5f611e16826118b3565b611e208185611e02565b9350611e308185602086016118cd565b80840191505092915050565b5f611e478285611e0c565b9150611e538284611e0c565b91508190509392505050565b5f81519050919050565b5f82825260208201905092915050565b5f611e8382611e5f565b611e8d8185611e69565b9350611e9d8185602086016118cd565b611ea6816118f5565b840191505092915050565b5f608082019050611ec45f8301876119eb565b611ed160208301866119eb565b611ede6040830185611af6565b8181036060830152611ef08184611e79565b905095945050505050565b5f81519050611f098161182b565b92915050565b5f60208284031215611f2457611f236117f8565b5b5f611f3184828501611efb565b91505092915050565b7f4e487b71000000000000000000000000000000000000000000000000000000005f52601260045260245ffd5b5f604082019050611f7a5f8301856119eb565b611f876020830184611af6565b939250505056fea2646970667358221220432b30673e00c0eb009e1718c271f4cfdfbeded17345829703b06d322360990164736f6c63430008160033").into() -} - -fn insert_storage(trie: &mut HashedPartialTrie, slot: U256, value: U256) { - let mut bytes = [0; 32]; - slot.to_big_endian(&mut bytes); - let key = keccak(bytes); - let nibbles = Nibbles::from_bytes_be(key.as_bytes()).unwrap(); - let r = rlp::encode(&value); - let r = r.freeze().to_vec(); - trie.insert(nibbles, r); -} - -fn sd2u(s: &str) -> U256 { - U256::from_dec_str(s).unwrap() -} - -fn sh2u(s: &str) -> U256 { - U256::from_str_radix(s, 16).unwrap() -} - -fn contract_storage() -> HashedPartialTrie { - let mut trie = HashedPartialTrie::from(Node::Empty); - insert_storage( - &mut trie, - U256::zero(), - sh2u("0x54657374546f6b656e0000000000000000000000000000000000000000000012"), - ); - insert_storage( - &mut trie, - U256::one(), - sh2u("0x5445535400000000000000000000000000000000000000000000000000000008"), - ); - insert_storage( - &mut trie, - sd2u("6"), - sh2u("0x5b38da6a701c568545dcfcb03fcb875f56beddc4"), - ); - insert_storage( - &mut trie, - sh2u("0x343ff8127bd64f680be4e996254dc3528603c6ecd54364b4cf956ebdd28f0028"), - sh2u("0x5b38da6a701c568545dcfcb03fcb875f56beddc4"), - ); - insert_storage( - &mut trie, - sh2u("0x118c1ea466562cb796e30ef705e4db752f5c39d773d22c5efd8d46f67194e78a"), - sd2u("1"), - ); - trie -} - -fn contract_storage_after() -> HashedPartialTrie { - let mut trie = HashedPartialTrie::from(Node::Empty); - insert_storage( - &mut trie, - U256::zero(), - sh2u("0x54657374546f6b656e0000000000000000000000000000000000000000000012"), - ); - insert_storage( - &mut trie, - U256::one(), - sh2u("0x5445535400000000000000000000000000000000000000000000000000000008"), - ); - insert_storage( - &mut trie, - sd2u("6"), - sh2u("0x5b38da6a701c568545dcfcb03fcb875f56beddc4"), - ); - insert_storage( - &mut trie, - sh2u("0x343ff8127bd64f680be4e996254dc3528603c6ecd54364b4cf956ebdd28f0028"), - sh2u("0xab8483f64d9c6d1ecf9b849ae677dd3315835cb2"), - ); - insert_storage( - &mut trie, - sh2u("0xf3aa6a8a9f7e3707e36cc99c499a27514922afe861ec3d80a1a314409cba92f9"), - sd2u("1"), - ); - trie -} - -fn owner_account() -> AccountRlp { - AccountRlp { - nonce: 2.into(), - balance: 0x1000000.into(), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak([]), - } -} - -fn contract_account() -> AccountRlp { - AccountRlp { - nonce: 0.into(), - balance: 0.into(), - storage_root: contract_storage().hash(), - code_hash: keccak(contract_bytecode()), - } -} - -fn signed_tx() -> Vec { - hex!("f8c5020a8307a12094f2b1114c644cbb3ff63bf1dd284c8cd716e95be980b86442842e0e0000000000000000000000005b38da6a701c568545dcfcb03fcb875f56beddc4000000000000000000000000ab8483f64d9c6d1ecf9b849ae677dd3315835cb2000000000000000000000000000000000000000000000000000000000000053925a0414867f13ac63d663e84099d52c8215615666ea37c969c69aa58a0fad26a3f6ea01a7160c6274969083b2316eb8ca6011b4bf6b00972159a78bf64d06fa40c1402").into() -} - -fn add_logs_to_bloom(bloom: &mut [u8; 256], logs: &Vec) { - for log in logs { - add_to_bloom(bloom, log.address.as_bytes()); - for topic in &log.topics { - add_to_bloom(bloom, topic.as_bytes()); - } - } -} - -fn add_to_bloom(bloom: &mut [u8; 256], bloom_entry: &[u8]) { - let bloom_hash = keccak(bloom_entry).to_fixed_bytes(); - - for idx in 0..3 { - let bit_pair = u16::from_be_bytes(bloom_hash[2 * idx..2 * (idx + 1)].try_into().unwrap()); - let bit_to_set = 0x07FF - (bit_pair & 0x07FF); - let byte_index = bit_to_set / 8; - let bit_value = 1 << (7 - bit_to_set % 8); - bloom[byte_index as usize] |= bit_value; - } -} diff --git a/evm/tests/log_opcode.rs b/evm/tests/log_opcode.rs deleted file mode 100644 index 37d874cdac..0000000000 --- a/evm/tests/log_opcode.rs +++ /dev/null @@ -1,774 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; -use std::time::Duration; - -use bytes::Bytes; -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::PoseidonGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::fixed_recursive_verifier::AllRecursiveCircuits; -use plonky2_evm::generation::mpt::transaction_testing::{AddressOption, LegacyTransactionRlp}; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp, LogRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = PoseidonGoldilocksConfig; - -/// Variation of `add11_yml` testing LOG opcodes. -#[test] -#[ignore] // Too slow to run on CI. -fn test_log_opcodes() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender = hex!("af1276cbb260bb13deddb4209ae99ae6e497f446"); - // Private key: DCDFF53B4F013DBCDC717F89FE3BF4D8B10512AAE282B48E01D7530470382701 - let to = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_hashed = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - - // For the first code transaction code, we consider two LOG opcodes. The first deals with 0 topics and empty data. The second deals with two topics, and data of length 5, stored in memory. - let code = [ - 0x64, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0x60, 0x0, 0x52, // MSTORE(0x0, 0xA1B2C3D4E5) - 0x60, 0x0, 0x60, 0x0, 0xA0, // LOG0(0x0, 0x0) - 0x60, 99, 0x60, 98, 0x60, 5, 0x60, 27, 0xA2, // LOG2(27, 5, 98, 99) - 0x00, - ]; - println!("contract: {:02x?}", code); - let code_gas = 3 + 3 + 3 // PUSHs and MSTORE - + 3 + 3 + 375 // PUSHs and LOG0 - + 3 + 3 + 3 + 3 + 375 + 375*2 + 8*5 + 3// PUSHs, LOG2 and memory expansion - ; - let gas_used = 21_000 + code_gas; - - let code_hash = keccak(code); - - // Set accounts before the transaction. - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - - let sender_balance_before = 5000000000000000u64; - let sender_account_before = AccountRlp { - balance: sender_balance_before.into(), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - balance: 9000000000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - // Initialize the state trie with three accounts. - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - // We now add two receipts with logs and data. This updates the receipt trie as well. - let log_0 = LogRlp { - address: hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into(), - topics: vec![ - hex!("8a22ee899102a366ac8ad0495127319cb1ff2403cfae855f83a89cda1266674d").into(), - hex!("000000000000000000000000000000000000000000000000000000000000002a").into(), - hex!("0000000000000000000000000000000000000000000000000000000000bd9fe6").into(), - ], - data: hex!("f7af1cc94b1aef2e0fa15f1b4baefa86eb60e78fa4bd082372a0a446d197fb58") - .to_vec() - .into(), - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 0x016e5bu64.into(), - bloom: hex!("00000000000000000000000000000000000000000000000000800000000000000040000000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000080008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000020000000000008000000000000000000000000").to_vec().into(), - logs: vec![log_0], - }; - - // Insert the first receipt into the initial receipt trie. The initial receipts trie has an initial node with a random nibble. - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x1337").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: receipts_trie.clone(), - storage_tries: vec![(to_hashed, Node::Empty.into())], - }; - - // Prove a transaction which carries out two LOG opcodes. - let txn_gas_price = 10; - let txn = hex!("f860800a830186a094095e7baea6a6c7c4c2dfeb977efac326af552d87808026a0c3040cb042c541f9440771879b6bbf3f91464b265431de87eea1ec3206350eb8a046f5f3d06b8816f19f24ee919fd84bfb736db71df10a72fba4495f479e96f678"); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xffffffffu32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: 0.into(), - block_bloom: [0.into(); 8], - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - // Update the state and receipt tries after the transaction, so that we have the correct expected tries: - // Update accounts - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - - let sender_balance_after = sender_balance_before - gas_used * txn_gas_price; - let sender_account_after = AccountRlp { - balance: sender_balance_after.into(), - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = AccountRlp { - balance: 9000000000u64.into(), - code_hash, - ..AccountRlp::default() - }; - - // Update the receipt trie. - let first_log = LogRlp { - address: to.into(), - topics: vec![], - data: Bytes::new(), - }; - - let second_log = LogRlp { - address: to.into(), - topics: vec![ - hex!("0000000000000000000000000000000000000000000000000000000000000062").into(), // dec: 98 - hex!("0000000000000000000000000000000000000000000000000000000000000063").into(), // dec: 99 - ], - data: hex!("a1b2c3d4e5").to_vec().into(), - }; - - let receipt = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used.into(), - bloom: hex!("00000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000004000000000000000000000000000000800000000000000000000000000000000000000000000000000000000000000000000000000400000000000040000000000000000000000000002000000000000000000000000000").to_vec().into(), - logs: vec![first_log, second_log], - }; - - let receipt_nibbles = Nibbles::from_str("0x80").unwrap(); // RLP(0) = 0x80 - - receipts_trie.insert(receipt_nibbles, rlp::encode(&receipt).to_vec()); - - // Update the state trie. - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after.insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used.into(), - - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - // Assert that the proof leads to the correct state and receipt roots. - assert_eq!( - proof.public_values.trie_roots_after.state_root, - expected_state_trie_after.hash() - ); - - assert_eq!( - proof.public_values.trie_roots_after.receipts_root, - receipts_trie.hash() - ); - - verify_proof(&all_stark, proof, &config) -} - -// Tests proving two transactions, one of which with logs, and aggregating them. -#[test] -#[ignore] // Too slow to run on CI. -fn test_log_with_aggreg() -> anyhow::Result<()> { - init_logger(); - - let code = [ - 0x64, 0xA1, 0xB2, 0xC3, 0xD4, 0xE5, 0x60, 0x0, 0x52, // MSTORE(0x0, 0xA1B2C3D4E5) - 0x60, 0x0, 0x60, 0x0, 0xA0, // LOG0(0x0, 0x0) - 0x60, 99, 0x60, 98, 0x60, 5, 0x60, 27, 0xA2, // LOG2(27, 5, 98, 99) - 0x00, - ]; - - let code_gas = 3 + 3 + 3 // PUSHs and MSTORE - + 3 + 3 + 375 // PUSHs and LOG0 - + 3 + 3 + 3 + 3 + 375 + 375*2 + 8*5 // PUSHs and LOG2 - + 3 // Memory expansion - ; - - let gas_used = 21_000 + code_gas; - - let code_hash = keccak(code); - - // First transaction. - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender_first = hex!("af1276cbb260bb13deddb4209ae99ae6e497f446"); - let to_first = hex!("095e7baea6a6c7c4c2dfeb977efac326af552d87"); - let to = hex!("095e7baea6a6c7c4c2dfeb977efac326af552e89"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender_first); - let to_hashed = keccak(to_first); - let to_hashed_2 = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - let to_second_nibbles = Nibbles::from_bytes_be(to_hashed_2.as_bytes()).unwrap(); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_balance_before = 1000000000000000000u64.into(); - let sender_account_before = AccountRlp { - balance: sender_balance_before, - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - ..AccountRlp::default() - }; - let to_account_second_before = AccountRlp { - code_hash, - ..AccountRlp::default() - }; - - // In the first transaction, the sender account sends `txn_value` to `to_account`. - let gas_price = 10; - let txn_value = 0xau64; - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - state_trie_before.insert( - to_second_nibbles, - rlp::encode(&to_account_second_before).to_vec(), - ); - let checkpoint_state_trie_root = state_trie_before.hash(); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![], - }; - - let txn = hex!("f85f800a82520894095e7baea6a6c7c4c2dfeb977efac326af552d870a8026a0122f370ed4023a6c253350c6bfb87d7d7eb2cd86447befee99e0a26b70baec20a07100ab1b3977f2b4571202b9f4b68850858caf5469222794600b5ce1cfb348ad"); - - let block_1_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_gaslimit: 0x445566u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: (22570 + 21000).into(), - block_bloom: [ - 0.into(), - 0.into(), - U256::from_dec_str( - "55213970774324510299479508399853534522527075462195808724319849722937344", - ) - .unwrap(), - U256::from_dec_str("1361129467683753853853498429727072845824").unwrap(), - 33554432.into(), - U256::from_dec_str("9223372036854775808").unwrap(), - U256::from_dec_str( - "3618502788666131106986593281521497120414687020801267626233049500247285563392", - ) - .unwrap(), - U256::from_dec_str("2722259584404615024560450425766186844160").unwrap(), - ], - block_random: Default::default(), - }; - - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - - let sender_balance_after = sender_balance_before - gas_price * 21000 - txn_value; - let sender_account_after = AccountRlp { - balance: sender_balance_after, - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = AccountRlp { - balance: txn_value.into(), - ..AccountRlp::default() - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after.insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after.insert( - to_second_nibbles, - rlp::encode(&to_account_second_before).to_vec(), - ); - - // Compute new receipt trie. - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 21000u64.into(), - bloom: [0x00; 256].to_vec().into(), - logs: vec![], - }; - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - - let mut transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let tries_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.clone().hash(), - }; - - let block_1_hash = - H256::from_str("0x0101010101010101010101010101010101010101010101010101010101010101")?; - let mut block_hashes = vec![H256::default(); 256]; - - let inputs_first = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after: tries_after, - contract_code, - checkpoint_state_trie_root, - block_metadata: block_1_metadata.clone(), - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 21000u64.into(), - block_hashes: BlockHashes { - prev_hashes: block_hashes.clone(), - cur_hash: block_1_hash, - }, - }; - - // Preprocess all circuits. - let all_circuits = AllRecursiveCircuits::::new( - &all_stark, - &[16..17, 12..15, 14..18, 14..15, 9..10, 12..13, 17..20], - &config, - ); - - let mut timing = TimingTree::new("prove root first", log::Level::Info); - let (root_proof_first, public_values_first) = - all_circuits.prove_root(&all_stark, &config, inputs_first, &mut timing, None)?; - - timing.filter(Duration::from_millis(100)).print(); - all_circuits.verify_root(root_proof_first.clone())?; - - // The gas used and transaction number are fed to the next transaction, so the two proofs can be correctly aggregated. - let gas_used_second = public_values_first.extra_block_data.gas_used_after; - - // Prove second transaction. In this second transaction, the code with logs is executed. - - let state_trie_before = expected_state_trie_after; - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: transactions_trie.clone(), - receipts_trie: receipts_trie.clone(), - storage_tries: vec![], - }; - - // Prove a transaction which carries out two LOG opcodes. - let txn_gas_price = 10; - let txn_2 = hex!("f860010a830186a094095e7baea6a6c7c4c2dfeb977efac326af552e89808025a04a223955b0bd3827e3740a9a427d0ea43beb5bafa44a0204bf0a3306c8219f7ba0502c32d78f233e9e7ce9f5df3b576556d5d49731e0678fd5a068cdf359557b5b"); - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - // Update the state and receipt tries after the transaction, so that we have the correct expected tries: - // Update accounts. - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - - let sender_balance_after = sender_balance_after - gas_used * txn_gas_price; - let sender_account_after = AccountRlp { - balance: sender_balance_after, - nonce: 2.into(), - ..AccountRlp::default() - }; - let balance_after = to_account_after.balance; - let to_account_after = AccountRlp { - balance: balance_after, - ..AccountRlp::default() - }; - let to_account_second_after = AccountRlp { - balance: to_account_second_before.balance, - code_hash, - ..AccountRlp::default() - }; - - // Update the receipt trie. - let first_log = LogRlp { - address: to.into(), - topics: vec![], - data: Bytes::new(), - }; - - let second_log = LogRlp { - address: to.into(), - topics: vec![ - hex!("0000000000000000000000000000000000000000000000000000000000000062").into(), // dec: 98 - hex!("0000000000000000000000000000000000000000000000000000000000000063").into(), // dec: 99 - ], - data: hex!("a1b2c3d4e5").to_vec().into(), - }; - - let receipt = LegacyReceiptRlp { - status: true, - cum_gas_used: (22570 + 21000).into(), - bloom: hex!("00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000008000000000000000001000000000000000000000000000000000000000000000000000000000000000000000004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000800000000000000008000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000800002000000000000000000000000000").to_vec().into(), - logs: vec![first_log, second_log], - }; - - let receipt_nibbles = Nibbles::from_str("0x01").unwrap(); // RLP(1) = 0x1 - - receipts_trie.insert(receipt_nibbles, rlp::encode(&receipt).to_vec()); - - // Update the state trie. - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after.insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after.insert( - to_second_nibbles, - rlp::encode(&to_account_second_after).to_vec(), - ); - - transactions_trie.insert(Nibbles::from_str("0x01").unwrap(), txn_2.to_vec()); - - let block_1_state_root = expected_state_trie_after.hash(); - - let trie_roots_after = TrieRoots { - state_root: block_1_state_root, - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let inputs = GenerationInputs { - signed_txn: Some(txn_2.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after: trie_roots_after.clone(), - contract_code, - checkpoint_state_trie_root, - block_metadata: block_1_metadata, - txn_number_before: 1.into(), - gas_used_before: gas_used_second, - gas_used_after: receipt.cum_gas_used, - block_hashes: BlockHashes { - prev_hashes: block_hashes.clone(), - cur_hash: block_1_hash, - }, - }; - - let mut timing = TimingTree::new("prove root second", log::Level::Info); - let (root_proof_second, public_values_second) = - all_circuits.prove_root(&all_stark, &config, inputs, &mut timing, None.clone())?; - timing.filter(Duration::from_millis(100)).print(); - - all_circuits.verify_root(root_proof_second.clone())?; - - let (agg_proof, updated_agg_public_values) = all_circuits.prove_aggregation( - false, - &root_proof_first, - public_values_first, - false, - &root_proof_second, - public_values_second, - )?; - all_circuits.verify_aggregation(&agg_proof)?; - let (first_block_proof, _block_public_values) = - all_circuits.prove_block(None, &agg_proof, updated_agg_public_values)?; - all_circuits.verify_block(&first_block_proof)?; - - // Prove the next, empty block. - - let block_2_hash = - H256::from_str("0x0123456789101112131415161718192021222324252627282930313233343536")?; - block_hashes[255] = block_1_hash; - - let block_2_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 2.into(), - block_difficulty: 0x020000.into(), - block_gaslimit: 0x445566u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - ..Default::default() - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - - let inputs = GenerationInputs { - signed_txn: None, - withdrawals: vec![], - tries: TrieInputs { - state_trie: expected_state_trie_after, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![], - }, - trie_roots_after: TrieRoots { - state_root: trie_roots_after.state_root, - transactions_root: HashedPartialTrie::from(Node::Empty).hash(), - receipts_root: HashedPartialTrie::from(Node::Empty).hash(), - }, - contract_code, - checkpoint_state_trie_root: block_1_state_root, // We use block 1 as new checkpoint. - block_metadata: block_2_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 0.into(), - block_hashes: BlockHashes { - prev_hashes: block_hashes, - cur_hash: block_2_hash, - }, - }; - - let (root_proof, public_values) = - all_circuits.prove_root(&all_stark, &config, inputs, &mut timing, None)?; - all_circuits.verify_root(root_proof.clone())?; - - // We can just duplicate the initial proof as the state didn't change. - let (agg_proof, updated_agg_public_values) = all_circuits.prove_aggregation( - false, - &root_proof, - public_values.clone(), - false, - &root_proof, - public_values, - )?; - all_circuits.verify_aggregation(&agg_proof)?; - - let (second_block_proof, _block_public_values) = all_circuits.prove_block( - None, // We don't specify a previous proof, considering block 1 as the new checkpoint. - &agg_proof, - updated_agg_public_values, - )?; - all_circuits.verify_block(&second_block_proof) -} - -/// Values taken from the block 1000000 of Goerli: https://goerli.etherscan.io/txs?block=1000000 -#[test] -fn test_txn_and_receipt_trie_hash() -> anyhow::Result<()> { - // This test checks that inserting into the transaction and receipt `HashedPartialTrie`s works as expected. - let mut example_txn_trie = HashedPartialTrie::from(Node::Empty); - - // We consider two transactions, with one log each. - let transaction_0 = LegacyTransactionRlp { - nonce: 157823u64.into(), - gas_price: 1000000000u64.into(), - gas: 250000u64.into(), - to: AddressOption(Some(hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into())), - value: 0u64.into(), - data: hex!("e9c6c176000000000000000000000000000000000000000000000000000000000000002a0000000000000000000000000000000000000000000000000000000000bd9fe6f7af1cc94b1aef2e0fa15f1b4baefa86eb60e78fa4bd082372a0a446d197fb58") - .to_vec() - .into(), - v: 0x1c.into(), - r: hex!("d0eeac4841caf7a894dd79e6e633efc2380553cdf8b786d1aa0b8a8dee0266f4").into(), - s: hex!("740710eed9696c663510b7fb71a553112551121595a54ec6d2ec0afcec72a973").into(), - }; - - // Insert the first transaction into the transaction trie. - example_txn_trie.insert( - Nibbles::from_str("0x80").unwrap(), // RLP(0) = 0x80 - rlp::encode(&transaction_0).to_vec(), - ); - - let transaction_1 = LegacyTransactionRlp { - nonce: 157824u64.into(), - gas_price: 1000000000u64.into(), - gas: 250000u64.into(), - to: AddressOption(Some(hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into())), - value: 0u64.into(), - data: hex!("e9c6c176000000000000000000000000000000000000000000000000000000000000000400000000000000000000000000000000000000000000000000000000004920eaa814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .to_vec() - .into(), - v: 0x1b.into(), - r: hex!("a3ff39967683fc684dc7b857d6f62723e78804a14b091a058ad95cc1b8a0281f").into(), - s: hex!("51b156e05f21f499fa1ae47ebf536b15a237208f1d4a62e33956b6b03cf47742").into(), - }; - - // Insert the second transaction into the transaction trie. - example_txn_trie.insert( - Nibbles::from_str("0x01").unwrap(), - rlp::encode(&transaction_1).to_vec(), - ); - - // Receipts: - let mut example_receipt_trie = HashedPartialTrie::from(Node::Empty); - - let log_0 = LogRlp { - address: hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into(), - topics: vec![ - hex!("8a22ee899102a366ac8ad0495127319cb1ff2403cfae855f83a89cda1266674d").into(), - hex!("000000000000000000000000000000000000000000000000000000000000002a").into(), - hex!("0000000000000000000000000000000000000000000000000000000000bd9fe6").into(), - ], - data: hex!("f7af1cc94b1aef2e0fa15f1b4baefa86eb60e78fa4bd082372a0a446d197fb58") - .to_vec() - .into(), - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 0x016e5bu64.into(), - bloom: hex!("00000000000000000000000000000000000000000000000000800000000000000040000000005000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000000000000000000000000000000000000000000000000000000080008000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000020000000000008000000000000000000000000").to_vec().into(), - logs: vec![log_0], - }; - - // Insert the first receipt into the receipt trie. - example_receipt_trie.insert( - Nibbles::from_str("0x80").unwrap(), // RLP(0) is 0x80 - rlp::encode(&receipt_0).to_vec(), - ); - - let log_1 = LogRlp { - address: hex!("7ef66b77759e12Caf3dDB3E4AFF524E577C59D8D").into(), - topics: vec![ - hex!("8a22ee899102a366ac8ad0495127319cb1ff2403cfae855f83a89cda1266674d").into(), - hex!("0000000000000000000000000000000000000000000000000000000000000004").into(), - hex!("00000000000000000000000000000000000000000000000000000000004920ea").into(), - ], - data: hex!("a814f7df6a2203dc0e472e8828be95957c6b329fee8e2b1bb6f044c1eb4fc243") - .to_vec() - .into(), - }; - - let receipt_1 = LegacyReceiptRlp { - status: true, - cum_gas_used: 0x02dcb6u64.into(), - bloom: hex!("00000000000000000000000000000000000000000000000000800000000000000040000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000000000000000000000000008000000000000000000000000000000000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000400000000000000000000000000000002000040000000000000000000000000000000000000000000000008000000000000000000000000000000000000000000000000000000000000008000000000000000000000000").to_vec().into(), - logs: vec![log_1], - }; - - // Insert the second receipt into the receipt trie. - example_receipt_trie.insert( - Nibbles::from_str("0x01").unwrap(), - rlp::encode(&receipt_1).to_vec(), - ); - - // Check that the trie hashes are correct. - assert_eq!( - example_txn_trie.hash(), - hex!("3ab7120d12e1fc07303508542602beb7eecfe8f262b83fd71eefe7d6205242ce").into() - ); - - assert_eq!( - example_receipt_trie.hash(), - hex!("da46cdd329bfedace32da95f2b344d314bc6f55f027d65f9f4ac04ee425e1f98").into() - ); - - Ok(()) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/self_balance_gas_cost.rs b/evm/tests/self_balance_gas_cost.rs deleted file mode 100644 index 538f2aa798..0000000000 --- a/evm/tests/self_balance_gas_cost.rs +++ /dev/null @@ -1,198 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// The `selfBalanceGasCost` test case from https://github.com/ethereum/tests -#[test] -#[ignore] // Too slow to run on CI. -fn self_balance_gas_cost() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("2adc25665018aa1fe0e6bc666dac8fc2697ff9ba"); - let sender = hex!("a94f5374fce5edbc8e2a8697c15331677e6ebf0b"); - let to = hex!("1000000000000000000000000000000000000000"); - - let beneficiary_state_key = keccak(beneficiary); - let sender_state_key = keccak(sender); - let to_hashed = keccak(to); - - let beneficiary_nibbles = Nibbles::from_bytes_be(beneficiary_state_key.as_bytes()).unwrap(); - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_hashed.as_bytes()).unwrap(); - - let code = [ - 0x5a, 0x47, 0x5a, 0x90, 0x50, 0x90, 0x03, 0x60, 0x02, 0x90, 0x03, 0x60, 0x01, 0x55, 0x00, - ]; - let code_gas = 2 // GAS - + 5 // SELFBALANCE - + 2 // GAS - + 3 // SWAP1 - + 2 // POP - + 3 // SWAP1 - + 3 // SUB - + 3 // PUSH1 - + 3 // SWAP1 - + 3 // SUB - + 3 // PUSH1 - + 22100; // SSTORE - let code_hash = keccak(code); - - let beneficiary_account_before = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_before = AccountRlp { - balance: 0x3635c9adc5dea00000u128.into(), - ..AccountRlp::default() - }; - let to_account_before = AccountRlp { - code_hash, - ..AccountRlp::default() - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_before).to_vec(), - ); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: Node::Empty.into(), - receipts_trie: Node::Empty.into(), - storage_tries: vec![(to_hashed, Node::Empty.into())], - }; - - let txn = hex!("f861800a8405f5e10094100000000000000000000000000000000000000080801ba07e09e26678ed4fac08a249ebe8ed680bf9051a5e14ad223e4b2b9d26e0208f37a05f6e3f188e3e6eab7d7d3b6568f5eac7d687b08d307d3154ccd8c87b4630509b"); - - let gas_used = 21_000 + code_gas; - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_difficulty: 0x20000.into(), - block_number: 1.into(), - block_chain_id: 1.into(), - block_timestamp: 0x03e8.into(), - block_gaslimit: 0xff112233u32.into(), - block_gas_used: gas_used.into(), - block_bloom: [0.into(); 8], - block_base_fee: 0xa.into(), - block_random: Default::default(), - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - contract_code.insert(code_hash, code.to_vec()); - - let expected_state_trie_after = { - let beneficiary_account_after = AccountRlp { - nonce: 1.into(), - ..AccountRlp::default() - }; - let sender_account_after = AccountRlp { - balance: sender_account_before.balance - U256::from(gas_used) * U256::from(10), - nonce: 1.into(), - ..AccountRlp::default() - }; - let to_account_after = AccountRlp { - code_hash, - // Storage map: { 1 => 5 } - storage_root: HashedPartialTrie::from(Node::Leaf { - // TODO: Could do keccak(pad32(1)) - nibbles: Nibbles::from_str( - "0xb10e2d527612073b26eecdfd717e6a320cf44b4afac2b0732d9fcbe2b7fa0cf6", - ) - .unwrap(), - value: vec![5], - }) - .hash(), - ..AccountRlp::default() - }; - - let mut expected_state_trie_after = HashedPartialTrie::from(Node::Empty); - expected_state_trie_after.insert( - beneficiary_nibbles, - rlp::encode(&beneficiary_account_after).to_vec(), - ); - expected_state_trie_after - .insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - expected_state_trie_after.insert(to_nibbles, rlp::encode(&to_account_after).to_vec()); - expected_state_trie_after - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: gas_used.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: gas_used.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/selfdestruct.rs b/evm/tests/selfdestruct.rs deleted file mode 100644 index 829e0b21b0..0000000000 --- a/evm/tests/selfdestruct.rs +++ /dev/null @@ -1,155 +0,0 @@ -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// Test a simple selfdestruct. -#[test] -fn test_selfdestruct() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"); - let sender = hex!("5eb96AA102a29fAB267E12A40a5bc6E9aC088759"); - let to = hex!("a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0"); - - let sender_state_key = keccak(sender); - let to_state_key = keccak(to); - - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_state_key.as_bytes()).unwrap(); - - let sender_account_before = AccountRlp { - nonce: 5.into(), - balance: eth_to_wei(100_000.into()), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak([]), - }; - let code = vec![ - 0x32, // ORIGIN - 0xFF, // SELFDESTRUCT - ]; - let to_account_before = AccountRlp { - nonce: 12.into(), - balance: eth_to_wei(10_000.into()), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak(&code), - }; - - let mut state_trie_before = HashedPartialTrie::from(Node::Empty); - state_trie_before.insert(sender_nibbles, rlp::encode(&sender_account_before).to_vec()); - state_trie_before.insert(to_nibbles, rlp::encode(&to_account_before).to_vec()); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: HashedPartialTrie::from(Node::Empty), - receipts_trie: HashedPartialTrie::from(Node::Empty), - storage_tries: vec![], - }; - - // Generated using a little py-evm script. - let txn = hex!("f868050a831e848094a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0880de0b6b3a76400008025a09bab8db7d72e4b42cba8b117883e16872966bae8e4570582de6ed0065e8c36a1a01256d44d982c75e0ab7a19f61ab78afa9e089d51c8686fdfbee085a5ed5d8ff8"); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: 26002.into(), - block_bloom: [0.into(); 8], - }; - - let contract_code = [(keccak(&code), code), (keccak([]), vec![])].into(); - - let expected_state_trie_after: HashedPartialTrie = { - let mut state_trie_after = HashedPartialTrie::from(Node::Empty); - let sender_account_after = AccountRlp { - nonce: 6.into(), - balance: eth_to_wei(110_000.into()) - 26_002 * 0xa, - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak([]), - }; - state_trie_after.insert(sender_nibbles, rlp::encode(&sender_account_after).to_vec()); - state_trie_after - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 26002.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 26002.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn eth_to_wei(eth: U256) -> U256 { - // 1 ether = 10^18 wei. - eth * U256::from(10).pow(18.into()) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/simple_transfer.rs b/evm/tests/simple_transfer.rs deleted file mode 100644 index 5fd252df45..0000000000 --- a/evm/tests/simple_transfer.rs +++ /dev/null @@ -1,171 +0,0 @@ -use std::collections::HashMap; -use std::str::FromStr; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{Address, BigEndianHash, H256, U256}; -use hex_literal::hex; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::KeccakGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::{AccountRlp, LegacyReceiptRlp}; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; - -type F = GoldilocksField; -const D: usize = 2; -type C = KeccakGoldilocksConfig; - -/// Test a simple token transfer to a new address. -#[test] -fn test_simple_transfer() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let beneficiary = hex!("deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"); - let sender = hex!("2c7536e3605d9c16a7a3d7b1898e529396a65c23"); - let to = hex!("a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0"); - - let sender_state_key = keccak(sender); - let to_state_key = keccak(to); - - let sender_nibbles = Nibbles::from_bytes_be(sender_state_key.as_bytes()).unwrap(); - let to_nibbles = Nibbles::from_bytes_be(to_state_key.as_bytes()).unwrap(); - - let sender_account_before = AccountRlp { - nonce: 5.into(), - balance: eth_to_wei(100_000.into()), - storage_root: HashedPartialTrie::from(Node::Empty).hash(), - code_hash: keccak([]), - }; - let to_account_before = AccountRlp::default(); - - let state_trie_before = Node::Leaf { - nibbles: sender_nibbles, - value: rlp::encode(&sender_account_before).to_vec(), - } - .into(); - - let tries_before = TrieInputs { - state_trie: state_trie_before, - transactions_trie: HashedPartialTrie::from(Node::Empty), - receipts_trie: HashedPartialTrie::from(Node::Empty), - storage_tries: vec![], - }; - - // Generated using a little py-evm script. - let txn = hex!("f861050a8255f094a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0648242421ba02c89eb757d9deeb1f5b3859a9d4d679951ef610ac47ad4608dc142beb1b7e313a05af7e9fbab825455d36c36c7f4cfcafbeafa9a77bdff936b52afb36d4fe4bcdd"); - let value = U256::from(100u32); - - let block_metadata = BlockMetadata { - block_beneficiary: Address::from(beneficiary), - block_timestamp: 0x03e8.into(), - block_number: 1.into(), - block_difficulty: 0x020000.into(), - block_random: H256::from_uint(&0x020000.into()), - block_gaslimit: 0xff112233u32.into(), - block_chain_id: 1.into(), - block_base_fee: 0xa.into(), - block_gas_used: 21032.into(), - block_bloom: [0.into(); 8], - }; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - - let expected_state_trie_after: HashedPartialTrie = { - let txdata_gas = 2 * 16; - let gas_used = 21_000 + txdata_gas; - - let sender_account_after = AccountRlp { - balance: sender_account_before.balance - value - gas_used * 10, - nonce: sender_account_before.nonce + 1, - ..sender_account_before - }; - let to_account_after = AccountRlp { - balance: value, - ..to_account_before - }; - - let mut children = core::array::from_fn(|_| Node::Empty.into()); - children[sender_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: sender_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&sender_account_after).to_vec(), - } - .into(); - children[to_nibbles.get_nibble(0) as usize] = Node::Leaf { - nibbles: to_nibbles.truncate_n_nibbles_front(1), - value: rlp::encode(&to_account_after).to_vec(), - } - .into(); - Node::Branch { - children, - value: vec![], - } - .into() - }; - - let receipt_0 = LegacyReceiptRlp { - status: true, - cum_gas_used: 21032.into(), - bloom: vec![0; 256].into(), - logs: vec![], - }; - let mut receipts_trie = HashedPartialTrie::from(Node::Empty); - receipts_trie.insert( - Nibbles::from_str("0x80").unwrap(), - rlp::encode(&receipt_0).to_vec(), - ); - let transactions_trie: HashedPartialTrie = Node::Leaf { - nibbles: Nibbles::from_str("0x80").unwrap(), - value: txn.to_vec(), - } - .into(); - - let trie_roots_after = TrieRoots { - state_root: expected_state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - let inputs = GenerationInputs { - signed_txn: Some(txn.to_vec()), - withdrawals: vec![], - tries: tries_before, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 21032.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn eth_to_wei(eth: U256) -> U256 { - // 1 ether = 10^18 wei. - eth * U256::from(10).pow(18.into()) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/evm/tests/withdrawals.rs b/evm/tests/withdrawals.rs deleted file mode 100644 index ef2d19b02a..0000000000 --- a/evm/tests/withdrawals.rs +++ /dev/null @@ -1,96 +0,0 @@ -use std::collections::HashMap; -use std::time::Duration; - -use env_logger::{try_init_from_env, Env, DEFAULT_FILTER_ENV}; -use eth_trie_utils::nibbles::Nibbles; -use eth_trie_utils::partial_trie::{HashedPartialTrie, PartialTrie}; -use ethereum_types::{H160, H256, U256}; -use keccak_hash::keccak; -use plonky2::field::goldilocks_field::GoldilocksField; -use plonky2::plonk::config::PoseidonGoldilocksConfig; -use plonky2::util::timing::TimingTree; -use plonky2_evm::all_stark::AllStark; -use plonky2_evm::config::StarkConfig; -use plonky2_evm::generation::mpt::AccountRlp; -use plonky2_evm::generation::{GenerationInputs, TrieInputs}; -use plonky2_evm::proof::{BlockHashes, BlockMetadata, TrieRoots}; -use plonky2_evm::prover::prove; -use plonky2_evm::verifier::verify_proof; -use plonky2_evm::Node; -use rand::random; - -type F = GoldilocksField; -const D: usize = 2; -type C = PoseidonGoldilocksConfig; - -/// Execute 0 txns and 1 withdrawal. -#[test] -fn test_withdrawals() -> anyhow::Result<()> { - init_logger(); - - let all_stark = AllStark::::default(); - let config = StarkConfig::standard_fast_config(); - - let block_metadata = BlockMetadata::default(); - - let state_trie_before = HashedPartialTrie::from(Node::Empty); - let transactions_trie = HashedPartialTrie::from(Node::Empty); - let receipts_trie = HashedPartialTrie::from(Node::Empty); - let storage_tries = vec![]; - - let mut contract_code = HashMap::new(); - contract_code.insert(keccak(vec![]), vec![]); - - // Just one withdrawal. - let withdrawals = vec![(H160(random()), U256(random()))]; - - let state_trie_after = { - let mut trie = HashedPartialTrie::from(Node::Empty); - let addr_state_key = keccak(withdrawals[0].0); - let addr_nibbles = Nibbles::from_bytes_be(addr_state_key.as_bytes()).unwrap(); - let account = AccountRlp { - balance: withdrawals[0].1, - ..AccountRlp::default() - }; - trie.insert(addr_nibbles, rlp::encode(&account).to_vec()); - trie - }; - - let trie_roots_after = TrieRoots { - state_root: state_trie_after.hash(), - transactions_root: transactions_trie.hash(), - receipts_root: receipts_trie.hash(), - }; - - let inputs = GenerationInputs { - signed_txn: None, - withdrawals, - tries: TrieInputs { - state_trie: state_trie_before, - transactions_trie, - receipts_trie, - storage_tries, - }, - trie_roots_after, - contract_code, - checkpoint_state_trie_root: HashedPartialTrie::from(Node::Empty).hash(), - block_metadata, - txn_number_before: 0.into(), - gas_used_before: 0.into(), - gas_used_after: 0.into(), - block_hashes: BlockHashes { - prev_hashes: vec![H256::default(); 256], - cur_hash: H256::default(), - }, - }; - - let mut timing = TimingTree::new("prove", log::Level::Debug); - let proof = prove::(&all_stark, &config, inputs, &mut timing, None)?; - timing.filter(Duration::from_millis(100)).print(); - - verify_proof(&all_stark, proof, &config) -} - -fn init_logger() { - let _ = try_init_from_env(Env::default().filter_or(DEFAULT_FILTER_ENV, "info")); -} diff --git a/field/Cargo.toml b/field/Cargo.toml index 94620106f4..01e08a6538 100644 --- a/field/Cargo.toml +++ b/field/Cargo.toml @@ -1,32 +1,36 @@ [package] name = "plonky2_field" description = "Finite field arithmetic" -version = "0.1.1" -license = "MIT OR Apache-2.0" +version = "0.2.0" authors = ["Daniel Lubarov ", "William Borgeaud ", "Jacqueline Nabaglo ", "Hamish Ivey-Law "] -edition = "2021" +edition.workspace = true +license.workspace = true +homepage.workspace = true +repository.workspace = true +keywords.workspace = true +categories.workspace = true [[example]] name = "fft" [dependencies] -anyhow = { version = "1.0.40", default-features = false } -itertools = { version = "0.11.0", default-features = false, features = ["use_alloc"] } -num = { version = "0.4", default-features = false, features = ["alloc", "rand"] } -plonky2_util = { path = "../util", default-features = false } -rand = { version = "0.8.5", default-features = false, features = ["getrandom"] } -serde = { version = "1.0", default-features = false, features = ["alloc", "derive"] } -static_assertions = { version = "1.1.0", default-features = false } -unroll = { version = "0.1.5", default-features = false } +anyhow = { workspace = true } +plonky2_util = { version = "0.2.0", path = "../util", default-features = false } lazy_static = "1.4.0" +itertools = { workspace = true, features = ["use_alloc"] } +num = { workspace = true, features = ["alloc"] } +rand = { workspace = true, features = ["getrandom"] } +serde = { workspace = true, features = ["alloc"] } +static_assertions = { workspace = true } +unroll = { workspace = true } cryptography_cuda ={path="../depends/cryptography_cuda", optional=true} [dev-dependencies] -rand = "*" +rand = { version = "0.8.5", default-features = false, features = ["getrandom"] } [build-dependencies] -plonky2_util = { path = "../util" } -anyhow = { version = "1.0.40", default-features = false } +plonky2_util = { version = "0.2.0", path = "../util", default-features = false } +anyhow = { workspace = true } syn = { version = "1", features = ["full"] } proc-macro2 = "1" quote = "1" @@ -37,6 +41,8 @@ cuda = ["cryptography_cuda/cuda"] precompile = [] no_cuda = ["cryptography_cuda/no_cuda"] + + # Display math equations properly in documentation [package.metadata.docs.rs] rustdoc-args = ["--html-in-header", ".cargo/katex-header.html"] diff --git a/field/src/extension/mod.rs b/field/src/extension/mod.rs index 3586055e3f..bcf8537ec5 100644 --- a/field/src/extension/mod.rs +++ b/field/src/extension/mod.rs @@ -125,9 +125,9 @@ impl FieldExtension<1> for F { } /// Flatten the slice by sending every extension field element to its D-sized canonical representation. -pub fn flatten(l: &[F::Extension]) -> Vec +pub fn flatten(l: &[F::Extension]) -> Vec where - F: Extendable, + F: Field + Extendable, { l.iter() .flat_map(|x| x.to_basefield_array().to_vec()) @@ -135,9 +135,9 @@ where } /// Batch every D-sized chunks into extension field elements. -pub fn unflatten(l: &[F]) -> Vec +pub fn unflatten(l: &[F]) -> Vec where - F: Extendable, + F: Field + Extendable, { debug_assert_eq!(l.len() % D, 0); l.chunks_exact(D) diff --git a/field/src/lib.rs b/field/src/lib.rs index fdb058cc9d..cb543974b1 100644 --- a/field/src/lib.rs +++ b/field/src/lib.rs @@ -1,12 +1,11 @@ #![allow(incomplete_features)] -#![allow(clippy::too_many_arguments)] -#![allow(clippy::type_complexity)] #![allow(clippy::len_without_is_empty)] #![allow(clippy::needless_range_loop)] -#![feature(stdsimd)] +#![deny(rustdoc::broken_intra_doc_links)] +#![deny(missing_debug_implementations)] #![feature(specialization)] -// #![cfg_attr(not(test), no_std)] - +#![cfg_attr(not(test), no_std)] +#![cfg(not(test))] extern crate alloc; pub(crate) mod arch; diff --git a/field/src/polynomial/mod.rs b/field/src/polynomial/mod.rs index 838b4d9528..125c834d98 100644 --- a/field/src/polynomial/mod.rs +++ b/field/src/polynomial/mod.rs @@ -88,9 +88,7 @@ impl PolynomialValues { } pub fn degree(&self) -> usize { - self.degree_plus_one() - .checked_sub(1) - .expect("deg(0) is undefined") + self.degree_plus_one().saturating_sub(1) } pub fn degree_plus_one(&self) -> usize { diff --git a/field/src/types.rs b/field/src/types.rs index 26383c0392..7882f3f278 100644 --- a/field/src/types.rs +++ b/field/src/types.rs @@ -576,7 +576,7 @@ pub trait PrimeField64: PrimeField + Field64 { } /// An iterator over the powers of a certain base element `b`: `b^0, b^1, b^2, ...`. -#[derive(Clone)] +#[derive(Clone, Debug)] pub struct Powers { base: F, current: F, diff --git a/field/src/zero_poly_coset.rs b/field/src/zero_poly_coset.rs index 53b66a75d4..9773552852 100644 --- a/field/src/zero_poly_coset.rs +++ b/field/src/zero_poly_coset.rs @@ -4,6 +4,7 @@ use crate::packed::PackedField; use crate::types::Field; /// Precomputations of the evaluation of `Z_H(X) = X^n - 1` on a coset `gK` with `H <= K`. +#[derive(Debug)] pub struct ZeroPolyOnCoset { /// `n = |H|`. n: F, diff --git a/maybe_rayon/Cargo.toml b/maybe_rayon/Cargo.toml index e436563215..ec1987ed4b 100644 --- a/maybe_rayon/Cargo.toml +++ b/maybe_rayon/Cargo.toml @@ -1,9 +1,13 @@ [package] name = "plonky2_maybe_rayon" description = "Feature-gated wrapper around rayon" -license = "MIT OR Apache-2.0" -version = "0.1.1" -edition = "2021" +version = "0.2.0" +edition.workspace = true +license.workspace = true +homepage.workspace = true +repository.workspace = true +keywords.workspace = true +categories.workspace = true [features] parallel = ["rayon"] diff --git a/maybe_rayon/LICENSE-APACHE b/maybe_rayon/LICENSE-APACHE deleted file mode 100644 index 1e5006dc14..0000000000 --- a/maybe_rayon/LICENSE-APACHE +++ /dev/null @@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - diff --git a/maybe_rayon/LICENSE-MIT b/maybe_rayon/LICENSE-MIT deleted file mode 100644 index 86d690b220..0000000000 --- a/maybe_rayon/LICENSE-MIT +++ /dev/null @@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2022 The Plonky2 Authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/maybe_rayon/src/lib.rs b/maybe_rayon/src/lib.rs index c4bfb2e93b..942898492f 100644 --- a/maybe_rayon/src/lib.rs +++ b/maybe_rayon/src/lib.rs @@ -1,8 +1,7 @@ +#![cfg_attr(not(std), no_std)] + #[cfg(not(feature = "parallel"))] -use core::{ - iter::{FlatMap, IntoIterator, Iterator}, - slice::{Chunks, ChunksExact, ChunksExactMut, ChunksMut}, -}; +extern crate alloc; #[cfg(feature = "parallel")] pub use rayon::{ @@ -17,7 +16,15 @@ use rayon::{ prelude::*, slice::{ Chunks as ParChunks, ChunksExact as ParChunksExact, ChunksExactMut as ParChunksExactMut, - ChunksMut as ParChunksMut, ParallelSlice, ParallelSliceMut, + ChunksMut as ParChunksMut, + }, +}; +#[cfg(not(feature = "parallel"))] +use { + alloc::vec::Vec, + core::{ + iter::{FlatMap, IntoIterator, Iterator}, + slice::{self, Chunks, ChunksExact, ChunksExactMut, ChunksMut}, }, }; @@ -53,7 +60,7 @@ where #[cfg(not(feature = "parallel"))] impl<'data, T: 'data> MaybeParIter<'data> for Vec { type Item = &'data T; - type Iter = std::slice::Iter<'data, T>; + type Iter = slice::Iter<'data, T>; fn par_iter(&'data self) -> Self::Iter { self.iter() @@ -63,7 +70,7 @@ impl<'data, T: 'data> MaybeParIter<'data> for Vec { #[cfg(not(feature = "parallel"))] impl<'data, T: 'data> MaybeParIter<'data> for [T] { type Item = &'data T; - type Iter = std::slice::Iter<'data, T>; + type Iter = slice::Iter<'data, T>; fn par_iter(&'data self) -> Self::Iter { self.iter() @@ -102,7 +109,7 @@ where #[cfg(not(feature = "parallel"))] impl<'data, T: 'data> MaybeParIterMut<'data> for Vec { type Item = &'data mut T; - type Iter = std::slice::IterMut<'data, T>; + type Iter = slice::IterMut<'data, T>; fn par_iter_mut(&'data mut self) -> Self::Iter { self.iter_mut() @@ -112,7 +119,7 @@ impl<'data, T: 'data> MaybeParIterMut<'data> for Vec { #[cfg(not(feature = "parallel"))] impl<'data, T: 'data> MaybeParIterMut<'data> for [T] { type Item = &'data mut T; - type Iter = std::slice::IterMut<'data, T>; + type Iter = slice::IterMut<'data, T>; fn par_iter_mut(&'data mut self) -> Self::Iter { self.iter_mut() diff --git a/plonky2/Cargo.toml b/plonky2/Cargo.toml index d91335ef9e..727082e2d9 100644 --- a/plonky2/Cargo.toml +++ b/plonky2/Cargo.toml @@ -1,45 +1,47 @@ [package] name = "plonky2" description = "Recursive SNARKs based on PLONK and FRI" -version = "0.1.4" -license = "MIT OR Apache-2.0" +version = "0.2.0" authors = ["Daniel Lubarov ", "William Borgeaud ", "Nicholas Ward "] readme = "README.md" -repository = "https://github.com/0xPolygonZero/plonky2" -keywords = ["cryptography", "SNARK", "PLONK", "FRI"] -categories = ["cryptography"] -edition = "2021" +edition.workspace = true +license.workspace = true +homepage.workspace = true +repository.workspace = true +keywords.workspace = true +categories.workspace = true [features] default = ["gate_testing", "parallel", "rand_chacha", "std", "timing", "cryptography_cuda/no_cuda"] gate_testing = [] parallel = ["hashbrown/rayon", "plonky2_maybe_rayon/parallel"] std = ["anyhow/std", "rand/std", "itertools/use_std"] -timing = ["std", "web-time"] +timing = ["std", "dep:web-time"] cuda =["cryptography_cuda/cuda"] no_cuda = ["cryptography_cuda/no_cuda"] batch =[] [dependencies] -ahash = { version = "0.8.3", default-features = false, features = ["compile-time-rng"] } # NOTE: Be sure to keep this version the same as the dependency in `hashbrown`. -anyhow = { version = "1.0.40", default-features = false } -hashbrown = { version = "0.14.0", default-features = false, features = ["ahash", "serde"] } # NOTE: When upgrading, see `ahash` dependency. -itertools = { version = "0.11.0", default-features = false } +ahash = { workspace = true } +anyhow = { workspace = true } +hashbrown = { workspace = true } +itertools = { workspace = true } keccak-hash = { version = "0.8.0", default-features = false } -log = { version = "0.4.14", default-features = false } -plonky2_maybe_rayon = { path = "../maybe_rayon", default-features = false } -num = { version = "0.4", default-features = false, features = ["rand"] } -plonky2_field = { path = "../field", default-features = false } -plonky2_util = { path = "../util", default-features = false } -rand = { version = "0.8.4", default-features = false } +log = { workspace = true } +num = { workspace = true } +rand = { workspace = true } rand_chacha = { version = "0.3.1", optional = true, default-features = false } -serde = { version = "1.0", default-features = false, features = ["derive", "rc"] } -serde_json = "1.0" -static_assertions = { version = "1.1.0", default-features = false } -unroll = { version = "0.1.5", default-features = false } -cryptography_cuda ={path="../depends/cryptography_cuda", optional=true} +serde = { workspace = true, features = ["rc"] } +static_assertions = { workspace = true } +unroll = { workspace = true } web-time = { version = "1.0.0", optional = true } +# Local dependencies +plonky2_field = { version = "0.2.0", path = "../field", default-features = false } +plonky2_maybe_rayon = { version = "0.2.0", path = "../maybe_rayon", default-features = false } +plonky2_util = { version = "0.2.0", path = "../util", default-features = false } +cryptography_cuda ={path="../depends/cryptography_cuda", optional=true} + [target.'cfg(all(target_arch = "wasm32", target_os = "unknown"))'.dependencies] getrandom = { version = "0.2", default-features = false, features = ["js"] } @@ -47,9 +49,10 @@ getrandom = { version = "0.2", default-features = false, features = ["js"] } criterion = { version = "0.5.1", default-features = false } env_logger = { version = "0.9.0", default-features = false } num_cpus = { version = "1.14.0", default-features = false } -rand = { version = "0.8.4", default-features = false, features = ["getrandom"] } +rand = { workspace = true, features = ["getrandom"] } rand_chacha = { version = "0.3.1", default-features = false } serde_cbor = { version = "0.11.2" } +serde_json = { version = "1.0" } structopt = { version = "0.3.26", default-features = false } tynm = { version = "0.1.6", default-features = false } diff --git a/plonky2/LICENSE-APACHE b/plonky2/LICENSE-APACHE deleted file mode 100644 index 1e5006dc14..0000000000 --- a/plonky2/LICENSE-APACHE +++ /dev/null @@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - diff --git a/plonky2/LICENSE-MIT b/plonky2/LICENSE-MIT deleted file mode 100644 index 86d690b220..0000000000 --- a/plonky2/LICENSE-MIT +++ /dev/null @@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2022 The Plonky2 Authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/plonky2/examples/bench_recursion.rs b/plonky2/examples/bench_recursion.rs index 0d6e6afb9c..7bf457d5c3 100644 --- a/plonky2/examples/bench_recursion.rs +++ b/plonky2/examples/bench_recursion.rs @@ -3,9 +3,16 @@ // put it in `src/bin/`, but then we wouldn't have access to // `[dev-dependencies]`. +#[cfg(not(feature = "std"))] +extern crate alloc; + +#[cfg(not(feature = "std"))] +use alloc::sync::Arc; use core::num::ParseIntError; use core::ops::RangeInclusive; use core::str::FromStr; +#[cfg(feature = "std")] +use std::sync::Arc; use anyhow::{anyhow, Context as _, Result}; use log::{info, Level, LevelFilter}; diff --git a/plonky2/examples/range_check.rs b/plonky2/examples/range_check.rs index 20b551b7f4..d9351e1b1c 100644 --- a/plonky2/examples/range_check.rs +++ b/plonky2/examples/range_check.rs @@ -16,6 +16,8 @@ fn main() -> Result<()> { // The secret value. let value = builder.add_virtual_target(); + + // Registered as a public input (even though it's secret) so we can print out the value later. builder.register_public_input(value); let log_max = 6; diff --git a/plonky2/examples/square_root.rs b/plonky2/examples/square_root.rs index 91b7b79053..fb970a67c5 100644 --- a/plonky2/examples/square_root.rs +++ b/plonky2/examples/square_root.rs @@ -66,6 +66,7 @@ impl, const D: usize> SimpleGenerator } } +#[derive(Default)] pub struct CustomGeneratorSerializer, const D: usize> { pub _phantom: PhantomData, } @@ -131,9 +132,7 @@ fn main() -> Result<()> { // Test serialization { let gate_serializer = DefaultGateSerializer; - let generator_serializer = CustomGeneratorSerializer { - _phantom: PhantomData::, - }; + let generator_serializer = CustomGeneratorSerializer::::default(); let data_bytes = data .to_bytes(&gate_serializer, &generator_serializer) diff --git a/plonky2/src/fri/mod.rs b/plonky2/src/fri/mod.rs index 207a2ea82c..3445ada8f4 100644 --- a/plonky2/src/fri/mod.rs +++ b/plonky2/src/fri/mod.rs @@ -3,6 +3,7 @@ //! It provides both a native implementation and an in-circuit version //! of the FRI verifier for recursive proof composition. +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use serde::Serialize; diff --git a/plonky2/src/fri/oracle.rs b/plonky2/src/fri/oracle.rs index 1bc5c8b124..23d48993c3 100644 --- a/plonky2/src/fri/oracle.rs +++ b/plonky2/src/fri/oracle.rs @@ -1,5 +1,5 @@ -use alloc::format; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{format, vec::Vec}; #[cfg(feature = "cuda")] use cryptography_cuda::{ diff --git a/plonky2/src/fri/proof.rs b/plonky2/src/fri/proof.rs index 71b62c7142..6c8145eca0 100644 --- a/plonky2/src/fri/proof.rs +++ b/plonky2/src/fri/proof.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use hashbrown::HashMap; use itertools::izip; @@ -360,6 +360,7 @@ impl, H: Hasher, const D: usize> CompressedFriPr } } +#[derive(Debug)] pub struct FriChallenges, const D: usize> { // Scaling factor to combine polynomials. pub fri_alpha: F::Extension, @@ -373,6 +374,7 @@ pub struct FriChallenges, const D: usize> { pub fri_query_indices: Vec, } +#[derive(Debug)] pub struct FriChallengesTarget { pub fri_alpha: ExtensionTarget, pub fri_betas: Vec>, diff --git a/plonky2/src/fri/prover.rs b/plonky2/src/fri/prover.rs index 378f1daebb..4fb15614eb 100644 --- a/plonky2/src/fri/prover.rs +++ b/plonky2/src/fri/prover.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use plonky2_maybe_rayon::*; diff --git a/plonky2/src/fri/recursive_verifier.rs b/plonky2/src/fri/recursive_verifier.rs index ed1d7311d6..7b8356184c 100644 --- a/plonky2/src/fri/recursive_verifier.rs +++ b/plonky2/src/fri/recursive_verifier.rs @@ -1,5 +1,5 @@ -use alloc::format; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{format, vec::Vec}; use itertools::Itertools; diff --git a/plonky2/src/fri/reduction_strategies.rs b/plonky2/src/fri/reduction_strategies.rs index 6e5752296e..e7f5d799ff 100644 --- a/plonky2/src/fri/reduction_strategies.rs +++ b/plonky2/src/fri/reduction_strategies.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use log::debug; use serde::Serialize; diff --git a/plonky2/src/fri/structure.rs b/plonky2/src/fri/structure.rs index 7d7436d5e5..7a580e50c6 100644 --- a/plonky2/src/fri/structure.rs +++ b/plonky2/src/fri/structure.rs @@ -1,6 +1,7 @@ //! Information about the structure of a FRI instance, in terms of the oracles and polynomials //! involved, and the points they are opened at. +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::ops::Range; @@ -9,6 +10,7 @@ use crate::hash::hash_types::RichField; use crate::iop::ext_target::ExtensionTarget; /// Describes an instance of a FRI-based batch opening. +#[derive(Debug)] pub struct FriInstanceInfo, const D: usize> { /// The oracles involved, not counting oracles created during the commit phase. pub oracles: Vec, @@ -17,6 +19,7 @@ pub struct FriInstanceInfo, const D: usize> { } /// Describes an instance of a FRI-based batch opening. +#[derive(Debug)] pub struct FriInstanceInfoTarget { /// The oracles involved, not counting oracles created during the commit phase. pub oracles: Vec, @@ -24,19 +27,21 @@ pub struct FriInstanceInfoTarget { pub batches: Vec>, } -#[derive(Copy, Clone)] +#[derive(Copy, Clone, Debug)] pub struct FriOracleInfo { pub num_polys: usize, pub blinding: bool, } /// A batch of openings at a particular point. +#[derive(Debug)] pub struct FriBatchInfo, const D: usize> { pub point: F::Extension, pub polynomials: Vec, } /// A batch of openings at a particular point. +#[derive(Debug)] pub struct FriBatchInfoTarget { pub point: ExtensionTarget, pub polynomials: Vec, @@ -65,21 +70,25 @@ impl FriPolynomialInfo { } /// Opened values of each polynomial. +#[derive(Debug)] pub struct FriOpenings, const D: usize> { pub batches: Vec>, } /// Opened values of each polynomial that's opened at a particular point. +#[derive(Debug)] pub struct FriOpeningBatch, const D: usize> { pub values: Vec, } /// Opened values of each polynomial. +#[derive(Debug)] pub struct FriOpeningsTarget { pub batches: Vec>, } /// Opened values of each polynomial that's opened at a particular point. +#[derive(Debug)] pub struct FriOpeningBatchTarget { pub values: Vec>, } diff --git a/plonky2/src/fri/verifier.rs b/plonky2/src/fri/verifier.rs index e061c4a2ff..79ea94b79a 100644 --- a/plonky2/src/fri/verifier.rs +++ b/plonky2/src/fri/verifier.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use anyhow::{ensure, Result}; diff --git a/plonky2/src/gadgets/arithmetic.rs b/plonky2/src/gadgets/arithmetic.rs index 9982628e02..e162f1116f 100644 --- a/plonky2/src/gadgets/arithmetic.rs +++ b/plonky2/src/gadgets/arithmetic.rs @@ -1,6 +1,9 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use core::borrow::Borrow; use crate::field::extension::Extendable; @@ -421,7 +424,7 @@ impl, const D: usize> SimpleGenerator for Equ } /// Represents a base arithmetic operation in the circuit. Used to memoize results. -#[derive(Copy, Clone, Eq, PartialEq, Hash)] +#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)] pub(crate) struct BaseArithmeticOperation { const_0: F, const_1: F, diff --git a/plonky2/src/gadgets/arithmetic_extension.rs b/plonky2/src/gadgets/arithmetic_extension.rs index 3c1deac381..afea71df39 100644 --- a/plonky2/src/gadgets/arithmetic_extension.rs +++ b/plonky2/src/gadgets/arithmetic_extension.rs @@ -1,6 +1,9 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use core::borrow::Borrow; use crate::field::extension::{Extendable, FieldExtension, OEF}; @@ -542,7 +545,7 @@ impl, const D: usize> SimpleGenerator } /// An iterator over the powers of a certain base element `b`: `b^0, b^1, b^2, ...`. -#[derive(Clone)] +#[derive(Clone, Debug)] pub struct PowersTarget { base: ExtensionTarget, current: ExtensionTarget, @@ -581,7 +584,7 @@ impl, const D: usize> CircuitBuilder { } /// Represents an extension arithmetic operation in the circuit. Used to memoize results. -#[derive(Copy, Clone, Eq, PartialEq, Hash)] +#[derive(Copy, Clone, Debug, Eq, PartialEq, Hash)] pub(crate) struct ExtensionArithmeticOperation, const D: usize> { const_0: F, const_1: F, diff --git a/plonky2/src/gadgets/interpolation.rs b/plonky2/src/gadgets/interpolation.rs index d2d42170bc..9a1f2801e7 100644 --- a/plonky2/src/gadgets/interpolation.rs +++ b/plonky2/src/gadgets/interpolation.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec; use plonky2_field::extension::Extendable; @@ -63,6 +64,9 @@ impl, const D: usize> CircuitBuilder { #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::vec::Vec; + use anyhow::Result; use crate::field::extension::FieldExtension; diff --git a/plonky2/src/gadgets/lookup.rs b/plonky2/src/gadgets/lookup.rs index 4ab765ba03..0d9963a84f 100644 --- a/plonky2/src/gadgets/lookup.rs +++ b/plonky2/src/gadgets/lookup.rs @@ -1,5 +1,5 @@ -use alloc::borrow::ToOwned; -use alloc::vec; +#[cfg(not(feature = "std"))] +use alloc::{borrow::ToOwned, vec}; use crate::field::extension::Extendable; use crate::gates::lookup::LookupGate; diff --git a/plonky2/src/gadgets/polynomial.rs b/plonky2/src/gadgets/polynomial.rs index d43d99c2ea..f10f25312a 100644 --- a/plonky2/src/gadgets/polynomial.rs +++ b/plonky2/src/gadgets/polynomial.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use crate::field::extension::Extendable; @@ -39,6 +40,7 @@ impl PolynomialCoeffsExtTarget { } } +#[derive(Debug)] pub struct PolynomialCoeffsExtAlgebraTarget(pub Vec>); impl PolynomialCoeffsExtAlgebraTarget { diff --git a/plonky2/src/gadgets/random_access.rs b/plonky2/src/gadgets/random_access.rs index 85d2c7141c..0d99a3e918 100644 --- a/plonky2/src/gadgets/random_access.rs +++ b/plonky2/src/gadgets/random_access.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use crate::field::extension::Extendable; diff --git a/plonky2/src/gadgets/range_check.rs b/plonky2/src/gadgets/range_check.rs index 41af064aa6..9a66a6a6c6 100644 --- a/plonky2/src/gadgets/range_check.rs +++ b/plonky2/src/gadgets/range_check.rs @@ -1,6 +1,9 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use crate::field::extension::Extendable; use crate::hash::hash_types::RichField; diff --git a/plonky2/src/gadgets/split_base.rs b/plonky2/src/gadgets/split_base.rs index a2c98ac707..1cdec86203 100644 --- a/plonky2/src/gadgets/split_base.rs +++ b/plonky2/src/gadgets/split_base.rs @@ -1,6 +1,5 @@ -use alloc::string::String; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{format, string::String, vec, vec::Vec}; use core::borrow::Borrow; use itertools::Itertools; diff --git a/plonky2/src/gadgets/split_join.rs b/plonky2/src/gadgets/split_join.rs index 6901c8caf2..2f35b94c77 100644 --- a/plonky2/src/gadgets/split_join.rs +++ b/plonky2/src/gadgets/split_join.rs @@ -1,6 +1,9 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use crate::field::extension::Extendable; use crate::gates::base_sum::BaseSumGate; diff --git a/plonky2/src/gates/arithmetic_base.rs b/plonky2/src/gates/arithmetic_base.rs index 064b2d0cf5..29d854b9ae 100644 --- a/plonky2/src/gates/arithmetic_base.rs +++ b/plonky2/src/gates/arithmetic_base.rs @@ -1,6 +1,9 @@ -use alloc::format; -use alloc::string::{String, ToString}; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec::Vec, +}; use crate::field::extension::Extendable; use crate::field::packed::PackedField; @@ -41,16 +44,16 @@ impl ArithmeticGate { config.num_routed_wires / wires_per_op } - pub const fn wire_ith_multiplicand_0(i: usize) -> usize { + pub(crate) const fn wire_ith_multiplicand_0(i: usize) -> usize { 4 * i } - pub const fn wire_ith_multiplicand_1(i: usize) -> usize { + pub(crate) const fn wire_ith_multiplicand_1(i: usize) -> usize { 4 * i + 1 } - pub const fn wire_ith_addend(i: usize) -> usize { + pub(crate) const fn wire_ith_addend(i: usize) -> usize { 4 * i + 2 } - pub const fn wire_ith_output(i: usize) -> usize { + pub(crate) const fn wire_ith_output(i: usize) -> usize { 4 * i + 3 } } diff --git a/plonky2/src/gates/arithmetic_extension.rs b/plonky2/src/gates/arithmetic_extension.rs index 0b193f0d6a..9e1c6819f9 100644 --- a/plonky2/src/gates/arithmetic_extension.rs +++ b/plonky2/src/gates/arithmetic_extension.rs @@ -1,6 +1,9 @@ -use alloc::format; -use alloc::string::{String, ToString}; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec::Vec, +}; use core::ops::Range; use crate::field::extension::{Extendable, FieldExtension}; @@ -37,16 +40,16 @@ impl ArithmeticExtensionGate { config.num_routed_wires / wires_per_op } - pub const fn wires_ith_multiplicand_0(i: usize) -> Range { + pub(crate) const fn wires_ith_multiplicand_0(i: usize) -> Range { 4 * D * i..4 * D * i + D } - pub const fn wires_ith_multiplicand_1(i: usize) -> Range { + pub(crate) const fn wires_ith_multiplicand_1(i: usize) -> Range { 4 * D * i + D..4 * D * i + 2 * D } - pub const fn wires_ith_addend(i: usize) -> Range { + pub(crate) const fn wires_ith_addend(i: usize) -> Range { 4 * D * i + 2 * D..4 * D * i + 3 * D } - pub const fn wires_ith_output(i: usize) -> Range { + pub(crate) const fn wires_ith_output(i: usize) -> Range { 4 * D * i + 3 * D..4 * D * i + 4 * D } } diff --git a/plonky2/src/gates/base_sum.rs b/plonky2/src/gates/base_sum.rs index 4bb254f9f3..fbd40a997b 100644 --- a/plonky2/src/gates/base_sum.rs +++ b/plonky2/src/gates/base_sum.rs @@ -1,6 +1,5 @@ -use alloc::string::String; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{format, string::String, vec, vec::Vec}; use core::ops::Range; use crate::field::extension::Extendable; @@ -41,11 +40,11 @@ impl BaseSumGate { Self::new(num_limbs) } - pub const WIRE_SUM: usize = 0; - pub const START_LIMBS: usize = 1; + pub(crate) const WIRE_SUM: usize = 0; + pub(crate) const START_LIMBS: usize = 1; /// Returns the index of the `i`th limb wire. - pub const fn limbs(&self) -> Range { + pub(crate) const fn limbs(&self) -> Range { Self::START_LIMBS..Self::START_LIMBS + self.num_limbs } } diff --git a/plonky2/src/gates/constant.rs b/plonky2/src/gates/constant.rs index 7a7027393a..b9f7598f00 100644 --- a/plonky2/src/gates/constant.rs +++ b/plonky2/src/gates/constant.rs @@ -1,6 +1,5 @@ -use alloc::string::String; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{format, string::String, vec, vec::Vec}; use serde::{Deserialize, Serialize}; @@ -31,12 +30,12 @@ impl ConstantGate { Self { num_consts } } - pub fn const_input(&self, i: usize) -> usize { + const fn const_input(&self, i: usize) -> usize { debug_assert!(i < self.num_consts); i } - pub fn wire_output(&self, i: usize) -> usize { + const fn wire_output(&self, i: usize) -> usize { debug_assert!(i < self.num_consts); i } diff --git a/plonky2/src/gates/coset_interpolation.rs b/plonky2/src/gates/coset_interpolation.rs index 7789a7ce53..3886342490 100644 --- a/plonky2/src/gates/coset_interpolation.rs +++ b/plonky2/src/gates/coset_interpolation.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::marker::PhantomData; use core::ops::Range; @@ -137,31 +141,31 @@ impl, const D: usize> CosetInterpolationGate self.start_intermediates() } - fn num_intermediates(&self) -> usize { - (self.num_points() - 2) / (self.degree() - 1) + const fn num_intermediates(&self) -> usize { + (self.num_points() - 2) / (self.degree - 1) } /// The wires corresponding to the i'th intermediate evaluation. - fn wires_intermediate_eval(&self, i: usize) -> Range { + const fn wires_intermediate_eval(&self, i: usize) -> Range { debug_assert!(i < self.num_intermediates()); let start = self.start_intermediates() + D * i; start..start + D } /// The wires corresponding to the i'th intermediate product. - fn wires_intermediate_prod(&self, i: usize) -> Range { + const fn wires_intermediate_prod(&self, i: usize) -> Range { debug_assert!(i < self.num_intermediates()); let start = self.start_intermediates() + D * (self.num_intermediates() + i); start..start + D } /// End of wire indices, exclusive. - fn end(&self) -> usize { + const fn end(&self) -> usize { self.start_intermediates() + D * (2 * self.num_intermediates() + 1) } /// Wire indices of the shifted point to evaluate the interpolant at. - fn wires_shifted_evaluation_point(&self) -> Range { + const fn wires_shifted_evaluation_point(&self) -> Range { let start = self.start_intermediates() + D * 2 * self.num_intermediates(); start..start + D } @@ -646,7 +650,7 @@ mod tests { use super::*; use crate::field::goldilocks_field::GoldilocksField; - use crate::field::types::{Field, Sample}; + use crate::field::types::Sample; use crate::gates::gate_testing::{test_eval_fns, test_low_degree}; use crate::hash::hash_types::HashOut; use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; diff --git a/plonky2/src/gates/exponentiation.rs b/plonky2/src/gates/exponentiation.rs index 90d3ad21dd..44e319391b 100644 --- a/plonky2/src/gates/exponentiation.rs +++ b/plonky2/src/gates/exponentiation.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::marker::PhantomData; use crate::field::extension::Extendable; @@ -51,12 +55,12 @@ impl, const D: usize> ExponentiationGate { max_for_routed_wires.min(max_for_wires) } - pub const fn wire_base(&self) -> usize { + pub(crate) const fn wire_base(&self) -> usize { 0 } /// The `i`th bit of the exponent, in little-endian order. - pub fn wire_power_bit(&self, i: usize) -> usize { + pub(crate) const fn wire_power_bit(&self, i: usize) -> usize { debug_assert!(i < self.num_power_bits); 1 + i } @@ -65,7 +69,7 @@ impl, const D: usize> ExponentiationGate { 1 + self.num_power_bits } - pub fn wire_intermediate_value(&self, i: usize) -> usize { + pub(crate) const fn wire_intermediate_value(&self, i: usize) -> usize { debug_assert!(i < self.num_power_bits); 2 + self.num_power_bits + i } diff --git a/plonky2/src/gates/gate.rs b/plonky2/src/gates/gate.rs index d763a59766..468384068f 100644 --- a/plonky2/src/gates/gate.rs +++ b/plonky2/src/gates/gate.rs @@ -1,11 +1,11 @@ -use alloc::string::String; -use alloc::sync::Arc; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{string::String, sync::Arc, vec, vec::Vec}; use core::any::Any; use core::fmt::{Debug, Error, Formatter}; use core::hash::{Hash, Hasher}; use core::ops::Range; +#[cfg(feature = "std")] +use std::sync::Arc; use hashbrown::HashMap; use serde::{Serialize, Serializer}; @@ -308,7 +308,7 @@ pub struct CurrentSlot, const D: usize> { } /// A gate along with any constants used to configure it. -#[derive(Clone)] +#[derive(Clone, Debug)] pub struct GateInstance, const D: usize> { pub gate_ref: GateRef, pub constants: Vec, diff --git a/plonky2/src/gates/gate_testing.rs b/plonky2/src/gates/gate_testing.rs index 9a1f0f4949..c71e96dff7 100644 --- a/plonky2/src/gates/gate_testing.rs +++ b/plonky2/src/gates/gate_testing.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use anyhow::{ensure, Result}; diff --git a/plonky2/src/gates/lookup.rs b/plonky2/src/gates/lookup.rs index 24fa92031a..7e3ceea757 100644 --- a/plonky2/src/gates/lookup.rs +++ b/plonky2/src/gates/lookup.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::usize; use itertools::Itertools; diff --git a/plonky2/src/gates/lookup_table.rs b/plonky2/src/gates/lookup_table.rs index 07e9ef4b01..48929e5bdf 100644 --- a/plonky2/src/gates/lookup_table.rs +++ b/plonky2/src/gates/lookup_table.rs @@ -1,8 +1,14 @@ -use alloc::string::{String, ToString}; -use alloc::sync::Arc; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + sync::Arc, + vec, + vec::Vec, +}; use core::usize; +#[cfg(feature = "std")] +use std::sync::Arc; use itertools::Itertools; use keccak_hash::keccak; diff --git a/plonky2/src/gates/multiplication_extension.rs b/plonky2/src/gates/multiplication_extension.rs index 0ba2b38367..9cc171c016 100644 --- a/plonky2/src/gates/multiplication_extension.rs +++ b/plonky2/src/gates/multiplication_extension.rs @@ -1,6 +1,9 @@ -use alloc::format; -use alloc::string::{String, ToString}; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec::Vec, +}; use core::ops::Range; use crate::field::extension::{Extendable, FieldExtension}; @@ -37,13 +40,13 @@ impl MulExtensionGate { config.num_routed_wires / wires_per_op } - pub const fn wires_ith_multiplicand_0(i: usize) -> Range { + pub(crate) const fn wires_ith_multiplicand_0(i: usize) -> Range { 3 * D * i..3 * D * i + D } - pub const fn wires_ith_multiplicand_1(i: usize) -> Range { + pub(crate) const fn wires_ith_multiplicand_1(i: usize) -> Range { 3 * D * i + D..3 * D * i + 2 * D } - pub const fn wires_ith_output(i: usize) -> Range { + pub(crate) const fn wires_ith_output(i: usize) -> Range { 3 * D * i + 2 * D..3 * D * i + 3 * D } } diff --git a/plonky2/src/gates/noop.rs b/plonky2/src/gates/noop.rs index f212369c30..fb07c11952 100644 --- a/plonky2/src/gates/noop.rs +++ b/plonky2/src/gates/noop.rs @@ -1,5 +1,5 @@ -use alloc::string::String; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{string::String, vec::Vec}; use crate::field::extension::Extendable; use crate::gates::gate::Gate; @@ -12,6 +12,7 @@ use crate::plonk::vars::{EvaluationTargets, EvaluationVars, EvaluationVarsBaseBa use crate::util::serialization::{Buffer, IoResult}; /// A gate which does nothing. +#[derive(Debug)] pub struct NoopGate; impl, const D: usize> Gate for NoopGate { diff --git a/plonky2/src/gates/packed_util.rs b/plonky2/src/gates/packed_util.rs index 361eb3a24b..32f1c37a7f 100644 --- a/plonky2/src/gates/packed_util.rs +++ b/plonky2/src/gates/packed_util.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use crate::field::extension::Extendable; use crate::field::packable::Packable; diff --git a/plonky2/src/gates/poseidon.rs b/plonky2/src/gates/poseidon.rs index 266d082ed9..67f5646bb6 100644 --- a/plonky2/src/gates/poseidon.rs +++ b/plonky2/src/gates/poseidon.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::marker::PhantomData; use crate::field::extension::Extendable; @@ -35,23 +39,23 @@ impl, const D: usize> PoseidonGate { } /// The wire index for the `i`th input to the permutation. - pub const fn wire_input(i: usize) -> usize { + pub(crate) const fn wire_input(i: usize) -> usize { i } /// The wire index for the `i`th output to the permutation. - pub const fn wire_output(i: usize) -> usize { + pub(crate) const fn wire_output(i: usize) -> usize { SPONGE_WIDTH + i } /// If this is set to 1, the first four inputs will be swapped with the next four inputs. This /// is useful for ordering hashes in Merkle proofs. Otherwise, this should be set to 0. - pub const WIRE_SWAP: usize = 2 * SPONGE_WIDTH; + pub(crate) const WIRE_SWAP: usize = 2 * SPONGE_WIDTH; const START_DELTA: usize = 2 * SPONGE_WIDTH + 1; /// A wire which stores `swap * (input[i + 4] - input[i])`; used to compute the swapped inputs. - fn wire_delta(i: usize) -> usize { + const fn wire_delta(i: usize) -> usize { assert!(i < 4); Self::START_DELTA + i } @@ -60,7 +64,7 @@ impl, const D: usize> PoseidonGate { /// A wire which stores the input of the `i`-th S-box of the `round`-th round of the first set /// of full rounds. - fn wire_full_sbox_0(round: usize, i: usize) -> usize { + const fn wire_full_sbox_0(round: usize, i: usize) -> usize { debug_assert!( round != 0, "First round S-box inputs are not stored as wires" @@ -74,7 +78,7 @@ impl, const D: usize> PoseidonGate { Self::START_FULL_0 + SPONGE_WIDTH * (poseidon::HALF_N_FULL_ROUNDS - 1); /// A wire which stores the input of the S-box of the `round`-th round of the partial rounds. - fn wire_partial_sbox(round: usize) -> usize { + const fn wire_partial_sbox(round: usize) -> usize { debug_assert!(round < poseidon::N_PARTIAL_ROUNDS); Self::START_PARTIAL + round } @@ -83,7 +87,7 @@ impl, const D: usize> PoseidonGate { /// A wire which stores the input of the `i`-th S-box of the `round`-th round of the second set /// of full rounds. - fn wire_full_sbox_1(round: usize, i: usize) -> usize { + const fn wire_full_sbox_1(round: usize, i: usize) -> usize { debug_assert!(round < poseidon::HALF_N_FULL_ROUNDS); debug_assert!(i < SPONGE_WIDTH); Self::START_FULL_1 + SPONGE_WIDTH * round + i @@ -832,16 +836,12 @@ impl + Poseidon, const D: usize> SimpleGenerator + Poseidon, const D: usize> PoseidonMdsGate Range { + pub(crate) const fn wires_input(i: usize) -> Range { assert!(i < SPONGE_WIDTH); i * D..(i + 1) * D } - pub fn wires_output(i: usize) -> Range { + pub(crate) const fn wires_output(i: usize) -> Range { assert!(i < SPONGE_WIDTH); (SPONGE_WIDTH + i) * D..(SPONGE_WIDTH + i + 1) * D } diff --git a/plonky2/src/gates/public_input.rs b/plonky2/src/gates/public_input.rs index 5bad2b82dd..d8cf45882d 100644 --- a/plonky2/src/gates/public_input.rs +++ b/plonky2/src/gates/public_input.rs @@ -1,5 +1,5 @@ -use alloc::string::String; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{string::String, vec::Vec}; use core::ops::Range; use crate::field::extension::Extendable; @@ -19,10 +19,11 @@ use crate::plonk::vars::{ use crate::util::serialization::{Buffer, IoResult}; /// A gate whose first four wires will be equal to a hash of public inputs. +#[derive(Debug)] pub struct PublicInputGate; impl PublicInputGate { - pub const fn wires_public_inputs_hash() -> Range { + pub(crate) const fn wires_public_inputs_hash() -> Range { 0..4 } } diff --git a/plonky2/src/gates/random_access.rs b/plonky2/src/gates/random_access.rs index 41675b4c91..b05ca41c6c 100644 --- a/plonky2/src/gates/random_access.rs +++ b/plonky2/src/gates/random_access.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::marker::PhantomData; use itertools::Itertools; @@ -76,19 +80,19 @@ impl, const D: usize> RandomAccessGate { } /// For each copy, a wire containing the claimed index of the element. - pub fn wire_access_index(&self, copy: usize) -> usize { + pub(crate) const fn wire_access_index(&self, copy: usize) -> usize { debug_assert!(copy < self.num_copies); (2 + self.vec_size()) * copy } /// For each copy, a wire containing the element claimed to be at the index. - pub fn wire_claimed_element(&self, copy: usize) -> usize { + pub(crate) const fn wire_claimed_element(&self, copy: usize) -> usize { debug_assert!(copy < self.num_copies); (2 + self.vec_size()) * copy + 1 } /// For each copy, wires containing the entire list. - pub fn wire_list_item(&self, i: usize, copy: usize) -> usize { + pub(crate) const fn wire_list_item(&self, i: usize, copy: usize) -> usize { debug_assert!(i < self.vec_size()); debug_assert!(copy < self.num_copies); (2 + self.vec_size()) * copy + 2 + i @@ -98,7 +102,7 @@ impl, const D: usize> RandomAccessGate { (2 + self.vec_size()) * self.num_copies } - fn wire_extra_constant(&self, i: usize) -> usize { + const fn wire_extra_constant(&self, i: usize) -> usize { debug_assert!(i < self.num_extra_constants); self.start_extra_constants() + i } @@ -110,7 +114,7 @@ impl, const D: usize> RandomAccessGate { /// An intermediate wire where the prover gives the (purported) binary decomposition of the /// index. - pub fn wire_bit(&self, i: usize, copy: usize) -> usize { + pub(crate) const fn wire_bit(&self, i: usize, copy: usize) -> usize { debug_assert!(i < self.bits); debug_assert!(copy < self.num_copies); self.num_routed_wires() + copy * self.bits + i diff --git a/plonky2/src/gates/reducing.rs b/plonky2/src/gates/reducing.rs index dfbd1f54ea..0f45e47892 100644 --- a/plonky2/src/gates/reducing.rs +++ b/plonky2/src/gates/reducing.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::ops::Range; use crate::field::extension::{Extendable, FieldExtension}; @@ -31,17 +35,17 @@ impl ReducingGate { (num_routed_wires - 3 * D).min((num_wires - 2 * D) / (D + 1)) } - pub const fn wires_output() -> Range { + pub(crate) const fn wires_output() -> Range { 0..D } - pub const fn wires_alpha() -> Range { + pub(crate) const fn wires_alpha() -> Range { D..2 * D } - pub const fn wires_old_acc() -> Range { + pub(crate) const fn wires_old_acc() -> Range { 2 * D..3 * D } const START_COEFFS: usize = 3 * D; - pub const fn wires_coeffs(&self) -> Range { + pub(crate) const fn wires_coeffs(&self) -> Range { Self::START_COEFFS..Self::START_COEFFS + self.num_coeffs } const fn start_accs(&self) -> usize { diff --git a/plonky2/src/gates/reducing_extension.rs b/plonky2/src/gates/reducing_extension.rs index a9e3c8e78c..f5de67d0db 100644 --- a/plonky2/src/gates/reducing_extension.rs +++ b/plonky2/src/gates/reducing_extension.rs @@ -1,6 +1,10 @@ -use alloc::string::{String, ToString}; -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{ + format, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::ops::Range; use crate::field::extension::{Extendable, FieldExtension}; @@ -33,23 +37,23 @@ impl ReducingExtensionGate { ((num_routed_wires - 3 * D) / D).min((num_wires - 2 * D) / (D * 2)) } - pub const fn wires_output() -> Range { + pub(crate) const fn wires_output() -> Range { 0..D } - pub const fn wires_alpha() -> Range { + pub(crate) const fn wires_alpha() -> Range { D..2 * D } - pub const fn wires_old_acc() -> Range { + pub(crate) const fn wires_old_acc() -> Range { 2 * D..3 * D } const START_COEFFS: usize = 3 * D; - pub const fn wires_coeff(i: usize) -> Range { + pub(crate) const fn wires_coeff(i: usize) -> Range { Self::START_COEFFS + i * D..Self::START_COEFFS + (i + 1) * D } const fn start_accs(&self) -> usize { Self::START_COEFFS + self.num_coeffs * D } - fn wires_accs(&self, i: usize) -> Range { + const fn wires_accs(&self, i: usize) -> Range { debug_assert!(i < self.num_coeffs); if i == self.num_coeffs - 1 { // The last accumulator is the output. diff --git a/plonky2/src/gates/selectors.rs b/plonky2/src/gates/selectors.rs index cbb612b6ca..8fbc54a792 100644 --- a/plonky2/src/gates/selectors.rs +++ b/plonky2/src/gates/selectors.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::ops::Range; use serde::Serialize; diff --git a/plonky2/src/gates/util.rs b/plonky2/src/gates/util.rs index 88d77471ee..bd5c0fee9c 100644 --- a/plonky2/src/gates/util.rs +++ b/plonky2/src/gates/util.rs @@ -6,6 +6,7 @@ use crate::field::packed::PackedField; /// Permits us to abstract the underlying memory layout. In particular, we can make a matrix of /// constraints where every column is an evaluation point and every row is a constraint index, with /// the matrix stored in row-contiguous form. +#[derive(Debug)] pub struct StridedConstraintConsumer<'a, P: PackedField> { // This is a particularly neat way of doing this, more so than a slice. We increase start by // stride at every step and terminate when it equals end. diff --git a/plonky2/src/hash/hash_types.rs b/plonky2/src/hash/hash_types.rs index edd473c507..992f36197e 100644 --- a/plonky2/src/hash/hash_types.rs +++ b/plonky2/src/hash/hash_types.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use anyhow::ensure; diff --git a/plonky2/src/hash/hashing.rs b/plonky2/src/hash/hashing.rs index be4e487c64..c80bb625f8 100644 --- a/plonky2/src/hash/hashing.rs +++ b/plonky2/src/hash/hashing.rs @@ -1,7 +1,8 @@ //! Concrete instantiation of a hash function. - +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::fmt::Debug; +use std::iter::repeat; use crate::field::extension::Extendable; use crate::field::types::Field; @@ -9,7 +10,6 @@ use crate::hash::hash_types::{HashOut, HashOutTarget, RichField, NUM_HASH_OUT_EL use crate::iop::target::Target; use crate::plonk::circuit_builder::CircuitBuilder; use crate::plonk::config::AlgebraicHasher; -use std::iter::repeat; pub(crate) const SPONGE_RATE: usize = 8; pub(crate) const SPONGE_CAPACITY: usize = 4; diff --git a/plonky2/src/hash/keccak.rs b/plonky2/src/hash/keccak.rs index d67fb4bc76..63bdc7e0e4 100644 --- a/plonky2/src/hash/keccak.rs +++ b/plonky2/src/hash/keccak.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::mem::size_of; use itertools::Itertools; diff --git a/plonky2/src/hash/merkle_proofs.rs b/plonky2/src/hash/merkle_proofs.rs index c848f66ed0..d773b11aaa 100644 --- a/plonky2/src/hash/merkle_proofs.rs +++ b/plonky2/src/hash/merkle_proofs.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use anyhow::{ensure, Result}; use itertools::Itertools; @@ -171,7 +171,6 @@ impl, const D: usize> CircuitBuilder { #[cfg(test)] mod tests { - use anyhow::Result; use rand::rngs::OsRng; use rand::Rng; @@ -179,7 +178,6 @@ mod tests { use crate::field::types::Field; use crate::hash::merkle_tree::MerkleTree; use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; use crate::plonk::circuit_data::CircuitConfig; use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; use crate::plonk::verifier::verify; diff --git a/plonky2/src/hash/merkle_tree.rs b/plonky2/src/hash/merkle_tree.rs index ab7e39589f..10962727c6 100644 --- a/plonky2/src/hash/merkle_tree.rs +++ b/plonky2/src/hash/merkle_tree.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::mem::MaybeUninit; use core::slice; diff --git a/plonky2/src/hash/path_compression.rs b/plonky2/src/hash/path_compression.rs index d4f7d5eb39..517576bf04 100644 --- a/plonky2/src/hash/path_compression.rs +++ b/plonky2/src/hash/path_compression.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use hashbrown::HashMap; use num::Integer; @@ -148,12 +148,15 @@ mod tests { assert_eq!(proofs, decompressed_proofs); - let compressed_proof_bytes = serde_cbor::to_vec(&compressed_proofs).unwrap(); - println!( - "Compressed proof length: {} bytes", - compressed_proof_bytes.len() - ); - let proof_bytes = serde_cbor::to_vec(&proofs).unwrap(); - println!("Proof length: {} bytes", proof_bytes.len()); + #[cfg(feature = "std")] + { + let compressed_proof_bytes = serde_cbor::to_vec(&compressed_proofs).unwrap(); + println!( + "Compressed proof length: {} bytes", + compressed_proof_bytes.len() + ); + let proof_bytes = serde_cbor::to_vec(&proofs).unwrap(); + println!("Proof length: {} bytes", proof_bytes.len()); + } } } diff --git a/plonky2/src/hash/poseidon.rs b/plonky2/src/hash/poseidon.rs index 92977856d4..8bd47b9bd0 100644 --- a/plonky2/src/hash/poseidon.rs +++ b/plonky2/src/hash/poseidon.rs @@ -1,10 +1,11 @@ //! Implementation of the Poseidon hash function, as described in //! -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::fmt::Debug; +use plonky2_field::packed::PackedField; use unroll::unroll_for_loops; use crate::field::extension::{Extendable, FieldExtension}; @@ -162,8 +163,9 @@ pub trait Poseidon: PrimeField64 { // times number of rounds. const N_ROUND_CONSTANTS: usize = SPONGE_WIDTH * N_ROUNDS; - // The MDS matrix we use is C + D, where C is the circulant matrix whose first row is given by - // `MDS_MATRIX_CIRC`, and D is the diagonal matrix whose diagonal is given by `MDS_MATRIX_DIAG`. + // The MDS matrix we use is C + D, where C is the circulant matrix whose first + // row is given by `MDS_MATRIX_CIRC`, and D is the diagonal matrix whose + // diagonal is given by `MDS_MATRIX_DIAG`. const MDS_MATRIX_CIRC: [u64; SPONGE_WIDTH]; const MDS_MATRIX_DIAG: [u64; SPONGE_WIDTH]; @@ -215,6 +217,33 @@ pub trait Poseidon: PrimeField64 { res } + /// Same as `mds_row_shf` for `PackedField`. + fn mds_row_shf_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + r: usize, + v: &[P; SPONGE_WIDTH], + ) -> P + where + FE: FieldExtension, + P: PackedField, + { + debug_assert!(r < SPONGE_WIDTH); + let mut res = P::ZEROS; + + for i in 0..SPONGE_WIDTH { + res += + v[(i + r) % SPONGE_WIDTH] * P::Scalar::from_canonical_u64(Self::MDS_MATRIX_CIRC[i]); + } + res += v[r] * P::Scalar::from_canonical_u64(Self::MDS_MATRIX_DIAG[r]); + + res + } + /// Recursive version of `mds_row_shf`. fn mds_row_shf_circuit( builder: &mut CircuitBuilder, @@ -275,6 +304,29 @@ pub trait Poseidon: PrimeField64 { result } + /// Same as `mds_layer` for `PackedField`. + fn mds_layer_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + state: &[P; SPONGE_WIDTH], + ) -> [P; SPONGE_WIDTH] + where + FE: FieldExtension, + P: PackedField, + { + let mut result = [P::ZEROS; SPONGE_WIDTH]; + + for r in 0..SPONGE_WIDTH { + result[r] = Self::mds_row_shf_packed_field(r, state); + } + + result + } + /// Recursive version of `mds_layer`. fn mds_layer_circuit( builder: &mut CircuitBuilder, @@ -322,6 +374,29 @@ pub trait Poseidon: PrimeField64 { } } + /// Same as `partial_first_constant_layer` for `PackedField`. + #[inline(always)] + #[unroll_for_loops] + fn partial_first_constant_layer_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + state: &mut [P; SPONGE_WIDTH], + ) where + FE: FieldExtension, + P: PackedField, + { + for i in 0..12 { + if i < SPONGE_WIDTH { + state[i] += + P::Scalar::from_canonical_u64(Self::FAST_PARTIAL_FIRST_ROUND_CONSTANT[i]); + } + } + } + /// Recursive version of `partial_first_constant_layer`. fn partial_first_constant_layer_circuit( builder: &mut CircuitBuilder, @@ -367,6 +442,46 @@ pub trait Poseidon: PrimeField64 { result } + /// Same as `mds_partial_layer_init` for `PackedField`. + #[inline(always)] + #[unroll_for_loops] + fn mds_partial_layer_init_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + state: &[P; SPONGE_WIDTH], + ) -> [P; SPONGE_WIDTH] + where + FE: FieldExtension, + P: PackedField, + { + let mut result = [P::ZEROS; SPONGE_WIDTH]; + + // Initial matrix has first row/column = [1, 0, ..., 0]; + + // c = 0 + result[0] = state[0]; + + for r in 1..12 { + if r < SPONGE_WIDTH { + for c in 1..12 { + if c < SPONGE_WIDTH { + // NB: FAST_PARTIAL_ROUND_INITIAL_MATRIX is stored in + // row-major order so that this dot product is cache + // friendly. + let t = P::Scalar::from_canonical_u64( + Self::FAST_PARTIAL_ROUND_INITIAL_MATRIX[r - 1][c - 1], + ); + result[c] += state[r] * t; + } + } + } + } + result + } /// Recursive version of `mds_partial_layer_init`. fn mds_partial_layer_init_circuit( builder: &mut CircuitBuilder, @@ -451,6 +566,39 @@ pub trait Poseidon: PrimeField64 { result } + /// Same as `mds_partial_layer_fast` for `PackedField. + fn mds_partial_layer_fast_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + state: &[P; SPONGE_WIDTH], + r: usize, + ) -> [P; SPONGE_WIDTH] + where + FE: FieldExtension, + P: PackedField, + { + let s0 = state[0]; + let mds0to0 = Self::MDS_MATRIX_CIRC[0] + Self::MDS_MATRIX_DIAG[0]; + let mut d = s0 * P::Scalar::from_canonical_u64(mds0to0); + for i in 1..SPONGE_WIDTH { + let t = P::Scalar::from_canonical_u64(Self::FAST_PARTIAL_ROUND_W_HATS[r][i - 1]); + d += state[i] * t; + } + + // result = [d] concat [state[0] * v + state[shift up by 1]] + let mut result = [P::ZEROS; SPONGE_WIDTH]; + result[0] = d; + for i in 1..SPONGE_WIDTH { + let t = P::Scalar::from_canonical_u64(Self::FAST_PARTIAL_ROUND_VS[r][i - 1]); + result[i] = state[0] * t + state[i]; + } + result + } + /// Recursive version of `mds_partial_layer_fast`. fn mds_partial_layer_fast_circuit( builder: &mut CircuitBuilder, @@ -504,6 +652,26 @@ pub trait Poseidon: PrimeField64 { } } + /// Same as `constant_layer` for PackedFields. + fn constant_layer_packed_field< + F: RichField + Extendable, + const D: usize, + FE, + P, + const D2: usize, + >( + state: &mut [P; SPONGE_WIDTH], + round_ctr: usize, + ) where + FE: FieldExtension, + P: PackedField, + { + for i in 0..SPONGE_WIDTH { + state[i] += + P::Scalar::from_canonical_u64(ALL_ROUND_CONSTANTS[i + SPONGE_WIDTH * round_ctr]); + } + } + /// Recursive version of `constant_layer`. fn constant_layer_circuit( builder: &mut CircuitBuilder, @@ -769,10 +937,9 @@ impl AlgebraicHasher for PoseidonHash { #[cfg(test)] pub(crate) mod test_helpers { - use crate::field::types::Field; - use crate::hash::poseidon::{Poseidon, SPONGE_WIDTH}; + use super::*; - pub(crate) fn check_test_vectors( + pub(crate) fn check_test_vectors( test_vectors: Vec<([u64; SPONGE_WIDTH], [u64; SPONGE_WIDTH])>, ) where F: Poseidon, @@ -790,7 +957,7 @@ pub(crate) mod test_helpers { } } - pub(crate) fn check_consistency() + pub(crate) fn check_consistency() where F: Poseidon, { diff --git a/plonky2/src/hash/poseidon_goldilocks.rs b/plonky2/src/hash/poseidon_goldilocks.rs index 1fd5af1354..12d061265e 100644 --- a/plonky2/src/hash/poseidon_goldilocks.rs +++ b/plonky2/src/hash/poseidon_goldilocks.rs @@ -444,6 +444,9 @@ mod poseidon12_mds { #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::{vec, vec::Vec}; + use crate::field::goldilocks_field::GoldilocksField as F; use crate::field::types::{Field, PrimeField64}; use crate::hash::poseidon::test_helpers::{check_consistency, check_test_vectors}; diff --git a/plonky2/src/iop/challenger.rs b/plonky2/src/iop/challenger.rs index d5de2831a3..57660fd487 100644 --- a/plonky2/src/iop/challenger.rs +++ b/plonky2/src/iop/challenger.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::marker::PhantomData; use crate::field::extension::{Extendable, FieldExtension}; @@ -12,7 +12,7 @@ use crate::plonk::circuit_builder::CircuitBuilder; use crate::plonk::config::{AlgebraicHasher, GenericHashOut, Hasher}; /// Observes prover messages, and generates challenges by hashing the transcript, a la Fiat-Shamir. -#[derive(Clone)] +#[derive(Clone, Debug)] pub struct Challenger> { pub(crate) sponge_state: H::Permutation, pub(crate) input_buffer: Vec, @@ -161,6 +161,7 @@ impl> Default for Challenger { /// A recursive version of `Challenger`. The main difference is that `RecursiveChallenger`'s input /// buffer can grow beyond `H::Permutation::RATE`. This is so that `observe_element` etc do not need access /// to the `CircuitBuilder`. +#[derive(Debug)] pub struct RecursiveChallenger, H: AlgebraicHasher, const D: usize> { sponge_state: H::AlgebraicPermutation, @@ -293,6 +294,9 @@ impl, H: AlgebraicHasher, const D: usize> #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::vec::Vec; + use crate::field::types::Sample; use crate::iop::challenger::{Challenger, RecursiveChallenger}; use crate::iop::generator::generate_partial_witness; diff --git a/plonky2/src/iop/ext_target.rs b/plonky2/src/iop/ext_target.rs index c64d96e872..cc90355732 100644 --- a/plonky2/src/iop/ext_target.rs +++ b/plonky2/src/iop/ext_target.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::ops::Range; diff --git a/plonky2/src/iop/generator.rs b/plonky2/src/iop/generator.rs index 1704b34795..6cdd75dcf6 100644 --- a/plonky2/src/iop/generator.rs +++ b/plonky2/src/iop/generator.rs @@ -1,7 +1,10 @@ -use alloc::boxed::Box; -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + boxed::Box, + string::{String, ToString}, + vec, + vec::Vec, +}; use core::fmt::Debug; use core::marker::PhantomData; diff --git a/plonky2/src/iop/target.rs b/plonky2/src/iop/target.rs index 705941e023..f70d4c3dc2 100644 --- a/plonky2/src/iop/target.rs +++ b/plonky2/src/iop/target.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::ops::Range; diff --git a/plonky2/src/iop/wire.rs b/plonky2/src/iop/wire.rs index 435479ce7b..cfa69755d5 100644 --- a/plonky2/src/iop/wire.rs +++ b/plonky2/src/iop/wire.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::ops::Range; diff --git a/plonky2/src/iop/witness.rs b/plonky2/src/iop/witness.rs index cf74be512c..85af6ca41b 100644 --- a/plonky2/src/iop/witness.rs +++ b/plonky2/src/iop/witness.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use hashbrown::HashMap; use itertools::{zip_eq, Itertools}; @@ -14,7 +14,7 @@ use crate::iop::ext_target::ExtensionTarget; use crate::iop::target::{BoolTarget, Target}; use crate::iop::wire::Wire; use crate::plonk::circuit_data::{VerifierCircuitTarget, VerifierOnlyCircuitData}; -use crate::plonk::config::{AlgebraicHasher, GenericConfig, Hasher}; +use crate::plonk::config::{AlgebraicHasher, GenericConfig}; use crate::plonk::proof::{Proof, ProofTarget, ProofWithPublicInputs, ProofWithPublicInputsTarget}; pub trait WitnessWrite { @@ -222,7 +222,7 @@ pub trait Witness: WitnessWrite { } } - fn get_merkle_cap_target>(&self, cap_target: MerkleCapTarget) -> MerkleCap + fn get_merkle_cap_target(&self, cap_target: MerkleCapTarget) -> MerkleCap where F: RichField, H: AlgebraicHasher, diff --git a/plonky2/src/lib.rs b/plonky2/src/lib.rs index 44bc2cf638..3bc266a9f5 100644 --- a/plonky2/src/lib.rs +++ b/plonky2/src/lib.rs @@ -1,7 +1,10 @@ #![allow(clippy::too_many_arguments)] #![allow(clippy::needless_range_loop)] +#![deny(rustdoc::broken_intra_doc_links)] +#![deny(missing_debug_implementations)] #![cfg_attr(not(feature = "std"), no_std)] +// #[cfg(not(feature = "std"))] pub extern crate alloc; /// Re-export of `plonky2_field`. diff --git a/plonky2/src/lookup_test.rs b/plonky2/src/lookup_test.rs index 3f70dcea4b..4e97bd9601 100644 --- a/plonky2/src/lookup_test.rs +++ b/plonky2/src/lookup_test.rs @@ -1,28 +1,34 @@ -static LOGGER_INITIALIZED: Once = Once::new(); - -use alloc::sync::Arc; -use std::sync::Once; +#[cfg(not(feature = "std"))] +use alloc::{sync::Arc, vec, vec::Vec}; +#[cfg(feature = "std")] +use std::sync::{Arc, Once}; use itertools::Itertools; -use log::{Level, LevelFilter}; +use log::Level; +use crate::field::types::Field; use crate::gadgets::lookup::{OTHER_TABLE, SMALLER_TABLE, TIP5_TABLE}; use crate::gates::lookup_table::LookupTable; use crate::gates::noop::NoopGate; +use crate::iop::witness::{PartialWitness, WitnessWrite}; +use crate::plonk::circuit_builder::CircuitBuilder; +use crate::plonk::circuit_data::CircuitConfig; +use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; use crate::plonk::prover::prove; use crate::util::timing::TimingTree; +const D: usize = 2; +type C = PoseidonGoldilocksConfig; +type F = >::F; + +const LUT_SIZE: usize = u16::MAX as usize + 1; + +#[cfg(feature = "std")] +static LOGGER_INITIALIZED: Once = Once::new(); + #[test] fn test_no_lookup() -> anyhow::Result<()> { - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); - use crate::iop::witness::PartialWitness; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; + init_logger(); let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -42,14 +48,7 @@ fn test_no_lookup() -> anyhow::Result<()> { #[test] #[ignore] fn test_lookup_table_not_used() { - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; + init_logger(); let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -64,14 +63,7 @@ fn test_lookup_table_not_used() { #[should_panic] #[test] fn test_lookup_without_table() { - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; + init_logger(); let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -86,17 +78,8 @@ fn test_lookup_without_table() { #[test] #[ignore] fn test_one_lookup() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; + init_logger(); - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); let tip5_table = TIP5_TABLE.to_vec(); let table: LookupTable = Arc::new((0..256).zip_eq(tip5_table).collect()); let config = CircuitConfig::standard_recursion_config(); @@ -148,18 +131,9 @@ fn test_one_lookup() -> anyhow::Result<()> { // Tests one lookup in two different lookup tables. #[test] #[ignore] -pub fn test_two_luts() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); +fn test_two_luts() -> anyhow::Result<()> { + init_logger(); + let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -233,17 +207,9 @@ pub fn test_two_luts() -> anyhow::Result<()> { #[test] #[ignore] -pub fn test_different_inputs() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); +fn test_different_inputs() -> anyhow::Result<()> { + init_logger(); + let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -319,17 +285,9 @@ pub fn test_different_inputs() -> anyhow::Result<()> { // This test looks up over 514 values for one LookupTableGate, which means that several LookupGates are created. #[test] #[ignore] -pub fn test_many_lookups() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); +fn test_many_lookups() -> anyhow::Result<()> { + init_logger(); + let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -410,18 +368,9 @@ pub fn test_many_lookups() -> anyhow::Result<()> { // Tests whether, when adding the same LUT to the circuit, the circuit only adds one copy, with the same index. #[test] #[ignore] -pub fn test_same_luts() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); +fn test_same_luts() -> anyhow::Result<()> { + init_logger(); + let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); @@ -476,21 +425,11 @@ pub fn test_same_luts() -> anyhow::Result<()> { #[test] #[ignore] fn test_big_lut() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; + init_logger(); - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; - - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); - const LUT_SIZE: usize = u16::MAX as usize + 1; let inputs: [u16; LUT_SIZE] = core::array::from_fn(|i| i as u16); let lut_fn = |inp: u16| inp / 10; let lut_index = builder.add_lookup_table_from_fn(lut_fn, &inputs); @@ -530,21 +469,11 @@ fn test_big_lut() -> anyhow::Result<()> { #[test] #[ignore] fn test_many_lookups_on_big_lut() -> anyhow::Result<()> { - use crate::field::types::Field; - use crate::iop::witness::{PartialWitness, WitnessWrite}; - use crate::plonk::circuit_builder::CircuitBuilder; - use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; - - const D: usize = 2; - type C = PoseidonGoldilocksConfig; - type F = >::F; + init_logger(); - LOGGER_INITIALIZED.call_once(|| init_logger().unwrap()); let config = CircuitConfig::standard_recursion_config(); let mut builder = CircuitBuilder::::new(config); - const LUT_SIZE: usize = u16::MAX as usize + 1; let inputs: [u16; LUT_SIZE] = core::array::from_fn(|i| i as u16); let lut_fn = |inp: u16| inp / 10; let lut_index = builder.add_lookup_table_from_fn(lut_fn, &inputs); @@ -589,11 +518,15 @@ fn test_many_lookups_on_big_lut() -> anyhow::Result<()> { data.verify(proof) } -fn init_logger() -> anyhow::Result<()> { - let mut builder = env_logger::Builder::from_default_env(); - builder.format_timestamp(None); - builder.filter_level(LevelFilter::Debug); +fn init_logger() { + #[cfg(feature = "std")] + { + LOGGER_INITIALIZED.call_once(|| { + let mut builder = env_logger::Builder::from_default_env(); + builder.format_timestamp(None); + builder.filter_level(log::LevelFilter::Debug); - builder.try_init()?; - Ok(()) + builder.try_init().unwrap(); + }); + } } diff --git a/plonky2/src/plonk/circuit_builder.rs b/plonky2/src/plonk/circuit_builder.rs index 9dd3757c5c..ecad452192 100644 --- a/plonky2/src/plonk/circuit_builder.rs +++ b/plonky2/src/plonk/circuit_builder.rs @@ -1,16 +1,14 @@ //! Logic for building plonky2 circuits. -use alloc::collections::BTreeMap; -use alloc::sync::Arc; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{collections::BTreeMap, sync::Arc, vec, vec::Vec}; use core::cmp::max; #[cfg(feature = "std")] -use std::time::Instant; +use std::{collections::BTreeMap, sync::Arc, time::Instant}; use hashbrown::{HashMap, HashSet}; use itertools::Itertools; -use log::{debug, info, Level, warn}; +use log::{debug, info, warn, Level}; use crate::field::cosets::get_unique_coset_shifts; @@ -65,6 +63,7 @@ pub const NUM_COINS_LOOKUP: usize = 4; /// `ChallengeB` is used for the linear combination of input and output pairs in the polynomial RE. /// `ChallengeAlpha` is used for the running sums: 1/(alpha - combo_i). /// `ChallengeDelta` is a challenge on which to evaluate the interpolated LUT function. +#[derive(Debug)] pub enum LookupChallenges { ChallengeA = 0, ChallengeB = 1, @@ -137,6 +136,7 @@ pub struct LookupWire { /// // Verify the proof /// assert!(circuit_data.verify(proof).is_ok()); /// ``` +#[derive(Debug)] pub struct CircuitBuilder, const D: usize> { /// Circuit configuration to be used by this [`CircuitBuilder`]. pub config: CircuitConfig, @@ -339,10 +339,15 @@ impl, const D: usize> CircuitBuilder { [0; N].map(|_| self.add_virtual_target()) } - /// Adds a new `HashOutTarget`. `NUM_HASH_OUT_ELTS` being hardcoded to 4, it internally - /// adds 4 virtual targets in a vector fashion. + /// Adds a new `HashOutTarget`. pub fn add_virtual_hash(&mut self) -> HashOutTarget { - HashOutTarget::from_vec(self.add_virtual_targets(4)) + HashOutTarget::from(self.add_virtual_target_arr::<4>()) + } + + /// Registers a new `HashOutTarget` as a public input, adding + /// internally `NUM_HASH_OUT_ELTS` virtual targets. + pub fn add_virtual_hash_public_input(&mut self) -> HashOutTarget { + HashOutTarget::from(self.add_virtual_public_input_arr::<4>()) } /// Adds a new `MerkleCapTarget`, consisting in `1 << cap_height` `HashOutTarget`. @@ -355,6 +360,13 @@ impl, const D: usize> CircuitBuilder { (0..n).map(|_i| self.add_virtual_hash()).collect() } + /// Registers `n` new `HashOutTarget` as public inputs, in a vector fashion. + pub fn add_virtual_hashes_public_input(&mut self, n: usize) -> Vec { + (0..n) + .map(|_i| self.add_virtual_hash_public_input()) + .collect() + } + pub(crate) fn add_virtual_merkle_proof(&mut self, len: usize) -> MerkleProofTarget { MerkleProofTarget { siblings: self.add_virtual_hashes(len), @@ -1021,10 +1033,10 @@ impl, const D: usize> CircuitBuilder { /// Builds a "full circuit", with both prover and verifier data. pub fn build_with_options>( - mut self, - _commit_to_sigma: bool, + self, + commit_to_sigma: bool, ) -> CircuitData { - let (circuit_data, success) = self.try_build_with_options(_commit_to_sigma); + let (circuit_data, success) = self.try_build_with_options(commit_to_sigma); if !success { panic!("Failed to build circuit"); } @@ -1033,7 +1045,7 @@ impl, const D: usize> CircuitBuilder { pub fn try_build_with_options>( mut self, - commit_to_sigma: bool, + _commit_to_sigma: bool, ) -> (CircuitData, bool) { let mut timing = TimingTree::new("preprocess", Level::Trace); diff --git a/plonky2/src/plonk/circuit_data.rs b/plonky2/src/plonk/circuit_data.rs index ea3e570ebb..f3beae5a88 100644 --- a/plonky2/src/plonk/circuit_data.rs +++ b/plonky2/src/plonk/circuit_data.rs @@ -12,10 +12,11 @@ //! The verifier data can similarly be extracted by calling [`CircuitData::verifier_data`]. //! This is useful to allow even small devices to verify plonky2 proofs. -use alloc::collections::BTreeMap; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{collections::BTreeMap, vec, vec::Vec}; use core::ops::{Range, RangeFrom}; +#[cfg(feature = "std")] +use std::collections::BTreeMap; use anyhow::Result; use serde::Serialize; @@ -251,6 +252,7 @@ impl, C: GenericConfig, const D: usize> /// structure as succinct as we can. Thus we include various precomputed data which isn't strictly /// required, like LDEs of preprocessed polynomials. If more succinctness was desired, we could /// construct a more minimal prover structure and convert back and forth. +#[derive(Debug)] pub struct ProverCircuitData< F: RichField + Extendable, C: GenericConfig, @@ -621,6 +623,10 @@ impl, const D: usize> CommonCircuitData { self.config.num_challenges * (1 + self.num_partial_products) } + /// Returns the total number of lookup polynomials. + // pub(crate) const fn num_all_lookup_polys(&self) -> usize { + // self.config.num_challenges * self.num_lookup_polys + // } fn fri_zs_polys(&self) -> Vec { FriPolynomialInfo::from_range(PlonkOracle::ZS_PARTIAL_PRODUCTS.index, self.zs_range()) } @@ -629,7 +635,15 @@ impl, const D: usize> CommonCircuitData { FriPolynomialInfo::from_range(PlonkOracle::QUOTIENT.index, 0..self.num_quotient_polys()) } - pub(crate) fn num_quotient_polys(&self) -> usize { + /// Returns the information for lookup polynomials, i.e. the index within the oracle and the indices of the polynomials within the commitment. + // fn fri_lookup_polys(&self) -> Vec { + // FriPolynomialInfo::from_range( + // PlonkOracle::ZS_PARTIAL_PRODUCTS.index, + // self.num_zs_partial_products_polys() + // ..self.num_zs_partial_products_polys() + self.num_all_lookup_polys(), + // ) + // } + pub(crate) const fn num_quotient_polys(&self) -> usize { self.config.num_challenges * self.quotient_degree_factor } diff --git a/plonky2/src/plonk/config.rs b/plonky2/src/plonk/config.rs index 39065dc32c..0a63a212aa 100644 --- a/plonky2/src/plonk/config.rs +++ b/plonky2/src/plonk/config.rs @@ -6,8 +6,8 @@ //! the Poseidon hash function both internally and natively, and one //! mixing Poseidon internally and truncated Keccak externally. -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::fmt::Debug; use serde::de::DeserializeOwned; @@ -115,7 +115,7 @@ pub trait GenericConfig: } /// Configuration using Poseidon over the Goldilocks field. -#[derive(Debug, Copy, Clone, Eq, PartialEq, Serialize)] +#[derive(Debug, Copy, Clone, Default, Eq, PartialEq, Serialize)] pub struct PoseidonGoldilocksConfig; impl GenericConfig<2> for PoseidonGoldilocksConfig { type F = GoldilocksField; @@ -125,7 +125,7 @@ impl GenericConfig<2> for PoseidonGoldilocksConfig { } /// Configuration using truncated Keccak over the Goldilocks field. -#[derive(Debug, Copy, Clone, Eq, PartialEq)] +#[derive(Debug, Copy, Clone, Default, Eq, PartialEq)] pub struct KeccakGoldilocksConfig; impl GenericConfig<2> for KeccakGoldilocksConfig { type F = GoldilocksField; diff --git a/plonky2/src/plonk/copy_constraint.rs b/plonky2/src/plonk/copy_constraint.rs index ea92ec1c9e..309f207d8b 100644 --- a/plonky2/src/plonk/copy_constraint.rs +++ b/plonky2/src/plonk/copy_constraint.rs @@ -1,8 +1,10 @@ +#[cfg(not(feature = "std"))] use alloc::string::String; use crate::iop::target::Target; /// A named copy constraint. +#[derive(Debug)] pub struct CopyConstraint { pub pair: (Target, Target), pub name: String, diff --git a/plonky2/src/plonk/get_challenges.rs b/plonky2/src/plonk/get_challenges.rs index 2374d9fae6..a718913578 100644 --- a/plonky2/src/plonk/get_challenges.rs +++ b/plonky2/src/plonk/get_challenges.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use hashbrown::HashSet; diff --git a/plonky2/src/plonk/permutation_argument.rs b/plonky2/src/plonk/permutation_argument.rs index a0dd57707f..312f3e991b 100644 --- a/plonky2/src/plonk/permutation_argument.rs +++ b/plonky2/src/plonk/permutation_argument.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use hashbrown::HashMap; diff --git a/plonky2/src/plonk/plonk_common.rs b/plonky2/src/plonk/plonk_common.rs index ca8ea9196a..170bfa170a 100644 --- a/plonky2/src/plonk/plonk_common.rs +++ b/plonky2/src/plonk/plonk_common.rs @@ -1,7 +1,7 @@ //! Utility methods and constants for Plonk. -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use crate::field::extension::Extendable; use crate::field::packed::PackedField; diff --git a/plonky2/src/plonk/proof.rs b/plonky2/src/plonk/proof.rs index a30ca36294..95f5bc37dd 100644 --- a/plonky2/src/plonk/proof.rs +++ b/plonky2/src/plonk/proof.rs @@ -4,8 +4,8 @@ //! [`CompressedProof`] or [`CompressedProofWithPublicInputs`] formats. //! The latter can be directly passed to a verifier to assert its correctness. -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use anyhow::ensure; use plonky2_maybe_rayon::*; @@ -257,6 +257,7 @@ impl, C: GenericConfig, const D: usize> } } +#[derive(Debug)] pub struct ProofChallenges, const D: usize> { /// Random values used in Plonk's permutation argument. pub plonk_betas: Vec, @@ -397,19 +398,23 @@ impl OpeningSetTarget { } #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] use alloc::sync::Arc; + #[cfg(feature = "std")] + use std::sync::Arc; use anyhow::Result; use itertools::Itertools; + use plonky2_field::types::Sample; - use crate::field::types::Sample; + use super::*; use crate::fri::reduction_strategies::FriReductionStrategy; use crate::gates::lookup_table::LookupTable; use crate::gates::noop::NoopGate; use crate::iop::witness::PartialWitness; use crate::plonk::circuit_builder::CircuitBuilder; use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; + use crate::plonk::config::PoseidonGoldilocksConfig; use crate::plonk::verifier::verify; #[test] diff --git a/plonky2/src/plonk/prover.rs b/plonky2/src/plonk/prover.rs index bd715cf577..69e69b1d09 100644 --- a/plonky2/src/plonk/prover.rs +++ b/plonky2/src/plonk/prover.rs @@ -1,7 +1,7 @@ //! plonky2 prover implementation. -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{format, vec, vec::Vec}; use core::mem::swap; diff --git a/plonky2/src/plonk/vanishing_poly.rs b/plonky2/src/plonk/vanishing_poly.rs index 9d79f3e624..15de357e3e 100644 --- a/plonky2/src/plonk/vanishing_poly.rs +++ b/plonky2/src/plonk/vanishing_poly.rs @@ -1,5 +1,6 @@ -use alloc::vec::Vec; -use alloc::{format, vec}; +#[cfg(not(feature = "std"))] +use alloc::{format, vec, vec::Vec}; + @@ -230,9 +231,8 @@ pub(crate) fn eval_vanishing_poly_base_batch< res_batch } - -/// Evaluates all lookup constraints, based on the logarithmic derivatives paper (https://eprint.iacr.org/2022/1530.pdf), -/// following the Tip5 paper's implementation (https://eprint.iacr.org/2023/107.pdf). +/// Evaluates all lookup constraints, based on the logarithmic derivatives paper (), +/// following the Tip5 paper's implementation (). /// /// There are three polynomials to check: /// - RE ensures the well formation of lookup tables; diff --git a/plonky2/src/plonk/vars.rs b/plonky2/src/plonk/vars.rs index b9d6d790ff..6cffc45c80 100644 --- a/plonky2/src/plonk/vars.rs +++ b/plonky2/src/plonk/vars.rs @@ -132,6 +132,7 @@ impl<'a, F: Field> EvaluationVarsBase<'a, F> { } /// Iterator of views (`EvaluationVarsBase`) into a `EvaluationVarsBaseBatch`. +#[derive(Debug)] pub struct EvaluationVarsBaseBatchIter<'a, F: Field> { i: usize, vars_batch: EvaluationVarsBaseBatch<'a, F>, @@ -159,6 +160,7 @@ impl<'a, F: Field> Iterator for EvaluationVarsBaseBatchIter<'a, F> { /// Iterator of packed views (`EvaluationVarsBasePacked`) into a `EvaluationVarsBaseBatch`. /// Note: if the length of `EvaluationVarsBaseBatch` is not a multiple of `P::WIDTH`, then the /// leftovers at the end are ignored. +#[derive(Debug)] pub struct EvaluationVarsBaseBatchIterPacked<'a, P: PackedField> { /// Index to yield next, in units of `P::Scalar`. E.g. if `P::WIDTH == 4`, then we will yield /// the vars for points `i`, `i + 1`, `i + 2`, and `i + 3`, packed. @@ -219,7 +221,7 @@ impl<'a, const D: usize> EvaluationTargets<'a, D> { } } -#[derive(Copy, Clone)] +#[derive(Copy, Clone, Debug)] pub struct EvaluationTargets<'a, const D: usize> { pub local_constants: &'a [ExtensionTarget], pub local_wires: &'a [ExtensionTarget], diff --git a/plonky2/src/recursion/conditional_recursive_verifier.rs b/plonky2/src/recursion/conditional_recursive_verifier.rs index 66b244ed32..ead7dbdffc 100644 --- a/plonky2/src/recursion/conditional_recursive_verifier.rs +++ b/plonky2/src/recursion/conditional_recursive_verifier.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use itertools::Itertools; @@ -336,6 +337,9 @@ impl, const D: usize> CircuitBuilder { #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::vec; + use anyhow::Result; use hashbrown::HashMap; @@ -344,7 +348,7 @@ mod tests { use crate::gates::noop::NoopGate; use crate::iop::witness::{PartialWitness, WitnessWrite}; use crate::plonk::circuit_data::CircuitConfig; - use crate::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; + use crate::plonk::config::PoseidonGoldilocksConfig; use crate::recursion::dummy_circuit::{dummy_circuit, dummy_proof}; #[test] diff --git a/plonky2/src/recursion/cyclic_recursion.rs b/plonky2/src/recursion/cyclic_recursion.rs index 1412e5c080..4c8dd5a81f 100644 --- a/plonky2/src/recursion/cyclic_recursion.rs +++ b/plonky2/src/recursion/cyclic_recursion.rs @@ -1,5 +1,6 @@ #![allow(clippy::int_plus_one)] // Makes more sense for some inequalities below. +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use anyhow::{ensure, Result}; @@ -198,6 +199,9 @@ where #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::vec; + use anyhow::Result; use crate::field::extension::Extendable; diff --git a/plonky2/src/recursion/dummy_circuit.rs b/plonky2/src/recursion/dummy_circuit.rs index 3843885d38..dc38924937 100644 --- a/plonky2/src/recursion/dummy_circuit.rs +++ b/plonky2/src/recursion/dummy_circuit.rs @@ -1,6 +1,9 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use hashbrown::HashMap; use plonky2_field::extension::Extendable; diff --git a/plonky2/src/recursion/recursive_verifier.rs b/plonky2/src/recursion/recursive_verifier.rs index 5e5dd4d779..1cd3acda19 100644 --- a/plonky2/src/recursion/recursive_verifier.rs +++ b/plonky2/src/recursion/recursive_verifier.rs @@ -1,3 +1,6 @@ +#[cfg(not(feature = "std"))] +use alloc::vec; + use crate::field::extension::Extendable; use crate::hash::hash_types::{HashOutTarget, RichField}; use crate::plonk::circuit_builder::CircuitBuilder; @@ -152,13 +155,17 @@ impl, const D: usize> CircuitBuilder { let cap_height = fri_params.config.cap_height; let salt = salt_size(common_data.fri_params.hiding); - let num_leaves_per_oracle = &[ + let num_leaves_per_oracle = &mut vec![ common_data.num_preprocessed_polys(), config.num_wires + salt, - common_data.num_zs_partial_products_polys() + salt, - common_data.num_quotient_polys() + salt, + // NOTE: v2 change + common_data.num_zs_partial_products_polys()+ salt, // + common_data.num_all_lookup_polys() , ]; + if common_data.num_quotient_polys() > 0 { + num_leaves_per_oracle.push(common_data.num_quotient_polys() + salt); + } + ProofTarget { wires_cap: self.add_virtual_cap(cap_height), plonk_zs_partial_products_cap: self.add_virtual_cap(cap_height), @@ -186,7 +193,10 @@ impl, const D: usize> CircuitBuilder { #[cfg(test)] mod tests { - use alloc::sync::Arc; + #[cfg(not(feature = "std"))] + use alloc::{sync::Arc, vec}; + #[cfg(feature = "std")] + use std::sync::Arc; use anyhow::Result; use itertools::Itertools; @@ -200,12 +210,13 @@ mod tests { use crate::gates::noop::NoopGate; use crate::iop::witness::{PartialWitness, WitnessWrite}; use crate::plonk::circuit_data::{CircuitConfig, VerifierOnlyCircuitData}; - use crate::plonk::config::{GenericConfig, KeccakGoldilocksConfig, PoseidonGoldilocksConfig}; + use crate::plonk::config::{KeccakGoldilocksConfig, PoseidonGoldilocksConfig}; use crate::plonk::proof::{CompressedProofWithPublicInputs, ProofWithPublicInputs}; use crate::plonk::prover::prove; use crate::util::timing::TimingTree; #[test] + #[ignore] fn test_recursive_verifier() -> Result<()> { init_logger(); const D: usize = 2; @@ -273,6 +284,7 @@ mod tests { } #[test] + #[ignore] fn test_recursive_recursive_verifier() -> Result<()> { init_logger(); const D: usize = 2; @@ -379,6 +391,7 @@ mod tests { } #[test] + #[ignore] fn test_recursive_verifier_multi_hash() -> Result<()> { init_logger(); const D: usize = 2; @@ -674,6 +687,7 @@ mod tests { } /// Test serialization and print some size info. + /// TODO: need to fix this, many tests rely on this fn test_serialization< F: RichField + Extendable, C: GenericConfig, @@ -688,12 +702,17 @@ mod tests { let proof_from_bytes = ProofWithPublicInputs::from_bytes(proof_bytes, common_data)?; assert_eq!(proof, &proof_from_bytes); + #[cfg(feature = "std")] let now = std::time::Instant::now(); + let compressed_proof = proof.clone().compress(&vd.circuit_digest, common_data)?; let decompressed_compressed_proof = compressed_proof .clone() .decompress(&vd.circuit_digest, common_data)?; + + #[cfg(feature = "std")] info!("{:.4}s to compress proof", now.elapsed().as_secs_f64()); + assert_eq!(proof, &decompressed_compressed_proof); let compressed_proof_bytes = compressed_proof.to_bytes(); diff --git a/plonky2/src/util/context_tree.rs b/plonky2/src/util/context_tree.rs index a0a699710d..f3ba5b7282 100644 --- a/plonky2/src/util/context_tree.rs +++ b/plonky2/src/util/context_tree.rs @@ -1,10 +1,14 @@ -use alloc::string::{String, ToString}; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{ + string::{String, ToString}, + vec, + vec::Vec, +}; use log::{log, Level}; /// The hierarchy of contexts, and the gate count contributed by each one. Useful for debugging. +#[derive(Debug)] pub(crate) struct ContextTree { /// The name of this scope. name: String, diff --git a/plonky2/src/util/mod.rs b/plonky2/src/util/mod.rs index e0f71f1272..8f9960034d 100644 --- a/plonky2/src/util/mod.rs +++ b/plonky2/src/util/mod.rs @@ -1,5 +1,6 @@ //! Utility module for helper methods and plonky2 serialization logic. +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use plonky2_maybe_rayon::*; @@ -41,6 +42,10 @@ pub(crate) const fn reverse_bits(n: usize, num_bits: usize) -> usize { #[cfg(test)] mod tests { + + #[cfg(not(feature = "std"))] + use alloc::vec; + use super::*; #[test] diff --git a/plonky2/src/util/partial_products.rs b/plonky2/src/util/partial_products.rs index 89be0fea86..1ceea7cab1 100644 --- a/plonky2/src/util/partial_products.rs +++ b/plonky2/src/util/partial_products.rs @@ -1,3 +1,4 @@ +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::iter; @@ -108,6 +109,9 @@ pub(crate) fn check_partial_products_circuit, const #[cfg(test)] mod tests { + #[cfg(not(feature = "std"))] + use alloc::vec; + use super::*; use crate::field::goldilocks_field::GoldilocksField; diff --git a/plonky2/src/util/reducing.rs b/plonky2/src/util/reducing.rs index e1ba397b1c..b99da32e6a 100644 --- a/plonky2/src/util/reducing.rs +++ b/plonky2/src/util/reducing.rs @@ -1,5 +1,5 @@ -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::borrow::Borrow; use crate::field::extension::{Extendable, FieldExtension}; diff --git a/plonky2/src/util/serialization/gate_serialization.rs b/plonky2/src/util/serialization/gate_serialization.rs index c5763fb0bf..f7880f8365 100644 --- a/plonky2/src/util/serialization/gate_serialization.rs +++ b/plonky2/src/util/serialization/gate_serialization.rs @@ -1,6 +1,9 @@ //! A module to help with GateRef serialization +#[cfg(not(feature = "std"))] use alloc::vec::Vec; +#[cfg(feature = "std")] +use std::vec::Vec; // For macros below use plonky2_field::extension::Extendable; @@ -76,7 +79,7 @@ macro_rules! impl_gate_serializer { fn write_gate( &self, - buf: &mut $crate::alloc::vec::Vec, + buf: &mut $crate::util::serialization::gate_serialization::Vec, gate: &$crate::gates::gate::GateRef, common: &$crate::plonk::circuit_data::CommonCircuitData, ) -> $crate::util::serialization::IoResult<()> { @@ -110,7 +113,16 @@ pub mod default { use crate::gates::reducing_extension::ReducingExtensionGate; use crate::hash::hash_types::RichField; use crate::util::serialization::GateSerializer; - + /// A gate serializer that can be used to serialize all default gates supported + /// by the `plonky2` library. + /// Being a unit struct, it can be simply called as + /// ```rust + /// use plonky2::util::serialization::DefaultGateSerializer; + /// let gate_serializer = DefaultGateSerializer; + /// ``` + /// Applications using custom gates should define their own serializer implementing + /// the `GateSerializer` trait. This can be easily done through the `impl_gate_serializer` macro. + #[derive(Debug)] pub struct DefaultGateSerializer; impl, const D: usize> GateSerializer for DefaultGateSerializer { impl_gate_serializer! { diff --git a/plonky2/src/util/serialization/generator_serialization.rs b/plonky2/src/util/serialization/generator_serialization.rs index bad24cebf2..527d8b4f6f 100644 --- a/plonky2/src/util/serialization/generator_serialization.rs +++ b/plonky2/src/util/serialization/generator_serialization.rs @@ -1,6 +1,9 @@ //! A module to help with WitnessGeneratorRef serialization -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +pub use alloc::vec::Vec; +#[cfg(feature = "std")] +pub use std::vec::Vec; // For macros below use plonky2_field::extension::Extendable; @@ -80,7 +83,7 @@ macro_rules! impl_generator_serializer { fn write_generator( &self, - buf: &mut $crate::alloc::vec::Vec, + buf: &mut $crate::util::serialization::generator_serialization::Vec, generator: &$crate::iop::generator::WitnessGeneratorRef, common: &$crate::plonk::circuit_data::CommonCircuitData, ) -> $crate::util::serialization::IoResult<()> { @@ -124,6 +127,20 @@ pub mod default { use crate::recursion::dummy_circuit::DummyProofGenerator; use crate::util::serialization::WitnessGeneratorSerializer; + /// A generator serializer that can be used to serialize all default generators supported + /// by the `plonky2` library. It can simply be called as + /// ```rust + /// use plonky2::util::serialization::DefaultGeneratorSerializer; + /// use plonky2::plonk::config::PoseidonGoldilocksConfig; + /// + /// const D: usize = 2; + /// type C = PoseidonGoldilocksConfig; + /// let generator_serializer = DefaultGeneratorSerializer::::default(); + /// ``` + /// Applications using custom generators should define their own serializer implementing + /// the `WitnessGeneratorSerializer` trait. This can be easily done through the + /// `impl_generator_serializer` macro. + #[derive(Debug, Default)] pub struct DefaultGeneratorSerializer, const D: usize> { pub _phantom: PhantomData, } diff --git a/plonky2/src/util/serialization/mod.rs b/plonky2/src/util/serialization/mod.rs index 46b9d5cfff..1ba78830fe 100644 --- a/plonky2/src/util/serialization/mod.rs +++ b/plonky2/src/util/serialization/mod.rs @@ -4,14 +4,14 @@ pub mod generator_serialization; #[macro_use] pub mod gate_serialization; -use alloc::collections::BTreeMap; -use alloc::sync::Arc; -use alloc::vec; -use alloc::vec::Vec; +#[cfg(not(feature = "std"))] +use alloc::{collections::BTreeMap, sync::Arc, vec, vec::Vec}; use core::convert::Infallible; use core::fmt::{Debug, Display, Formatter}; use core::mem::size_of; use core::ops::Range; +#[cfg(feature = "std")] +use std::{collections::BTreeMap, sync::Arc}; pub use gate_serialization::default::DefaultGateSerializer; pub use gate_serialization::GateSerializer; diff --git a/plonky2/src/util/timing.rs b/plonky2/src/util/timing.rs index 9c369b88bd..b25a124ced 100644 --- a/plonky2/src/util/timing.rs +++ b/plonky2/src/util/timing.rs @@ -1,10 +1,10 @@ +use log::{Level}; #[cfg(feature = "timing")] -use std::time::{Duration, Instant}; - -use log::{ Level}; +use web_time::{Duration, Instant}; /// The hierarchy of scopes, and the time consumed by each one. Useful for profiling. #[cfg(feature = "timing")] +#[derive(Debug)] pub struct TimingTree { /// The name of this scope. name: String, @@ -19,6 +19,7 @@ pub struct TimingTree { } #[cfg(not(feature = "timing"))] +#[derive(Debug)] pub struct TimingTree(Level); #[cfg(feature = "timing")] diff --git a/starky/Cargo.toml b/starky/Cargo.toml index a3f9b37c5d..cd7a21a35a 100644 --- a/starky/Cargo.toml +++ b/starky/Cargo.toml @@ -1,14 +1,15 @@ [package] name = "starky" description = "Implementation of STARKs" -version = "0.1.2" -license = "MIT OR Apache-2.0" +version = "0.2.1" authors = ["Daniel Lubarov ", "William Borgeaud "] readme = "README.md" -repository = "https://github.com/0xPolygonZero/plonky2" -keywords = ["cryptography", "STARK", "FRI"] -categories = ["cryptography"] -edition = "2021" +edition.workspace = true +license.workspace = true +homepage.workspace = true +repository.workspace = true +keywords.workspace = true +categories.workspace = true [features] default = ["parallel", "std", "timing"] @@ -17,11 +18,17 @@ std = ["anyhow/std", "plonky2/std"] timing = ["plonky2/timing"] [dependencies] -anyhow = { version = "1.0.40", default-features = false } -itertools = { version = "0.11.0", default-features = false } -log = { version = "0.4.14", default-features = false } -plonky2_maybe_rayon = { path = "../maybe_rayon", default-features = false } -plonky2 = { path = "../plonky2", default-features = false } +ahash = { workspace = true } +anyhow = { workspace = true } +hashbrown = { workspace = true } +itertools = { workspace = true } +log = { workspace = true } +num-bigint = { version = "0.4.3", default-features = false } + +# Local dependencies +plonky2 = { version = "0.2.0", path = "../plonky2", default-features = false } +plonky2_maybe_rayon = { version = "0.2.0", path = "../maybe_rayon", default-features = false } +plonky2_util = { version = "0.2.0", path = "../util", default-features = false } [dev-dependencies] env_logger = { version = "0.9.0", default-features = false } diff --git a/starky/LICENSE-APACHE b/starky/LICENSE-APACHE deleted file mode 100644 index 1e5006dc14..0000000000 --- a/starky/LICENSE-APACHE +++ /dev/null @@ -1,202 +0,0 @@ - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - -TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - -1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. - - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - -2. Grant of Copyright License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - -3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - -4. Redistribution. You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. - - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - -5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - -6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - -7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - -8. Limitation of Liability. In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - -9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - -END OF TERMS AND CONDITIONS - -APPENDIX: How to apply the Apache License to your work. - - To apply the Apache License to your work, attach the following - boilerplate notice, with the fields enclosed by brackets "[]" - replaced with your own identifying information. (Don't include - the brackets!) The text should be enclosed in the appropriate - comment syntax for the file format. We also recommend that a - file or class name and description of purpose be included on the - same "printed page" as the copyright notice for easier - identification within third-party archives. - -Copyright [yyyy] [name of copyright owner] - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. - diff --git a/starky/LICENSE-MIT b/starky/LICENSE-MIT deleted file mode 100644 index 86d690b220..0000000000 --- a/starky/LICENSE-MIT +++ /dev/null @@ -1,21 +0,0 @@ -The MIT License (MIT) - -Copyright (c) 2022 The Plonky2 Authors - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software. - -THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN -THE SOFTWARE. diff --git a/starky/src/config.rs b/starky/src/config.rs index 24ddb6a78f..8f95c0ea1c 100644 --- a/starky/src/config.rs +++ b/starky/src/config.rs @@ -1,17 +1,49 @@ +//! A [`StarkConfig`] defines all the parameters to be used when proving a +//! [`Stark`][crate::stark::Stark]. +//! +//! The default configuration is aimed for speed, yielding fast but large +//! proofs, with a targeted security level of 100 bits. + +#[cfg(not(feature = "std"))] +use alloc::format; + +use anyhow::{anyhow, Result}; +use plonky2::field::extension::Extendable; +use plonky2::field::types::Field; use plonky2::fri::reduction_strategies::FriReductionStrategy; use plonky2::fri::{FriConfig, FriParams}; +use plonky2::hash::hash_types::RichField; +/// A configuration containing the different parameters used by the STARK prover. +#[derive(Clone, Debug)] pub struct StarkConfig { + /// The targeted security level for the proofs generated with this configuration. pub security_bits: usize, /// The number of challenge points to generate, for IOPs that have soundness errors of (roughly) /// `degree / |F|`. pub num_challenges: usize, + /// The configuration of the FRI sub-protocol. pub fri_config: FriConfig, } +impl Default for StarkConfig { + fn default() -> Self { + Self::standard_fast_config() + } +} + impl StarkConfig { + /// Returns a custom STARK configuration. + pub const fn new(security_bits: usize, num_challenges: usize, fri_config: FriConfig) -> Self { + Self { + security_bits, + num_challenges, + fri_config, + } + } + /// A typical configuration with a rate of 2, resulting in fast but large proofs. /// Targets ~100 bit conjectured security. pub const fn standard_fast_config() -> Self { @@ -28,7 +60,88 @@ impl StarkConfig { } } - pub(crate) fn fri_params(&self, degree_bits: usize) -> FriParams { + /// Outputs the [`FriParams`] used during the FRI sub-protocol by this [`StarkConfig`]. + pub fn fri_params(&self, degree_bits: usize) -> FriParams { self.fri_config.fri_params(degree_bits, false) } + + /// Checks that this STARK configuration is consistent, i.e. that the different + /// parameters meet the targeted security level. + pub fn check_config, const D: usize>(&self) -> Result<()> { + let StarkConfig { + security_bits, + fri_config: + FriConfig { + rate_bits, + proof_of_work_bits, + num_query_rounds, + .. + }, + .. + } = &self; + + // Conjectured FRI security; see the ethSTARK paper. + let fri_field_bits = F::Extension::order().bits() as usize; + let fri_query_security_bits = num_query_rounds * rate_bits + *proof_of_work_bits as usize; + let fri_security_bits = fri_field_bits.min(fri_query_security_bits); + + if fri_security_bits < *security_bits { + Err(anyhow!(format!( + "FRI params fall short of target security {}, reaching only {}", + security_bits, fri_security_bits + ))) + } else { + Ok(()) + } + } +} + +#[cfg(test)] +mod tests { + use plonky2::field::goldilocks_field::GoldilocksField; + + use super::*; + + #[test] + fn test_valid_config() { + type F = GoldilocksField; + const D: usize = 2; + + let config = StarkConfig::standard_fast_config(); + assert!(config.check_config::().is_ok()); + + let high_rate_config = StarkConfig::new( + 100, + 2, + FriConfig { + rate_bits: 3, + cap_height: 4, + proof_of_work_bits: 16, + reduction_strategy: FriReductionStrategy::ConstantArityBits(4, 5), + num_query_rounds: 28, + }, + ); + assert!(high_rate_config.check_config::().is_ok()); + } + + #[test] + fn test_invalid_config() { + type F = GoldilocksField; + const D: usize = 2; + + let too_few_queries_config = StarkConfig::new( + 100, + 2, + FriConfig { + rate_bits: 1, + cap_height: 4, + proof_of_work_bits: 16, + reduction_strategy: FriReductionStrategy::ConstantArityBits(4, 5), + num_query_rounds: 50, + }, + ); + // The conjectured security yields `rate_bits` * `num_query_rounds` + `proof_of_work_bits` = 66 + // bits of security for FRI, which falls short of the 100 bits of security target. + assert!(too_few_queries_config.check_config::().is_err()); + } } diff --git a/starky/src/constraint_consumer.rs b/starky/src/constraint_consumer.rs index 0354893571..02eff4b197 100644 --- a/starky/src/constraint_consumer.rs +++ b/starky/src/constraint_consumer.rs @@ -1,5 +1,10 @@ -use alloc::vec; -use alloc::vec::Vec; +//! Implementation of the constraint consumer. +//! +//! The [`ConstraintConsumer`], and its circuit counterpart, allow a +//! prover to evaluate all polynomials of a [`Stark`][crate::stark::Stark]. + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::marker::PhantomData; use plonky2::field::extension::Extendable; @@ -9,14 +14,15 @@ use plonky2::iop::ext_target::ExtensionTarget; use plonky2::iop::target::Target; use plonky2::plonk::circuit_builder::CircuitBuilder; +/// A [`ConstraintConsumer`] evaluates all constraint, permutation and cross-table +/// lookup polynomials of a [`Stark`][crate::stark::Stark]. +#[derive(Debug)] pub struct ConstraintConsumer { /// Random values used to combine multiple constraints into one. alphas: Vec, /// Running sums of constraints that have been emitted so far, scaled by powers of alpha. - // TODO(JN): This is pub so it can be used in a test. Once we have an API for accessing this - // result, it should be made private. - pub constraint_accs: Vec

, + constraint_accs: Vec

, /// The evaluation of `X - g^(n-1)`. z_last: P, @@ -31,6 +37,7 @@ pub struct ConstraintConsumer { } impl ConstraintConsumer

{ + /// Creates a new instance of [`ConstraintConsumer`]. pub fn new( alphas: Vec, z_last: P, @@ -46,6 +53,8 @@ impl ConstraintConsumer

{ } } + /// Consumes this [`ConstraintConsumer`] and outputs its sum of accumulated + /// constraints scaled by powers of `alpha`. pub fn accumulators(self) -> Vec

{ self.constraint_accs } @@ -76,6 +85,8 @@ impl ConstraintConsumer

{ } } +/// Circuit version of [`ConstraintConsumer`]. +#[derive(Debug)] pub struct RecursiveConstraintConsumer, const D: usize> { /// A random value used to combine multiple constraints into one. alphas: Vec, @@ -98,6 +109,7 @@ pub struct RecursiveConstraintConsumer, const D: us } impl, const D: usize> RecursiveConstraintConsumer { + /// Creates a new instance of [`RecursiveConstraintConsumer`]. pub fn new( zero: ExtensionTarget, alphas: Vec, @@ -115,6 +127,8 @@ impl, const D: usize> RecursiveConstraintConsumer Vec> { self.constraint_accs } diff --git a/evm/src/cross_table_lookup.rs b/starky/src/cross_table_lookup.rs similarity index 84% rename from evm/src/cross_table_lookup.rs rename to starky/src/cross_table_lookup.rs index 359b5309e8..da50c24c17 100644 --- a/evm/src/cross_table_lookup.rs +++ b/starky/src/cross_table_lookup.rs @@ -27,8 +27,11 @@ //! is similar, but we provide not only `local_values` but also `next_values` -- corresponding to //! the current and next row values -- when computing the linear combinations. +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::cmp::min; use core::fmt::Debug; +use core::iter::once; use anyhow::{ensure, Result}; use itertools::Itertools; @@ -37,40 +40,39 @@ use plonky2::field::packed::PackedField; use plonky2::field::polynomial::PolynomialValues; use plonky2::field::types::Field; use plonky2::hash::hash_types::RichField; -use plonky2::iop::challenger::{Challenger, RecursiveChallenger}; +use plonky2::iop::challenger::Challenger; use plonky2::iop::ext_target::ExtensionTarget; use plonky2::iop::target::Target; use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::plonk::config::{AlgebraicHasher, GenericConfig, Hasher}; +use plonky2::plonk::config::GenericConfig; use plonky2::util::ceil_div_usize; -use plonky2::util::serialization::{Buffer, IoResult, Read, Write}; use crate::config::StarkConfig; use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; use crate::evaluation_frame::StarkEvaluationFrame; use crate::lookup::{ - eval_helper_columns, eval_helper_columns_circuit, get_helper_cols, Column, ColumnFilter, - Filter, GrandProductChallenge, + eval_helper_columns, eval_helper_columns_circuit, get_grand_product_challenge_set, + get_helper_cols, Column, ColumnFilter, Filter, GrandProductChallenge, GrandProductChallengeSet, }; -use crate::proof::{StarkProofTarget, StarkProofWithMetadata}; +use crate::proof::{MultiProof, StarkProofTarget, StarkProofWithMetadata}; use crate::stark::Stark; /// An alias for `usize`, to represent the index of a STARK table in a multi-STARK setting. -pub(crate) type TableIdx = usize; +pub type TableIdx = usize; /// A `table` index with a linear combination of columns and a filter. /// `filter` is used to determine the rows to select in `table`. /// `columns` represents linear combinations of the columns of `table`. #[derive(Clone, Debug)] -pub(crate) struct TableWithColumns { +pub struct TableWithColumns { table: TableIdx, columns: Vec>, - pub(crate) filter: Option>, + filter: Option>, } impl TableWithColumns { /// Generates a new `TableWithColumns` given a `table` index, a linear combination of columns `columns` and a `filter`. - pub(crate) fn new(table: TableIdx, columns: Vec>, filter: Option>) -> Self { + pub fn new(table: TableIdx, columns: Vec>, filter: Option>) -> Self { Self { table, columns, @@ -81,7 +83,7 @@ impl TableWithColumns { /// Cross-table lookup data consisting in the lookup table (`looked_table`) and all the tables that look into `looked_table` (`looking_tables`). /// Each `looking_table` corresponds to a STARK's table whose rows have been filtered out and whose columns have been through a linear combination (see `eval_table`). The concatenation of those smaller tables should result in the `looked_table`. -#[derive(Clone)] +#[derive(Clone, Debug)] pub struct CrossTableLookup { /// Column linear combinations for all tables that are looking into the current table. pub(crate) looking_tables: Vec>, @@ -92,7 +94,7 @@ pub struct CrossTableLookup { impl CrossTableLookup { /// Creates a new `CrossTableLookup` given some looking tables and a looked table. /// All tables should have the same width. - pub(crate) fn new( + pub fn new( looking_tables: Vec>, looked_table: TableWithColumns, ) -> Self { @@ -109,7 +111,7 @@ impl CrossTableLookup { /// - the total number of helper columns for this table, over all Cross-table lookups, /// - the total number of z polynomials for this table, over all Cross-table lookups, /// - the number of helper columns for this table, for each Cross-table lookup. - pub(crate) fn num_ctl_helpers_zs_all( + pub fn num_ctl_helpers_zs_all( ctls: &[Self], table: TableIdx, num_challenges: usize, @@ -119,9 +121,9 @@ impl CrossTableLookup { let mut num_ctls = 0; let mut num_helpers_by_ctl = vec![0; ctls.len()]; for (i, ctl) in ctls.iter().enumerate() { - let all_tables = std::iter::once(&ctl.looked_table).chain(&ctl.looking_tables); + let all_tables = once(&ctl.looked_table).chain(&ctl.looking_tables); let num_appearances = all_tables.filter(|twc| twc.table == table).count(); - let is_helpers = num_appearances > 2; + let is_helpers = num_appearances > 1; if is_helpers { num_helpers_by_ctl[i] = ceil_div_usize(num_appearances, constraint_degree - 1); num_helpers += num_helpers_by_ctl[i]; @@ -140,23 +142,23 @@ impl CrossTableLookup { } /// Cross-table lookup data for one table. -#[derive(Clone, Default)] -pub(crate) struct CtlData<'a, F: Field> { +#[derive(Clone, Default, Debug)] +pub struct CtlData<'a, F: Field> { /// Data associated with all Z(x) polynomials for one table. - pub(crate) zs_columns: Vec>, + pub zs_columns: Vec>, } /// Cross-table lookup data associated with one Z(x) polynomial. /// One Z(x) polynomial can be associated to multiple tables, /// built from the same STARK. -#[derive(Clone)] -pub(crate) struct CtlZData<'a, F: Field> { +#[derive(Clone, Debug)] +pub struct CtlZData<'a, F: Field> { /// Helper columns to verify the Z polynomial values. pub(crate) helper_columns: Vec>, /// Z polynomial values. pub(crate) z: PolynomialValues, /// Cross-table lookup challenge. - pub(crate) challenge: GrandProductChallenge, + pub challenge: GrandProductChallenge, /// Vector of column linear combinations for the current tables. pub(crate) columns: Vec<&'a [Column]>, /// Vector of filter columns for the current table. @@ -164,17 +166,26 @@ pub(crate) struct CtlZData<'a, F: Field> { pub(crate) filter: Vec>>, } -impl<'a, F: Field> CtlData<'a, F> { - /// Returns the number of cross-table lookup polynomials. - pub(crate) fn len(&self) -> usize { - self.zs_columns.len() - } - - /// Returns whether there are no cross-table lookups. - pub(crate) fn is_empty(&self) -> bool { - self.zs_columns.is_empty() +impl<'a, F: Field> CtlZData<'a, F> { + /// Returns new CTL data from the provided arguments. + pub fn new( + helper_columns: Vec>, + z: PolynomialValues, + challenge: GrandProductChallenge, + columns: Vec<&'a [Column]>, + filter: Vec>>, + ) -> Self { + Self { + helper_columns, + z, + challenge, + columns, + filter, + } } +} +impl<'a, F: Field> CtlData<'a, F> { /// Returns all the cross-table lookup helper polynomials. pub(crate) fn ctl_helper_polys(&self) -> Vec> { let num_polys = self @@ -210,82 +221,58 @@ impl<'a, F: Field> CtlData<'a, F> { } } -/// Like `PermutationChallenge`, but with `num_challenges` copies to boost soundness. -#[derive(Clone, Eq, PartialEq, Debug)] -pub struct GrandProductChallengeSet { - pub(crate) challenges: Vec>, -} - -impl GrandProductChallengeSet { - pub(crate) fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { - buffer.write_usize(self.challenges.len())?; - for challenge in &self.challenges { - buffer.write_target(challenge.beta)?; - buffer.write_target(challenge.gamma)?; - } - Ok(()) - } - - pub(crate) fn from_buffer(buffer: &mut Buffer) -> IoResult { - let length = buffer.read_usize()?; - let mut challenges = Vec::with_capacity(length); - for _ in 0..length { - challenges.push(GrandProductChallenge { - beta: buffer.read_target()?, - gamma: buffer.read_target()?, - }); - } - - Ok(GrandProductChallengeSet { challenges }) - } -} - -fn get_grand_product_challenge>( - challenger: &mut Challenger, -) -> GrandProductChallenge { - let beta = challenger.get_challenge(); - let gamma = challenger.get_challenge(); - GrandProductChallenge { beta, gamma } -} - -pub(crate) fn get_grand_product_challenge_set>( - challenger: &mut Challenger, - num_challenges: usize, -) -> GrandProductChallengeSet { - let challenges = (0..num_challenges) - .map(|_| get_grand_product_challenge(challenger)) - .collect(); - GrandProductChallengeSet { challenges } -} - -fn get_grand_product_challenge_target< +/// Outputs a tuple of (challenges, data) of CTL challenges and all +/// the CTL data necessary to prove a multi-STARK system. +pub fn get_ctl_data<'a, F, C, const D: usize, const N: usize>( + config: &StarkConfig, + trace_poly_values: &[Vec>; N], + all_cross_table_lookups: &'a [CrossTableLookup], + challenger: &mut Challenger, + max_constraint_degree: usize, +) -> (GrandProductChallengeSet, [CtlData<'a, F>; N]) +where F: RichField + Extendable, - H: AlgebraicHasher, - const D: usize, ->( - builder: &mut CircuitBuilder, - challenger: &mut RecursiveChallenger, -) -> GrandProductChallenge { - let beta = challenger.get_challenge(builder); - let gamma = challenger.get_challenge(builder); - GrandProductChallenge { beta, gamma } + C: GenericConfig, +{ + // Get challenges for the cross-table lookups. + let ctl_challenges = get_grand_product_challenge_set(challenger, config.num_challenges); + + // For each STARK, compute its cross-table lookup Z polynomials + // and get the associated `CtlData`. + let ctl_data = cross_table_lookup_data::( + trace_poly_values, + all_cross_table_lookups, + &ctl_challenges, + max_constraint_degree, + ); + + (ctl_challenges, ctl_data) } -pub(crate) fn get_grand_product_challenge_set_target< +/// Outputs all the CTL data necessary to prove a multi-STARK system. +pub fn get_ctl_vars_from_proofs<'a, F, C, const D: usize, const N: usize>( + multi_proof: &MultiProof, + all_cross_table_lookups: &'a [CrossTableLookup], + ctl_challenges: &'a GrandProductChallengeSet, + num_lookup_columns: &'a [usize; N], + max_constraint_degree: usize, +) -> [Vec>::Extension, >::Extension, D>>; + N] +where F: RichField + Extendable, - H: AlgebraicHasher, - const D: usize, ->( - builder: &mut CircuitBuilder, - challenger: &mut RecursiveChallenger, - num_challenges: usize, -) -> GrandProductChallengeSet { - let challenges = (0..num_challenges) - .map(|_| get_grand_product_challenge_target(builder, challenger)) - .collect(); - GrandProductChallengeSet { challenges } + C: GenericConfig, +{ + let num_ctl_helper_cols = + num_ctl_helper_columns_by_table(all_cross_table_lookups, max_constraint_degree); + + CtlCheckVars::from_proofs( + &multi_proof.stark_proofs, + all_cross_table_lookups, + ctl_challenges, + num_lookup_columns, + &num_ctl_helper_cols, + ) } - /// Returns the number of helper columns for each `Table`. pub(crate) fn num_ctl_helper_columns_by_table( ctls: &[CrossTableLookup], @@ -303,8 +290,8 @@ pub(crate) fn num_ctl_helper_columns_by_table( for (table, group) in grouped_lookups.into_iter() { let sum = group.count(); - if sum > 2 { - // We only need helper columns if there are more than 2 columns. + if sum > 1 { + // We only need helper columns if there are at least 2 columns. num_by_table[table] = ceil_div_usize(sum, constraint_degree - 1); } } @@ -314,6 +301,17 @@ pub(crate) fn num_ctl_helper_columns_by_table( res } +/// Gets the auxiliary polynomials associated to these CTL data. +pub(crate) fn get_ctl_auxiliary_polys( + ctl_data: Option<&CtlData>, +) -> Option>> { + ctl_data.map(|data| { + let mut ctl_polys = data.ctl_helper_polys(); + ctl_polys.extend(data.ctl_z_polys()); + ctl_polys + }) +} + /// Generates all the cross-table lookup data, for all tables. /// - `trace_poly_values` corresponds to the trace values for all tables. /// - `cross_table_lookups` corresponds to all the cross-table lookups, i.e. the looked and looking tables, as described in `CrossTableLookup`. @@ -428,7 +426,7 @@ fn ctl_helper_zs_cols( /// The initial sum `s` is 0. /// For each row, if the `filter_column` evaluates to 1, then the row is selected. All the column linear combinations are evaluated at said row. /// The evaluations of each elements of `columns` are then combined together to form a value `v`. -/// The values `v`` are grouped together, in groups of size `constraint_degree - 1` (2 in our case). For each group, we construct a helper +/// The values `v`` are grouped together, in groups of size `constraint_degree - 1`. For each group, we construct a helper /// column: h = \sum_i 1/(v_i). /// /// The sum is updated: `s += \sum h_i`, and is pushed to the vector of partial sums `z``. @@ -457,7 +455,7 @@ fn partial_sums( z.push(z[z.len() - 1] + x); } z.reverse(); - if columns_filters.len() > 2 { + if columns_filters.len() > 1 { helper_columns.push(z.into()); } else { helper_columns = vec![z.into()]; @@ -467,8 +465,8 @@ fn partial_sums( } /// Data necessary to check the cross-table lookups of a given table. -#[derive(Clone)] -pub(crate) struct CtlCheckVars<'a, F, FE, P, const D2: usize> +#[derive(Clone, Debug)] +pub struct CtlCheckVars<'a, F, FE, P, const D2: usize> where F: Field, FE: FieldExtension, @@ -493,13 +491,24 @@ impl<'a, F: RichField + Extendable, const D: usize> CtlCheckVars<'a, F, F::Extension, F::Extension, D> { /// Extracts the `CtlCheckVars` for each STARK. - pub(crate) fn from_proofs, const N: usize>( + pub fn from_proofs, const N: usize>( proofs: &[StarkProofWithMetadata; N], cross_table_lookups: &'a [CrossTableLookup], ctl_challenges: &'a GrandProductChallengeSet, num_lookup_columns: &[usize; N], num_helper_ctl_columns: &Vec<[usize; N]>, ) -> [Vec; N] { + let mut ctl_vars_per_table = [0; N].map(|_| vec![]); + // If there are no auxiliary polys in the proofs `openings`, + // return early. The verifier will reject the proofs when + // calling `validate_proof_shape`. + if proofs + .iter() + .any(|p| p.proof.openings.auxiliary_polys.is_none()) + { + return ctl_vars_per_table; + } + let mut total_num_helper_cols_by_table = [0; N]; for p_ctls in num_helper_ctl_columns { for j in 0..N { @@ -514,8 +523,14 @@ impl<'a, F: RichField + Extendable, const D: usize> .map(|(p, &num_lookup)| { let openings = &p.proof.openings; - let ctl_zs = &openings.auxiliary_polys[num_lookup..]; - let ctl_zs_next = &openings.auxiliary_polys_next[num_lookup..]; + let ctl_zs = &openings + .auxiliary_polys + .as_ref() + .expect("We cannot have CTls without auxiliary polynomials.")[num_lookup..]; + let ctl_zs_next = &openings + .auxiliary_polys_next + .as_ref() + .expect("We cannot have CTls without auxiliary polynomials.")[num_lookup..]; ctl_zs.iter().zip(ctl_zs_next).collect::>() }) .collect::>(); @@ -523,7 +538,6 @@ impl<'a, F: RichField + Extendable, const D: usize> // Put each cross-table lookup polynomial into the correct table data: if a CTL polynomial is extracted from looking/looked table t, then we add it to the `CtlCheckVars` of table t. let mut start_indices = [0; N]; let mut z_indices = [0; N]; - let mut ctl_vars_per_table = [0; N].map(|_| vec![]); for ( CrossTableLookup { looking_tables, @@ -698,8 +712,8 @@ pub(crate) fn eval_cross_table_lookup_checks { +#[derive(Clone, Debug)] +pub struct CtlCheckVarsTarget { ///Evaluation of the helper columns to check that the Z polyomial /// was constructed correctly. pub(crate) helper_columns: Vec>, @@ -716,8 +730,8 @@ pub(crate) struct CtlCheckVarsTarget { } impl<'a, F: Field, const D: usize> CtlCheckVarsTarget { - /// Circuit version of `from_proofs`. Extracts the `CtlCheckVarsTarget` for each STARK. - pub(crate) fn from_proof( + /// Circuit version of `from_proofs`, for a single STARK. + pub fn from_proof( table: TableIdx, proof: &StarkProofTarget, cross_table_lookups: &'a [CrossTableLookup], @@ -729,15 +743,24 @@ impl<'a, F: Field, const D: usize> CtlCheckVarsTarget { // Get all cross-table lookup polynomial openings for each STARK proof. let ctl_zs = { let openings = &proof.openings; - let ctl_zs = openings.auxiliary_polys.iter().skip(num_lookup_columns); + let ctl_zs = openings + .auxiliary_polys + .as_ref() + .expect("We cannot have CTls without auxiliary polynomials.") + .iter() + .skip(num_lookup_columns); let ctl_zs_next = openings .auxiliary_polys_next + .as_ref() + .expect("We cannot have CTls without auxiliary polynomials.") .iter() .skip(num_lookup_columns); ctl_zs.zip(ctl_zs_next).collect::>() }; - // Put each cross-table lookup polynomial into the correct table data: if a CTL polynomial is extracted from looking/looked table t, then we add it to the `CtlCheckVars` of table t. + // Put each cross-table lookup polynomial into the correct table's data. + // If a CTL polynomial is extracted from the looking/looked table `t``, + // then we add it to the `CtlCheckVars` of table `t``. let mut z_index = 0; let mut start_index = 0; let mut ctl_vars = vec![]; @@ -750,7 +773,8 @@ impl<'a, F: Field, const D: usize> CtlCheckVarsTarget { ) in cross_table_lookups.iter().enumerate() { for &challenges in &ctl_challenges.challenges { - // Group looking tables by `Table`, since we bundle the looking tables taken from the same `Table` together thanks to helper columns. + // Group looking tables by `Table`, since we bundle the looking tables + // taken from the same `Table` together thanks to helper columns. let count = looking_tables .iter() @@ -779,8 +803,6 @@ impl<'a, F: Field, const D: usize> CtlCheckVarsTarget { start_index += num_helper_ctl_columns[i]; z_index += 1; - // let columns = group.0.clone(); - // let filter = group.1.clone(); ctl_vars.push(Self { helper_columns, local_z: *looking_z, @@ -921,14 +943,10 @@ pub(crate) fn eval_cross_table_lookup_checks_circuit< } /// Verifies all cross-table lookups. -pub(crate) fn verify_cross_table_lookups< - F: RichField + Extendable, - const D: usize, - const N: usize, ->( +pub fn verify_cross_table_lookups, const D: usize, const N: usize>( cross_table_lookups: &[CrossTableLookup], ctl_zs_first: [Vec; N], - ctl_extra_looking_sums: Vec>, + ctl_extra_looking_sums: Option<&[Vec]>, config: &StarkConfig, ) -> Result<()> { let mut ctl_zs_openings = ctl_zs_first.iter().map(|v| v.iter()).collect::>(); @@ -941,7 +959,9 @@ pub(crate) fn verify_cross_table_lookups< ) in cross_table_lookups.iter().enumerate() { // Get elements looking into `looked_table` that are not associated to any STARK. - let extra_sum_vec = &ctl_extra_looking_sums[looked_table.table]; + let extra_sum_vec: &[F] = ctl_extra_looking_sums + .map(|v| v[looked_table.table].as_ref()) + .unwrap_or_default(); // We want to iterate on each looking table only once. let mut filtered_looking_tables = vec![]; for table in looking_tables { @@ -974,7 +994,7 @@ pub(crate) fn verify_cross_table_lookups< } /// Circuit version of `verify_cross_table_lookups`. Verifies all cross-table lookups. -pub(crate) fn verify_cross_table_lookups_circuit< +pub fn verify_cross_table_lookups_circuit< F: RichField + Extendable, const D: usize, const N: usize, @@ -982,7 +1002,7 @@ pub(crate) fn verify_cross_table_lookups_circuit< builder: &mut CircuitBuilder, cross_table_lookups: Vec>, ctl_zs_first: [Vec; N], - ctl_extra_looking_sums: Vec>, + ctl_extra_looking_sums: Option<&[Vec]>, inner_config: &StarkConfig, ) { let mut ctl_zs_openings = ctl_zs_first.iter().map(|v| v.iter()).collect::>(); @@ -992,7 +1012,9 @@ pub(crate) fn verify_cross_table_lookups_circuit< } in cross_table_lookups.into_iter() { // Get elements looking into `looked_table` that are not associated to any STARK. - let extra_sum_vec = &ctl_extra_looking_sums[looked_table.table]; + let extra_sum_vec: &[Target] = ctl_extra_looking_sums + .map(|v| v[looked_table.table].as_ref()) + .unwrap_or_default(); // We want to iterate on each looking table only once. let mut filtered_looking_tables = vec![]; for table in looking_tables { @@ -1019,26 +1041,30 @@ pub(crate) fn verify_cross_table_lookups_circuit< debug_assert!(ctl_zs_openings.iter_mut().all(|iter| iter.next().is_none())); } -#[cfg(test)] -pub(crate) mod testutils { - use std::collections::HashMap; +/// Debugging module used to assert correctness of the different CTLs of a multi-STARK system, +/// that can be used during the proof generation process. +/// +/// **Note**: This is an expensive check. +pub mod debug_utils { + #[cfg(not(feature = "std"))] + use alloc::{vec, vec::Vec}; + use hashbrown::HashMap; use plonky2::field::polynomial::PolynomialValues; use plonky2::field::types::Field; - use crate::all_stark::Table; - use crate::cross_table_lookup::{CrossTableLookup, TableWithColumns}; + use super::{CrossTableLookup, TableIdx, TableWithColumns}; - type MultiSet = HashMap, Vec<(Table, usize)>>; + type MultiSet = HashMap, Vec<(TableIdx, usize)>>; /// Check that the provided traces and cross-table lookups are consistent. - pub(crate) fn check_ctls( + pub fn check_ctls( trace_poly_values: &[Vec>], cross_table_lookups: &[CrossTableLookup], - extra_memory_looking_values: &[Vec], + extra_looking_values: &HashMap>>, ) { for (i, ctl) in cross_table_lookups.iter().enumerate() { - check_ctl(trace_poly_values, ctl, i, extra_memory_looking_values); + check_ctl(trace_poly_values, ctl, i, extra_looking_values.get(&i)); } } @@ -1046,7 +1072,7 @@ pub(crate) mod testutils { trace_poly_values: &[Vec>], ctl: &CrossTableLookup, ctl_index: usize, - extra_memory_looking_values: &[Vec], + extra_looking_values: Option<&Vec>>, ) { let CrossTableLookup { looking_tables, @@ -1063,15 +1089,15 @@ pub(crate) mod testutils { } process_table(trace_poly_values, looked_table, &mut looked_multiset); - // Extra looking values for memory - if ctl_index == Table::Memory as usize { - for row in extra_memory_looking_values.iter() { + // Include extra looking values if any for this `ctl_index`. + if let Some(values) = extra_looking_values { + for row in values.iter() { // The table and the row index don't matter here, as we just want to enforce - // that the special extra values do appear when looking against the Memory table. + // that the special extra values do appear when looking against the specified table. looking_multiset .entry(row.to_vec()) .or_default() - .push((Table::Cpu, 0)); + .push((0, 0)); } } @@ -1106,10 +1132,7 @@ pub(crate) mod testutils { .iter() .map(|c| c.eval_table(trace, i)) .collect::>(); - multiset - .entry(row) - .or_default() - .push((Table::all()[table.table], i)); + multiset.entry(row).or_default().push((table.table, i)); } else { assert_eq!(filter, F::ZERO, "Non-binary filter?") } @@ -1117,8 +1140,8 @@ pub(crate) mod testutils { } fn check_locations( - looking_locations: &[(Table, usize)], - looked_locations: &[(Table, usize)], + looking_locations: &[(TableIdx, usize)], + looked_locations: &[(TableIdx, usize)], ctl_index: usize, row: &[F], ) { diff --git a/starky/src/evaluation_frame.rs b/starky/src/evaluation_frame.rs index e2dcf2dbeb..fbfaf71e89 100644 --- a/starky/src/evaluation_frame.rs +++ b/starky/src/evaluation_frame.rs @@ -1,3 +1,5 @@ +//! Implementation of constraint evaluation frames for STARKs. + /// A trait for viewing an evaluation frame of a STARK table. /// /// It allows to access the current and next rows at a given step @@ -8,6 +10,7 @@ pub trait StarkEvaluationFrame &[T]; + /// Returns the public inputs for this evaluation frame. fn get_public_inputs(&self) -> &[U]; /// Outputs a new evaluation frame from the provided local and next values. @@ -24,6 +28,9 @@ pub trait StarkEvaluationFrame Self; } +/// An evaluation frame to be used when defining constraints of a STARK system, that +/// implements the [`StarkEvaluationFrame`] trait. +#[derive(Debug)] pub struct StarkFrame< T: Copy + Clone + Default, U: Copy + Clone + Default, diff --git a/starky/src/fibonacci_stark.rs b/starky/src/fibonacci_stark.rs index d34ccfd2d0..7aa40b6ed9 100644 --- a/starky/src/fibonacci_stark.rs +++ b/starky/src/fibonacci_stark.rs @@ -1,5 +1,9 @@ -use alloc::vec; -use alloc::vec::Vec; +//! An example of generating and verifying STARK proofs for the Fibonacci sequence. +//! The toy STARK system also includes two columns that are a permutation of the other, +//! to highlight the use of the permutation argument with logUp. + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::marker::PhantomData; use plonky2::field::extension::{Extendable, FieldExtension}; @@ -11,14 +15,12 @@ use plonky2::plonk::circuit_builder::CircuitBuilder; use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; use crate::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; -use crate::permutation::PermutationPair; use crate::stark::Stark; use crate::util::trace_rows_to_poly_values; /// Toy STARK system used for testing. -/// Computes a Fibonacci sequence with state `[x0, x1, i, j]` using the state transition -/// `x0' <- x1, x1' <- x0 + x1, i' <- i+1, j' <- j+1`. -/// Note: The `i, j` columns are only used to test the permutation argument. +/// Computes a Fibonacci sequence with state `[x0, x1]` using the state transition +/// `x0' <- x1, x1' <- x0 + x1. #[derive(Copy, Clone)] struct FibonacciStark, const D: usize> { num_rows: usize, @@ -41,34 +43,35 @@ impl, const D: usize> FibonacciStark { } } - /// Generate the trace using `x0, x1, 0, 1` as initial state values. + /// Generate the trace using `x0, x1` as initial state values. fn generate_trace(&self, x0: F, x1: F) -> Vec> { - let mut trace_rows = (0..self.num_rows) - .scan([x0, x1, F::ZERO, F::ONE], |acc, _| { + let trace_rows = (0..self.num_rows) + .scan([x0, x1], |acc, _| { let tmp = *acc; acc[0] = tmp[1]; acc[1] = tmp[0] + tmp[1]; - acc[2] = tmp[2] + F::ONE; - acc[3] = tmp[3] + F::ONE; Some(tmp) }) .collect::>(); - trace_rows[self.num_rows - 1][3] = F::ZERO; // So that column 2 and 3 are permutation of one another. trace_rows_to_poly_values(trace_rows) } } -const COLUMNS: usize = 4; -const PUBLIC_INPUTS: usize = 3; +const FIBONACCI_COLUMNS: usize = 2; +const FIBONACCI_PUBLIC_INPUTS: usize = 3; impl, const D: usize> Stark for FibonacciStark { - type EvaluationFrame = StarkFrame + type EvaluationFrame = StarkFrame where FE: FieldExtension, P: PackedField; - type EvaluationFrameTarget = - StarkFrame, ExtensionTarget, COLUMNS, PUBLIC_INPUTS>; + type EvaluationFrameTarget = StarkFrame< + ExtensionTarget, + ExtensionTarget, + FIBONACCI_COLUMNS, + FIBONACCI_PUBLIC_INPUTS, + >; fn eval_packed_generic( &self, @@ -126,10 +129,6 @@ impl, const D: usize> Stark for FibonacciStar fn constraint_degree(&self) -> usize { 2 } - - fn permutation_pairs(&self) -> Vec { - vec![PermutationPair::singletons(2, 3)] - } } #[cfg(test)] @@ -170,6 +169,7 @@ mod tests { let config = StarkConfig::standard_fast_config(); let num_rows = 1 << 5; let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)]; + let stark = S::new(num_rows); let trace = stark.generate_trace(public_inputs[0], public_inputs[1]); let proof = prove::( @@ -218,6 +218,8 @@ mod tests { let config = StarkConfig::standard_fast_config(); let num_rows = 1 << 5; let public_inputs = [F::ZERO, F::ONE, fibonacci(num_rows - 1, F::ZERO, F::ONE)]; + + // Test first STARK let stark = S::new(num_rows); let trace = stark.generate_trace(public_inputs[0], public_inputs[1]); let proof = prove::( @@ -251,8 +253,9 @@ mod tests { let mut builder = CircuitBuilder::::new(circuit_config); let mut pw = PartialWitness::new(); let degree_bits = inner_proof.proof.recover_degree_bits(inner_config); - let pt = add_virtual_stark_proof_with_pis(&mut builder, stark, inner_config, degree_bits); - set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof); + let pt = + add_virtual_stark_proof_with_pis(&mut builder, &stark, inner_config, degree_bits, 0, 0); + set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof, builder.zero()); verify_stark_proof_circuit::(&mut builder, stark, pt, inner_config); diff --git a/starky/src/get_challenges.rs b/starky/src/get_challenges.rs index 2f1a9064b7..0cf48cfe4e 100644 --- a/starky/src/get_challenges.rs +++ b/starky/src/get_challenges.rs @@ -1,5 +1,3 @@ -use alloc::vec::Vec; - use plonky2::field::extension::Extendable; use plonky2::field::polynomial::PolynomialCoeffs; use plonky2::fri::proof::{FriProof, FriProofTarget}; @@ -12,17 +10,25 @@ use plonky2::plonk::circuit_builder::CircuitBuilder; use plonky2::plonk::config::{AlgebraicHasher, GenericConfig}; use crate::config::StarkConfig; -use crate::permutation::{ - get_n_permutation_challenge_sets, get_n_permutation_challenge_sets_target, +use crate::lookup::{ + get_grand_product_challenge_set, get_grand_product_challenge_set_target, + GrandProductChallengeSet, }; use crate::proof::*; -use crate::stark::Stark; -fn get_challenges( - stark: &S, - trace_cap: &MerkleCap, - permutation_zs_cap: Option<&MerkleCap>, - quotient_polys_cap: &MerkleCap, +/// Generates challenges for a STARK proof from a challenger and given +/// all the arguments needed to update the challenger state. +/// +/// Note: `trace_cap` is passed as `Option` to signify whether to observe it +/// or not by the challenger. Observing it here could be redundant in a +/// multi-STARK system where trace caps would have already been observed +/// before proving individually each STARK. +fn get_challenges( + challenger: &mut Challenger, + challenges: Option<&GrandProductChallengeSet>, + trace_cap: Option<&MerkleCap>, + auxiliary_polys_cap: Option<&MerkleCap>, + quotient_polys_cap: Option<&MerkleCap>, openings: &StarkOpeningSet, commit_phase_merkle_caps: &[MerkleCap], final_poly: &PolynomialCoeffs, @@ -33,33 +39,36 @@ fn get_challenges( where F: RichField + Extendable, C: GenericConfig, - S: Stark, { let num_challenges = config.num_challenges; - let mut challenger = Challenger::::new(); + if let Some(cap) = &trace_cap { + challenger.observe_cap(cap); + } - challenger.observe_cap(trace_cap); + let lookup_challenge_set = if let Some(&challenges) = challenges.as_ref() { + Some(challenges.clone()) + } else { + auxiliary_polys_cap + .is_some() + .then(|| get_grand_product_challenge_set(challenger, num_challenges)) + }; - let permutation_challenge_sets = permutation_zs_cap.map(|permutation_zs_cap| { - let tmp = get_n_permutation_challenge_sets( - &mut challenger, - num_challenges, - stark.permutation_batch_size(), - ); - challenger.observe_cap(permutation_zs_cap); - tmp - }); + if let Some(cap) = &auxiliary_polys_cap { + challenger.observe_cap(cap); + } let stark_alphas = challenger.get_n_challenges(num_challenges); - challenger.observe_cap(quotient_polys_cap); + if let Some(quotient_polys_cap) = quotient_polys_cap { + challenger.observe_cap(quotient_polys_cap); + } let stark_zeta = challenger.get_extension_challenge::(); challenger.observe_openings(&openings.to_fri_openings()); StarkProofChallenges { - permutation_challenge_sets, + lookup_challenge_set, stark_alphas, stark_zeta, fri_challenges: challenger.fri_challenges::( @@ -72,34 +81,30 @@ where } } -impl StarkProofWithPublicInputs +impl StarkProof where F: RichField + Extendable, C: GenericConfig, { - // TODO: Should be used later in compression? - #![allow(dead_code)] - pub(crate) fn fri_query_indices>( - &self, - stark: &S, - config: &StarkConfig, - degree_bits: usize, - ) -> Vec { - self.get_challenges(stark, config, degree_bits) - .fri_challenges - .fri_query_indices - } - /// Computes all Fiat-Shamir challenges used in the STARK proof. - pub(crate) fn get_challenges>( + /// For a single STARK system, the `ignore_trace_cap` boolean should + /// always be set to `false`. + /// + /// Multi-STARK systems may already observe individual trace caps + /// ahead of proving each table, and hence may ignore observing + /// again the cap when generating individual challenges. + pub fn get_challenges( &self, - stark: &S, + challenger: &mut Challenger, + challenges: Option<&GrandProductChallengeSet>, + ignore_trace_cap: bool, config: &StarkConfig, - degree_bits: usize, ) -> StarkProofChallenges { + let degree_bits = self.recover_degree_bits(config); + let StarkProof { trace_cap, - permutation_zs_cap, + auxiliary_polys_cap, quotient_polys_cap, openings, opening_proof: @@ -109,13 +114,20 @@ where pow_witness, .. }, - } = &self.proof; + } = &self; - get_challenges::( - stark, + let trace_cap = if ignore_trace_cap { + None + } else { + Some(trace_cap) + }; + + get_challenges::( + challenger, + challenges, trace_cap, - permutation_zs_cap.as_ref(), - quotient_polys_cap, + auxiliary_polys_cap.as_ref(), + quotient_polys_cap.as_ref(), openings, commit_phase_merkle_caps, final_poly, @@ -126,18 +138,39 @@ where } } -#[allow(clippy::too_many_arguments)] -pub(crate) fn get_challenges_target< +impl StarkProofWithPublicInputs +where F: RichField + Extendable, C: GenericConfig, - S: Stark, - const D: usize, ->( +{ + /// Computes all Fiat-Shamir challenges used in the STARK proof. + /// For a single STARK system, the `ignore_trace_cap` boolean should + /// always be set to `false`. + /// + /// Multi-STARK systems may already observe individual trace caps + /// ahead of proving each table, and hence may ignore observing + /// again the cap when generating individual challenges. + pub fn get_challenges( + &self, + challenger: &mut Challenger, + challenges: Option<&GrandProductChallengeSet>, + ignore_trace_cap: bool, + config: &StarkConfig, + ) -> StarkProofChallenges { + self.proof + .get_challenges(challenger, challenges, ignore_trace_cap, config) + } +} + +/// Circuit version of `get_challenges`, with the same flexibility around +/// `trace_cap` being passed as an `Option`. +fn get_challenges_target( builder: &mut CircuitBuilder, - stark: &S, - trace_cap: &MerkleCapTarget, - permutation_zs_cap: Option<&MerkleCapTarget>, - quotient_polys_cap: &MerkleCapTarget, + challenger: &mut RecursiveChallenger, + challenges: Option<&GrandProductChallengeSet>, + trace_cap: Option<&MerkleCapTarget>, + auxiliary_polys_cap: Option<&MerkleCapTarget>, + quotient_polys_cap: Option<&MerkleCapTarget>, openings: &StarkOpeningSetTarget, commit_phase_merkle_caps: &[MerkleCapTarget], final_poly: &PolynomialCoeffsExtTarget, @@ -145,34 +178,40 @@ pub(crate) fn get_challenges_target< config: &StarkConfig, ) -> StarkProofChallengesTarget where + F: RichField + Extendable, + C: GenericConfig, C::Hasher: AlgebraicHasher, { let num_challenges = config.num_challenges; - let mut challenger = RecursiveChallenger::::new(builder); + if let Some(trace_cap) = trace_cap { + challenger.observe_cap(trace_cap); + } - challenger.observe_cap(trace_cap); + let lookup_challenge_set = if let Some(&challenges) = challenges.as_ref() { + Some(challenges.clone()) + } else { + auxiliary_polys_cap + .is_some() + .then(|| get_grand_product_challenge_set_target(builder, challenger, num_challenges)) + }; - let permutation_challenge_sets = permutation_zs_cap.map(|permutation_zs_cap| { - let tmp = get_n_permutation_challenge_sets_target( - builder, - &mut challenger, - num_challenges, - stark.permutation_batch_size(), - ); - challenger.observe_cap(permutation_zs_cap); - tmp - }); + if let Some(cap) = auxiliary_polys_cap { + challenger.observe_cap(cap); + } let stark_alphas = challenger.get_n_challenges(builder, num_challenges); - challenger.observe_cap(quotient_polys_cap); + if let Some(cap) = quotient_polys_cap { + challenger.observe_cap(cap); + } + let stark_zeta = challenger.get_extension_challenge(builder); - challenger.observe_openings(&openings.to_fri_openings()); + challenger.observe_openings(&openings.to_fri_openings(builder.zero())); StarkProofChallengesTarget { - permutation_challenge_sets, + lookup_challenge_set, stark_alphas, stark_zeta, fri_challenges: challenger.fri_challenges::( @@ -185,23 +224,30 @@ where } } -impl StarkProofWithPublicInputsTarget { - pub(crate) fn get_challenges< - F: RichField + Extendable, - C: GenericConfig, - S: Stark, - >( +impl StarkProofTarget { + /// Creates all Fiat-Shamir `Target` challenges used in the STARK proof. + /// For a single STARK system, the `ignore_trace_cap` boolean should + /// always be set to `false`. + /// + /// Multi-STARK systems may already observe individual trace caps + /// ahead of proving each table, and hence may ignore observing + /// again the cap when generating individual challenges. + pub fn get_challenges( &self, builder: &mut CircuitBuilder, - stark: &S, + challenger: &mut RecursiveChallenger, + challenges: Option<&GrandProductChallengeSet>, + ignore_trace_cap: bool, config: &StarkConfig, ) -> StarkProofChallengesTarget where + F: RichField + Extendable, + C: GenericConfig, C::Hasher: AlgebraicHasher, { let StarkProofTarget { trace_cap, - permutation_zs_cap, + auxiliary_polys_cap, quotient_polys_cap, openings, opening_proof: @@ -211,14 +257,21 @@ impl StarkProofWithPublicInputsTarget { pow_witness, .. }, - } = &self.proof; + } = self; - get_challenges_target::( + let trace_cap = if ignore_trace_cap { + None + } else { + Some(trace_cap) + }; + + get_challenges_target::( builder, - stark, + challenger, + challenges, trace_cap, - permutation_zs_cap.as_ref(), - quotient_polys_cap, + auxiliary_polys_cap.as_ref(), + quotient_polys_cap.as_ref(), openings, commit_phase_merkle_caps, final_poly, @@ -228,6 +281,32 @@ impl StarkProofWithPublicInputsTarget { } } +impl StarkProofWithPublicInputsTarget { + /// Creates all Fiat-Shamir `Target` challenges used in the STARK proof. + /// For a single STARK system, the `ignore_trace_cap` boolean should + /// always be set to `false`. + /// + /// Multi-STARK systems may already observe individual trace caps + /// ahead of proving each table, and hence may ignore observing + /// again the cap when generating individual challenges. + pub fn get_challenges( + &self, + builder: &mut CircuitBuilder, + challenger: &mut RecursiveChallenger, + challenges: Option<&GrandProductChallengeSet>, + ignore_trace_cap: bool, + config: &StarkConfig, + ) -> StarkProofChallengesTarget + where + F: RichField + Extendable, + C: GenericConfig, + C::Hasher: AlgebraicHasher, + { + self.proof + .get_challenges::(builder, challenger, challenges, ignore_trace_cap, config) + } +} + // TODO: Deal with the compressed stuff. // impl, C: GenericConfig, const D: usize> // CompressedProofWithPublicInputs diff --git a/starky/src/lib.rs b/starky/src/lib.rs index 635e57bd0b..24bea760f1 100644 --- a/starky/src/lib.rs +++ b/starky/src/lib.rs @@ -1,23 +1,346 @@ +//! A FRI-based STARK implementation over the Goldilocks field, with support +//! for recursive proof verification through the plonky2 SNARK backend. +//! +//! This library is intended to provide all the necessary tools to prove, +//! verify, and recursively verify STARK statements. While the library +//! is tailored for a system with a single STARK, it also is flexible +//! enough to support a multi-STARK system, i.e. a system of independent +//! STARK statements possibly sharing common values. See section below for +//! more information on how to define such a system. +//! +//! +//! # Defining a STARK statement +//! +//! A STARK system is configured by a [`StarkConfig`][crate::config::StarkConfig] +//! defining all the parameters to be used when generating proofs associated +//! to the statement. How constraints should be defined over the STARK trace is +//! defined through the [`Stark`][crate::stark::Stark] trait, that takes a +//! [`StarkEvaluationFrame`][crate::evaluation_frame::StarkEvaluationFrame] of +//! two consecutive rows and a list of public inputs. +//! +//! ### Example: Fibonacci sequence +//! +//! To build a STARK for the modified Fibonacci sequence starting with two +//! user-provided values `x0` and `x1`, one can do the following: +//! +//! ```rust +//! # use core::marker::PhantomData; +//! // Imports all basic types. +//! use plonky2::field::extension::{Extendable, FieldExtension}; +//! use plonky2::field::packed::PackedField; +//! use plonky2::field::polynomial::PolynomialValues; +//! use plonky2::hash::hash_types::RichField; +//! # use starky::util::trace_rows_to_poly_values; +//! +//! // Imports to define the constraints of our STARK. +//! use starky::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; +//! use starky::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; +//! use starky::stark::Stark; +//! +//! // Imports to define the recursive constraints of our STARK. +//! use plonky2::iop::ext_target::ExtensionTarget; +//! use plonky2::plonk::circuit_builder::CircuitBuilder; +//! +//! pub struct FibonacciStark, const D: usize> { +//! num_rows: usize, +//! _phantom: PhantomData, +//! } +//! +//! // Define witness generation. +//! impl, const D: usize> FibonacciStark { +//! // The first public input is `x0`. +//! const PI_INDEX_X0: usize = 0; +//! // The second public input is `x1`. +//! const PI_INDEX_X1: usize = 1; +//! // The third public input is the second element of the last row, +//! // which should be equal to the `num_rows`-th Fibonacci number. +//! const PI_INDEX_RES: usize = 2; +//! +//! /// Generate the trace using `x0, x1, 0` as initial state values. +//! fn generate_trace(&self, x0: F, x1: F) -> Vec> { +//! let mut trace_rows = (0..self.num_rows) +//! .scan([x0, x1, F::ZERO], |acc, _| { +//! let tmp = *acc; +//! acc[0] = tmp[1]; +//! acc[1] = tmp[0] + tmp[1]; +//! acc[2] = tmp[2] + F::ONE; +//! Some(tmp) +//! }) +//! .collect::>(); +//! +//! // Transpose the row-wise trace for the prover. +//! trace_rows_to_poly_values(trace_rows) +//! } +//! } +//! +//! // Define constraints. +//! const COLUMNS: usize = 3; +//! const PUBLIC_INPUTS: usize = 3; +//! +//! impl, const D: usize> Stark for FibonacciStark { +//! type EvaluationFrame = StarkFrame +//! where +//! FE: FieldExtension, +//! P: PackedField; +//! +//! type EvaluationFrameTarget = +//! StarkFrame, ExtensionTarget, COLUMNS, PUBLIC_INPUTS>; +//! +//! // Define this STARK's constraints. +//! fn eval_packed_generic( +//! &self, +//! vars: &Self::EvaluationFrame, +//! yield_constr: &mut ConstraintConsumer

, +//! ) where +//! FE: FieldExtension, +//! P: PackedField, +//! { +//! let local_values = vars.get_local_values(); +//! let next_values = vars.get_next_values(); +//! let public_inputs = vars.get_public_inputs(); +//! +//! // Check public inputs. +//! yield_constr.constraint_first_row(local_values[0] - public_inputs[Self::PI_INDEX_X0]); +//! yield_constr.constraint_first_row(local_values[1] - public_inputs[Self::PI_INDEX_X1]); +//! yield_constr.constraint_last_row(local_values[1] - public_inputs[Self::PI_INDEX_RES]); +//! +//! // Enforce the Fibonacci transition constraints. +//! // x0' <- x1 +//! yield_constr.constraint_transition(next_values[0] - local_values[1]); +//! // x1' <- x0 + x1 +//! yield_constr.constraint_transition(next_values[1] - local_values[0] - local_values[1]); +//! } +//! +//! // Define the constraints to recursively verify this STARK. +//! fn eval_ext_circuit( +//! &self, +//! builder: &mut CircuitBuilder, +//! vars: &Self::EvaluationFrameTarget, +//! yield_constr: &mut RecursiveConstraintConsumer, +//! ) { +//! let local_values = vars.get_local_values(); +//! let next_values = vars.get_next_values(); +//! let public_inputs = vars.get_public_inputs(); +//! +//! // Check public inputs. +//! let pis_constraints = [ +//! builder.sub_extension(local_values[0], public_inputs[Self::PI_INDEX_X0]), +//! builder.sub_extension(local_values[1], public_inputs[Self::PI_INDEX_X1]), +//! builder.sub_extension(local_values[1], public_inputs[Self::PI_INDEX_RES]), +//! ]; +//! +//! yield_constr.constraint_first_row(builder, pis_constraints[0]); +//! yield_constr.constraint_first_row(builder, pis_constraints[1]); +//! yield_constr.constraint_last_row(builder, pis_constraints[2]); +//! +//! // Enforce the Fibonacci transition constraints. +//! // x0' <- x1 +//! let first_col_constraint = builder.sub_extension(next_values[0], local_values[1]); +//! yield_constr.constraint_transition(builder, first_col_constraint); +//! // x1' <- x0 + x1 +//! let second_col_constraint = { +//! let tmp = builder.sub_extension(next_values[1], local_values[0]); +//! builder.sub_extension(tmp, local_values[1]) +//! }; +//! yield_constr.constraint_transition(builder, second_col_constraint); +//! } +//! +//! fn constraint_degree(&self) -> usize { +//! 2 +//! } +//! } +//! ``` +//! +//! One can then instantiate a new `FibonacciStark` instance, generate an associated +//! STARK trace, and generate a proof for it. +//! +//! ```rust +//! # use anyhow::Result; +//! # use core::marker::PhantomData; +//! # // Imports all basic types. +//! # use plonky2::field::extension::{Extendable, FieldExtension}; +//! # use plonky2::field::types::Field; +//! # use plonky2::field::packed::PackedField; +//! # use plonky2::field::polynomial::PolynomialValues; +//! # use plonky2::hash::hash_types::RichField; +//! # use starky::util::trace_rows_to_poly_values; +//! # // Imports to define the constraints of our STARK. +//! # use starky::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; +//! # use starky::evaluation_frame::{StarkEvaluationFrame, StarkFrame}; +//! # use starky::stark::Stark; +//! # // Imports to define the recursive constraints of our STARK. +//! # use plonky2::iop::ext_target::ExtensionTarget; +//! # use plonky2::plonk::circuit_builder::CircuitBuilder; +//! # use plonky2::util::timing::TimingTree; +//! # use plonky2::plonk::config::{GenericConfig, PoseidonGoldilocksConfig}; +//! # use starky::prover::prove; +//! # use starky::verifier::verify_stark_proof; +//! # use starky::config::StarkConfig; +//! # +//! # #[derive(Copy, Clone)] +//! # pub struct FibonacciStark, const D: usize> { +//! # num_rows: usize, +//! # _phantom: PhantomData, +//! # } +//! # // Define witness generation. +//! # impl, const D: usize> FibonacciStark { +//! # // The first public input is `x0`. +//! # const PI_INDEX_X0: usize = 0; +//! # // The second public input is `x1`. +//! # const PI_INDEX_X1: usize = 1; +//! # // The third public input is the second element of the last row, +//! # // which should be equal to the `num_rows`-th Fibonacci number. +//! # const PI_INDEX_RES: usize = 2; +//! # /// Generate the trace using `x0, x1, 0` as initial state values. +//! # fn generate_trace(&self, x0: F, x1: F) -> Vec> { +//! # let mut trace_rows = (0..self.num_rows) +//! # .scan([x0, x1, F::ZERO], |acc, _| { +//! # let tmp = *acc; +//! # acc[0] = tmp[1]; +//! # acc[1] = tmp[0] + tmp[1]; +//! # acc[2] = tmp[2] + F::ONE; +//! # Some(tmp) +//! # }) +//! # .collect::>(); +//! # // Transpose the row-wise trace for the prover. +//! # trace_rows_to_poly_values(trace_rows) +//! # } +//! # const fn new(num_rows: usize) -> Self { +//! # Self { +//! # num_rows, +//! # _phantom: PhantomData, +//! # } +//! # } +//! # } +//! # // Define constraints. +//! # const COLUMNS: usize = 3; +//! # const PUBLIC_INPUTS: usize = 3; +//! # impl, const D: usize> Stark for FibonacciStark { +//! # type EvaluationFrame = StarkFrame +//! # where +//! # FE: FieldExtension, +//! # P: PackedField; +//! # type EvaluationFrameTarget = +//! # StarkFrame, ExtensionTarget, COLUMNS, PUBLIC_INPUTS>; +//! # // Define this STARK's constraints. +//! # fn eval_packed_generic( +//! # &self, +//! # vars: &Self::EvaluationFrame, +//! # yield_constr: &mut ConstraintConsumer

, +//! # ) where +//! # FE: FieldExtension, +//! # P: PackedField, +//! # { +//! # let local_values = vars.get_local_values(); +//! # let next_values = vars.get_next_values(); +//! # let public_inputs = vars.get_public_inputs(); +//! # // Check public inputs. +//! # yield_constr.constraint_first_row(local_values[0] - public_inputs[Self::PI_INDEX_X0]); +//! # yield_constr.constraint_first_row(local_values[1] - public_inputs[Self::PI_INDEX_X1]); +//! # yield_constr.constraint_last_row(local_values[1] - public_inputs[Self::PI_INDEX_RES]); +//! # // Enforce the Fibonacci transition constraints. +//! # // x0' <- x1 +//! # yield_constr.constraint_transition(next_values[0] - local_values[1]); +//! # // x1' <- x0 + x1 +//! # yield_constr.constraint_transition(next_values[1] - local_values[0] - local_values[1]); +//! # } +//! # // Define the constraints to recursively verify this STARK. +//! # fn eval_ext_circuit( +//! # &self, +//! # builder: &mut CircuitBuilder, +//! # vars: &Self::EvaluationFrameTarget, +//! # yield_constr: &mut RecursiveConstraintConsumer, +//! # ) { +//! # let local_values = vars.get_local_values(); +//! # let next_values = vars.get_next_values(); +//! # let public_inputs = vars.get_public_inputs(); +//! # // Check public inputs. +//! # let pis_constraints = [ +//! # builder.sub_extension(local_values[0], public_inputs[Self::PI_INDEX_X0]), +//! # builder.sub_extension(local_values[1], public_inputs[Self::PI_INDEX_X1]), +//! # builder.sub_extension(local_values[1], public_inputs[Self::PI_INDEX_RES]), +//! # ]; +//! # yield_constr.constraint_first_row(builder, pis_constraints[0]); +//! # yield_constr.constraint_first_row(builder, pis_constraints[1]); +//! # yield_constr.constraint_last_row(builder, pis_constraints[2]); +//! # // Enforce the Fibonacci transition constraints. +//! # // x0' <- x1 +//! # let first_col_constraint = builder.sub_extension(next_values[0], local_values[1]); +//! # yield_constr.constraint_transition(builder, first_col_constraint); +//! # // x1' <- x0 + x1 +//! # let second_col_constraint = { +//! # let tmp = builder.sub_extension(next_values[1], local_values[0]); +//! # builder.sub_extension(tmp, local_values[1]) +//! # }; +//! # yield_constr.constraint_transition(builder, second_col_constraint); +//! # } +//! # fn constraint_degree(&self) -> usize { +//! # 2 +//! # } +//! # } +//! # fn fibonacci(n: usize, x0: F, x1: F) -> F { +//! # (0..n).fold((x0, x1), |x, _| (x.1, x.0 + x.1)).1 +//! # } +//! # +//! const D: usize = 2; +//! const CONFIG: StarkConfig = StarkConfig::standard_fast_config(); +//! type C = PoseidonGoldilocksConfig; +//! type F = >::F; +//! type S = FibonacciStark; +//! +//! fn main() { +//! let num_rows = 1 << 10; +//! let x0 = F::from_canonical_u32(2); +//! let x1 = F::from_canonical_u32(7); +//! +//! let public_inputs = [x0, x1, fibonacci(num_rows - 1, x0, x1)]; +//! let stark = FibonacciStark::::new(num_rows); +//! let trace = stark.generate_trace(public_inputs[0], public_inputs[1]); +//! +//! let proof = prove::( +//! stark, +//! &CONFIG, +//! trace, +//! &public_inputs, +//! &mut TimingTree::default(), +//! ).expect("We should have a valid proof!"); +//! +//! verify_stark_proof(stark, proof, &CONFIG) +//! .expect("We should be able to verify this proof!") +//! } +//! ``` +//! + #![allow(clippy::too_many_arguments)] +#![allow(clippy::needless_range_loop)] #![allow(clippy::type_complexity)] +#![deny(rustdoc::broken_intra_doc_links)] +#![deny(missing_debug_implementations)] +#![deny(missing_docs)] #![cfg_attr(not(feature = "std"), no_std)] +#[cfg(not(feature = "std"))] extern crate alloc; mod get_challenges; pub mod config; pub mod constraint_consumer; +pub mod cross_table_lookup; pub mod evaluation_frame; -pub mod permutation; +pub mod lookup; pub mod proof; pub mod prover; pub mod recursive_verifier; pub mod stark; pub mod stark_testing; pub mod util; -pub mod vanishing_poly; +mod vanishing_poly; pub mod verifier; #[cfg(test)] pub mod fibonacci_stark; +#[cfg(test)] +pub mod permutation_stark; +#[cfg(test)] +pub mod unconstrained_stark; diff --git a/evm/src/lookup.rs b/starky/src/lookup.rs similarity index 79% rename from evm/src/lookup.rs rename to starky/src/lookup.rs index f98814f9a1..16383cd690 100644 --- a/evm/src/lookup.rs +++ b/starky/src/lookup.rs @@ -1,3 +1,8 @@ +//! A Lookup protocol leveraging logarithmic derivatives, +//! introduced in . + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use core::borrow::Borrow; use core::fmt::Debug; use core::iter::repeat; @@ -10,12 +15,15 @@ use plonky2::field::packed::PackedField; use plonky2::field::polynomial::PolynomialValues; use plonky2::field::types::Field; use plonky2::hash::hash_types::RichField; +use plonky2::iop::challenger::{Challenger, RecursiveChallenger}; use plonky2::iop::ext_target::ExtensionTarget; use plonky2::iop::target::Target; use plonky2::plonk::circuit_builder::CircuitBuilder; +use plonky2::plonk::config::{AlgebraicHasher, Hasher}; use plonky2::plonk::plonk_common::{ reduce_with_powers, reduce_with_powers_circuit, reduce_with_powers_ext_circuit, }; +use plonky2::util::serialization::{Buffer, IoResult, Read, Write}; use plonky2_util::ceil_div_usize; use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; @@ -26,13 +34,14 @@ use crate::stark::Stark; /// It's an arbitrary degree 2 combination of columns: `products` are the degree 2 terms, and `constants` are /// the degree 1 terms. #[derive(Clone, Debug)] -pub(crate) struct Filter { +pub struct Filter { products: Vec<(Column, Column)>, constants: Vec>, } impl Filter { - pub(crate) fn new(products: Vec<(Column, Column)>, constants: Vec>) -> Self { + /// Returns a filter from the provided `products` and `constants` vectors. + pub fn new(products: Vec<(Column, Column)>, constants: Vec>) -> Self { Self { products, constants, @@ -40,7 +49,7 @@ impl Filter { } /// Returns a filter made of a single column. - pub(crate) fn new_simple(col: Column) -> Self { + pub fn new_simple(col: Column) -> Self { Self { products: vec![], constants: vec![col], @@ -115,7 +124,7 @@ impl Filter { /// - a vector of `(usize, F)` corresponding to the column number and the associated multiplicand /// - the constant of the linear combination. #[derive(Clone, Debug)] -pub(crate) struct Column { +pub struct Column { linear_combination: Vec<(usize, F)>, next_row_linear_combination: Vec<(usize, F)>, constant: F, @@ -123,7 +132,7 @@ pub(crate) struct Column { impl Column { /// Returns the representation of a single column in the current row. - pub(crate) fn single(c: usize) -> Self { + pub fn single(c: usize) -> Self { Self { linear_combination: vec![(c, F::ONE)], next_row_linear_combination: vec![], @@ -132,14 +141,14 @@ impl Column { } /// Returns multiple single columns in the current row. - pub(crate) fn singles>>( + pub fn singles>>( cs: I, ) -> impl Iterator { cs.into_iter().map(|c| Self::single(*c.borrow())) } /// Returns the representation of a single column in the next row. - pub(crate) fn single_next_row(c: usize) -> Self { + pub fn single_next_row(c: usize) -> Self { Self { linear_combination: vec![], next_row_linear_combination: vec![(c, F::ONE)], @@ -148,14 +157,14 @@ impl Column { } /// Returns multiple single columns for the next row. - pub(crate) fn singles_next_row>>( + pub fn singles_next_row>>( cs: I, ) -> impl Iterator { cs.into_iter().map(|c| Self::single_next_row(*c.borrow())) } /// Returns a linear combination corresponding to a constant. - pub(crate) fn constant(constant: F) -> Self { + pub fn constant(constant: F) -> Self { Self { linear_combination: vec![], next_row_linear_combination: vec![], @@ -164,27 +173,32 @@ impl Column { } /// Returns a linear combination corresponding to 0. - pub(crate) fn zero() -> Self { + pub fn zero() -> Self { Self::constant(F::ZERO) } /// Returns a linear combination corresponding to 1. - pub(crate) fn one() -> Self { + pub fn one() -> Self { Self::constant(F::ONE) } /// Given an iterator of `(usize, F)` and a constant, returns the association linear combination of columns for the current row. - pub(crate) fn linear_combination_with_constant>( + pub fn linear_combination_with_constant>( iter: I, constant: F, ) -> Self { let v = iter.into_iter().collect::>(); assert!(!v.is_empty()); + + // Because this is a debug assertion, we only check it when the `std` + // feature is activated, as `Itertools::unique` relies on collections. + #[cfg(feature = "std")] debug_assert_eq!( v.iter().map(|(c, _)| c).unique().count(), v.len(), "Duplicate columns." ); + Self { linear_combination: v, next_row_linear_combination: vec![], @@ -193,9 +207,7 @@ impl Column { } /// Given an iterator of `(usize, F)` and a constant, returns the associated linear combination of columns for the current and the next rows. - pub(crate) fn linear_combination_and_next_row_with_constant< - I: IntoIterator, - >( + pub fn linear_combination_and_next_row_with_constant>( iter: I, next_row_iter: I, constant: F, @@ -204,16 +216,22 @@ impl Column { let next_row_v = next_row_iter.into_iter().collect::>(); assert!(!v.is_empty() || !next_row_v.is_empty()); - debug_assert_eq!( - v.iter().map(|(c, _)| c).unique().count(), - v.len(), - "Duplicate columns." - ); - debug_assert_eq!( - next_row_v.iter().map(|(c, _)| c).unique().count(), - next_row_v.len(), - "Duplicate columns." - ); + + // Because these are debug assertions, we only check them when the `std` + // feature is activated, as `Itertools::unique` relies on collections. + #[cfg(feature = "std")] + { + debug_assert_eq!( + v.iter().map(|(c, _)| c).unique().count(), + v.len(), + "Duplicate columns." + ); + debug_assert_eq!( + next_row_v.iter().map(|(c, _)| c).unique().count(), + next_row_v.len(), + "Duplicate columns." + ); + } Self { linear_combination: v, @@ -223,20 +241,20 @@ impl Column { } /// Returns a linear combination of columns, with no additional constant. - pub(crate) fn linear_combination>(iter: I) -> Self { + pub fn linear_combination>(iter: I) -> Self { Self::linear_combination_with_constant(iter, F::ZERO) } /// Given an iterator of columns (c_0, ..., c_n) containing bits in little endian order: /// returns the representation of c_0 + 2 * c_1 + ... + 2^n * c_n. - pub(crate) fn le_bits>>(cs: I) -> Self { + pub fn le_bits>>(cs: I) -> Self { Self::linear_combination(cs.into_iter().map(|c| *c.borrow()).zip(F::TWO.powers())) } /// Given an iterator of columns (c_0, ..., c_n) containing bits in little endian order: /// returns the representation of c_0 + 2 * c_1 + ... + 2^n * c_n + k where `k` is an /// additional constant. - pub(crate) fn le_bits_with_constant>>( + pub fn le_bits_with_constant>>( cs: I, constant: F, ) -> Self { @@ -248,7 +266,7 @@ impl Column { /// Given an iterator of columns (c_0, ..., c_n) containing bytes in little endian order: /// returns the representation of c_0 + 256 * c_1 + ... + 256^n * c_n. - pub(crate) fn le_bytes>>(cs: I) -> Self { + pub fn le_bytes>>(cs: I) -> Self { Self::linear_combination( cs.into_iter() .map(|c| *c.borrow()) @@ -257,7 +275,7 @@ impl Column { } /// Given an iterator of columns, returns the representation of their sum. - pub(crate) fn sum>>(cs: I) -> Self { + pub fn sum>>(cs: I) -> Self { Self::linear_combination(cs.into_iter().map(|c| *c.borrow()).zip(repeat(F::ONE))) } @@ -380,44 +398,60 @@ impl Column { pub(crate) type ColumnFilter<'a, F> = (&'a [Column], &'a Option>); +/// A [`Lookup`] defines a set of `columns`` whose values should appear in a +/// `table_column` (i.e. the lookup table associated to these looking columns), +/// along with a `frequencies_column` indicating the frequency of each looking +/// column in the looked table. +/// +/// It also features a `filter_columns` vector, optionally adding at most one +/// filter per looking column. +/// +/// The lookup argumented implemented here is based on logarithmic derivatives, +/// a technique described with the whole lookup protocol in +/// . +#[derive(Debug)] pub struct Lookup { /// Columns whose values should be contained in the lookup table. /// These are the f_i(x) polynomials in the logUp paper. - pub(crate) columns: Vec>, + pub columns: Vec>, /// Column containing the lookup table. - /// This is the t(x) polynomial in the paper. - pub(crate) table_column: Column, + /// This is the t(x) polynomial in the logUp paper. + pub table_column: Column, /// Column containing the frequencies of `columns` in `table_column`. /// This is the m(x) polynomial in the paper. - pub(crate) frequencies_column: Column, + pub frequencies_column: Column, /// Columns to filter some elements. There is at most one filter - /// column per column to range-check. - pub(crate) filter_columns: Vec>>, + /// column per column to lookup. + pub filter_columns: Vec>>, } impl Lookup { - pub(crate) fn num_helper_columns(&self, constraint_degree: usize) -> usize { + /// Outputs the number of helper columns needed by this [`Lookup`]. + pub fn num_helper_columns(&self, constraint_degree: usize) -> usize { // One helper column for each column batch of size `constraint_degree-1`, // then one column for the inverse of `table + challenge` and one for the `Z` polynomial. - ceil_div_usize(self.columns.len(), constraint_degree - 1) + 1 + ceil_div_usize( + self.columns.len(), + constraint_degree.checked_sub(1).unwrap_or(1), + ) + 1 } } /// Randomness for a single instance of a permutation check protocol. #[derive(Copy, Clone, Eq, PartialEq, Debug)] -pub(crate) struct GrandProductChallenge { +pub struct GrandProductChallenge { /// Randomness used to combine multiple columns into one. - pub(crate) beta: T, + pub beta: T, /// Random offset that's added to the beta-reduced column values. - pub(crate) gamma: T, + pub gamma: T, } impl GrandProductChallenge { - pub(crate) fn combine<'a, FE, P, T: IntoIterator, const D2: usize>( - &self, - terms: T, - ) -> P + /// Combines a series of values `t_i` with these challenge random values. + /// In particular, given `beta` and `gamma` challenges, this will compute + /// `(Σ t_i * beta^i) + gamma`. + pub fn combine<'a, FE, P, T: IntoIterator, const D2: usize>(&self, terms: T) -> P where FE: FieldExtension, P: PackedField, @@ -440,7 +474,8 @@ impl GrandProductChallenge { } impl GrandProductChallenge { - pub(crate) fn combine_base_circuit, const D: usize>( + /// Circuit version of `combine`. + pub fn combine_base_circuit, const D: usize>( &self, builder: &mut CircuitBuilder, terms: &[Target], @@ -450,6 +485,89 @@ impl GrandProductChallenge { } } +/// Like `GrandProductChallenge`, but with `num_challenges` copies to boost soundness. +#[derive(Clone, Eq, PartialEq, Debug)] +pub struct GrandProductChallengeSet { + /// A sequence of `num_challenges` challenge pairs, where `num_challenges` + /// is defined in [`StarkConfig`][crate::config::StarkConfig]. + pub challenges: Vec>, +} + +impl GrandProductChallengeSet { + /// Serializes this `GrandProductChallengeSet` of `Target`s. + pub fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { + buffer.write_usize(self.challenges.len())?; + for challenge in &self.challenges { + buffer.write_target(challenge.beta)?; + buffer.write_target(challenge.gamma)?; + } + Ok(()) + } + + /// Serializes a `GrandProductChallengeSet` of `Target`s from the provided buffer. + pub fn from_buffer(buffer: &mut Buffer) -> IoResult { + let length = buffer.read_usize()?; + let mut challenges = Vec::with_capacity(length); + for _ in 0..length { + challenges.push(GrandProductChallenge { + beta: buffer.read_target()?, + gamma: buffer.read_target()?, + }); + } + + Ok(GrandProductChallengeSet { challenges }) + } +} + +fn get_grand_product_challenge>( + challenger: &mut Challenger, +) -> GrandProductChallenge { + let beta = challenger.get_challenge(); + let gamma = challenger.get_challenge(); + GrandProductChallenge { beta, gamma } +} + +/// Generates a new `GrandProductChallengeSet` containing `num_challenges` +/// pairs of challenges from the current `challenger` state. +pub fn get_grand_product_challenge_set>( + challenger: &mut Challenger, + num_challenges: usize, +) -> GrandProductChallengeSet { + let challenges = (0..num_challenges) + .map(|_| get_grand_product_challenge(challenger)) + .collect(); + GrandProductChallengeSet { challenges } +} + +fn get_grand_product_challenge_target< + F: RichField + Extendable, + H: AlgebraicHasher, + const D: usize, +>( + builder: &mut CircuitBuilder, + challenger: &mut RecursiveChallenger, +) -> GrandProductChallenge { + let beta = challenger.get_challenge(builder); + let gamma = challenger.get_challenge(builder); + GrandProductChallenge { beta, gamma } +} + +/// Circuit version of `get_grand_product_challenge_set`. +pub fn get_grand_product_challenge_set_target< + F: RichField + Extendable, + H: AlgebraicHasher, + const D: usize, +>( + builder: &mut CircuitBuilder, + challenger: &mut RecursiveChallenger, + num_challenges: usize, +) -> GrandProductChallengeSet { + let challenges = (0..num_challenges) + .map(|_| get_grand_product_challenge_target(builder, challenger)) + .collect(); + GrandProductChallengeSet { challenges } +} + /// logUp protocol from /// Compute the helper columns for the lookup argument. /// Given columns `f0,...,fk` and a column `t`, such that `∪fi ⊆ t`, and challenges `x`, @@ -461,11 +579,6 @@ pub(crate) fn lookup_helper_columns( challenge: F, constraint_degree: usize, ) -> Vec> { - assert_eq!( - constraint_degree, 3, - "TODO: Allow other constraint degrees." - ); - assert_eq!(lookup.columns.len(), lookup.filter_columns.len()); let num_total_logup_entries = trace_poly_values[0].values.len() * lookup.columns.len(); @@ -551,11 +664,11 @@ pub(crate) fn eval_helper_columns( P: PackedField, { if !helper_columns.is_empty() { - for (j, chunk) in columns.chunks(constraint_degree - 1).enumerate() { - let fs = - &filter[(constraint_degree - 1) * j..(constraint_degree - 1) * j + chunk.len()]; - let h = helper_columns[j]; - + let chunk_size = constraint_degree.checked_sub(1).unwrap_or(1); + for (chunk, (fs, &h)) in columns + .chunks(chunk_size) + .zip(filter.chunks(chunk_size).zip(helper_columns)) + { match chunk.len() { 2 => { let combin0 = challenges.combine(&chunk[0]); @@ -604,11 +717,11 @@ pub(crate) fn eval_helper_columns_circuit, const D: consumer: &mut RecursiveConstraintConsumer, ) { if !helper_columns.is_empty() { - for (j, chunk) in columns.chunks(constraint_degree - 1).enumerate() { - let fs = - &filter[(constraint_degree - 1) * j..(constraint_degree - 1) * j + chunk.len()]; - let h = helper_columns[j]; - + let chunk_size = constraint_degree.checked_sub(1).unwrap_or(1); + for (chunk, (fs, &h)) in columns + .chunks(chunk_size) + .zip(filter.chunks(chunk_size).zip(helper_columns)) + { let one = builder.one_extension(); match chunk.len() { 2 => { @@ -659,11 +772,17 @@ pub(crate) fn get_helper_cols( challenge: GrandProductChallenge, constraint_degree: usize, ) -> Vec> { - let num_helper_columns = ceil_div_usize(columns_filters.len(), constraint_degree - 1); + let num_helper_columns = ceil_div_usize( + columns_filters.len(), + constraint_degree.checked_sub(1).unwrap_or(1), + ); let mut helper_columns = Vec::with_capacity(num_helper_columns); - for mut cols_filts in &columns_filters.iter().chunks(constraint_degree - 1) { + for mut cols_filts in &columns_filters + .iter() + .chunks(constraint_degree.checked_sub(1).unwrap_or(1)) + { let (first_col, first_filter) = cols_filts.next().unwrap(); let mut filter_col = Vec::with_capacity(degree); @@ -742,6 +861,7 @@ pub(crate) fn get_helper_cols( helper_columns } +#[derive(Debug)] pub(crate) struct LookupCheckVars where F: Field, @@ -769,7 +889,6 @@ pub(crate) fn eval_packed_lookups_generic>>(); - // For each chunk, check that `h_i (x+f_2i) (x+f_{2i+1}) = (x+f_2i) * filter_{2i+1} + (x+f_{2i+1}) * filter_2i` if the chunk has length 2 - // or if it has length 1, check that `h_i * (x+f_2i) = filter_2i`, where x is the challenge + // For each chunk, check that `h_i (x+f_2i) (x+f_{2i+1}) = (x+f_2i) * filter_{2i+1} + (x+f_{2i+1}) * filter_2i` + // if the chunk has length 2 or if it has length 1, check that `h_i * (x+f_2i) = filter_2i`, where x is the challenge eval_helper_columns( &lookup.filter_columns, &lookup_columns, @@ -816,6 +935,7 @@ pub(crate) fn eval_packed_lookups_generic { pub(crate) local_values: Vec>, pub(crate) next_values: Vec>, @@ -838,7 +958,6 @@ pub(crate) fn eval_ext_lookups_circuit< let local_values = vars.get_local_values(); let next_values = vars.get_next_values(); - assert_eq!(degree, 3, "TODO: Allow other constraint degrees."); let mut start = 0; for lookup in lookups { let num_helper_columns = lookup.num_helper_columns(degree); diff --git a/starky/src/permutation.rs b/starky/src/permutation.rs deleted file mode 100644 index 1059a79b7f..0000000000 --- a/starky/src/permutation.rs +++ /dev/null @@ -1,398 +0,0 @@ -//! Permutation arguments. - -use alloc::vec; -use alloc::vec::Vec; - -use itertools::Itertools; -use plonky2::field::batch_util::batch_multiply_inplace; -use plonky2::field::extension::{Extendable, FieldExtension}; -use plonky2::field::packed::PackedField; -use plonky2::field::polynomial::PolynomialValues; -use plonky2::field::types::Field; -use plonky2::hash::hash_types::RichField; -use plonky2::iop::challenger::{Challenger, RecursiveChallenger}; -use plonky2::iop::ext_target::ExtensionTarget; -use plonky2::iop::target::Target; -use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::plonk::config::{AlgebraicHasher, Hasher}; -use plonky2::util::reducing::{ReducingFactor, ReducingFactorTarget}; -use plonky2_maybe_rayon::*; - -use crate::config::StarkConfig; -use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::evaluation_frame::StarkEvaluationFrame; -use crate::stark::Stark; - -/// A pair of lists of columns, `lhs` and `rhs`, that should be permutations of one another. -/// In particular, there should exist some permutation `pi` such that for any `i`, -/// `trace[lhs[i]] = pi(trace[rhs[i]])`. Here `trace` denotes the trace in column-major form, so -/// `trace[col]` is a column vector. -pub struct PermutationPair { - /// Each entry contains two column indices, representing two columns which should be - /// permutations of one another. - pub column_pairs: Vec<(usize, usize)>, -} - -impl PermutationPair { - pub fn singletons(lhs: usize, rhs: usize) -> Self { - Self { - column_pairs: vec![(lhs, rhs)], - } - } -} - -/// A single instance of a permutation check protocol. -pub(crate) struct PermutationInstance<'a, T: Copy> { - pub(crate) pair: &'a PermutationPair, - pub(crate) challenge: PermutationChallenge, -} - -/// Randomness for a single instance of a permutation check protocol. -#[derive(Copy, Clone)] -pub(crate) struct PermutationChallenge { - /// Randomness used to combine multiple columns into one. - pub(crate) beta: T, - /// Random offset that's added to the beta-reduced column values. - pub(crate) gamma: T, -} - -/// Like `PermutationChallenge`, but with `num_challenges` copies to boost soundness. -#[derive(Clone)] -pub(crate) struct PermutationChallengeSet { - pub(crate) challenges: Vec>, -} - -/// Compute all Z polynomials (for permutation arguments). -pub(crate) fn compute_permutation_z_polys( - stark: &S, - config: &StarkConfig, - trace_poly_values: &[PolynomialValues], - permutation_challenge_sets: &[PermutationChallengeSet], -) -> Vec> -where - F: RichField + Extendable, - S: Stark, -{ - let permutation_pairs = stark.permutation_pairs(); - let permutation_batches = get_permutation_batches( - &permutation_pairs, - permutation_challenge_sets, - config.num_challenges, - stark.permutation_batch_size(), - ); - - permutation_batches - .into_par_iter() - .map(|instances| compute_permutation_z_poly(&instances, trace_poly_values)) - .collect() -} - -/// Compute a single Z polynomial. -fn compute_permutation_z_poly( - instances: &[PermutationInstance], - trace_poly_values: &[PolynomialValues], -) -> PolynomialValues { - let degree = trace_poly_values[0].len(); - let (reduced_lhs_polys, reduced_rhs_polys): (Vec<_>, Vec<_>) = instances - .iter() - .map(|instance| permutation_reduced_polys(instance, trace_poly_values, degree)) - .unzip(); - - let numerator = poly_product_elementwise(reduced_lhs_polys.into_iter()); - let denominator = poly_product_elementwise(reduced_rhs_polys.into_iter()); - - // Compute the quotients. - let denominator_inverses = F::batch_multiplicative_inverse(&denominator.values); - let mut quotients = numerator.values; - batch_multiply_inplace(&mut quotients, &denominator_inverses); - - // Compute Z, which contains partial products of the quotients. - let mut partial_products = Vec::with_capacity(degree); - let mut acc = F::ONE; - for q in quotients { - partial_products.push(acc); - acc *= q; - } - PolynomialValues::new(partial_products) -} - -/// Computes the reduced polynomial, `\sum beta^i f_i(x) + gamma`, for both the "left" and "right" -/// sides of a given `PermutationPair`. -fn permutation_reduced_polys( - instance: &PermutationInstance, - trace_poly_values: &[PolynomialValues], - degree: usize, -) -> (PolynomialValues, PolynomialValues) { - let PermutationInstance { - pair: PermutationPair { column_pairs }, - challenge: PermutationChallenge { beta, gamma }, - } = instance; - - let mut reduced_lhs = PolynomialValues::constant(*gamma, degree); - let mut reduced_rhs = PolynomialValues::constant(*gamma, degree); - for ((lhs, rhs), weight) in column_pairs.iter().zip(beta.powers()) { - reduced_lhs.add_assign_scaled(&trace_poly_values[*lhs], weight); - reduced_rhs.add_assign_scaled(&trace_poly_values[*rhs], weight); - } - (reduced_lhs, reduced_rhs) -} - -/// Computes the elementwise product of a set of polynomials. Assumes that the set is non-empty and -/// that each polynomial has the same length. -fn poly_product_elementwise( - mut polys: impl Iterator>, -) -> PolynomialValues { - let mut product = polys.next().expect("Expected at least one polynomial"); - for poly in polys { - batch_multiply_inplace(&mut product.values, &poly.values) - } - product -} - -fn get_permutation_challenge>( - challenger: &mut Challenger, -) -> PermutationChallenge { - let beta = challenger.get_challenge(); - let gamma = challenger.get_challenge(); - PermutationChallenge { beta, gamma } -} - -fn get_permutation_challenge_set>( - challenger: &mut Challenger, - num_challenges: usize, -) -> PermutationChallengeSet { - let challenges = (0..num_challenges) - .map(|_| get_permutation_challenge(challenger)) - .collect(); - PermutationChallengeSet { challenges } -} - -pub(crate) fn get_n_permutation_challenge_sets>( - challenger: &mut Challenger, - num_challenges: usize, - num_sets: usize, -) -> Vec> { - (0..num_sets) - .map(|_| get_permutation_challenge_set(challenger, num_challenges)) - .collect() -} - -fn get_permutation_challenge_target< - F: RichField + Extendable, - H: AlgebraicHasher, - const D: usize, ->( - builder: &mut CircuitBuilder, - challenger: &mut RecursiveChallenger, -) -> PermutationChallenge { - let beta = challenger.get_challenge(builder); - let gamma = challenger.get_challenge(builder); - PermutationChallenge { beta, gamma } -} - -fn get_permutation_challenge_set_target< - F: RichField + Extendable, - H: AlgebraicHasher, - const D: usize, ->( - builder: &mut CircuitBuilder, - challenger: &mut RecursiveChallenger, - num_challenges: usize, -) -> PermutationChallengeSet { - let challenges = (0..num_challenges) - .map(|_| get_permutation_challenge_target(builder, challenger)) - .collect(); - PermutationChallengeSet { challenges } -} - -pub(crate) fn get_n_permutation_challenge_sets_target< - F: RichField + Extendable, - H: AlgebraicHasher, - const D: usize, ->( - builder: &mut CircuitBuilder, - challenger: &mut RecursiveChallenger, - num_challenges: usize, - num_sets: usize, -) -> Vec> { - (0..num_sets) - .map(|_| get_permutation_challenge_set_target(builder, challenger, num_challenges)) - .collect() -} - -/// Get a list of instances of our batch-permutation argument. These are permutation arguments -/// where the same `Z(x)` polynomial is used to check more than one permutation. -/// Before batching, each permutation pair leads to `num_challenges` permutation arguments, so we -/// start with the cartesian product of `permutation_pairs` and `0..num_challenges`. Then we -/// chunk these arguments based on our batch size. -pub(crate) fn get_permutation_batches<'a, T: Copy>( - permutation_pairs: &'a [PermutationPair], - permutation_challenge_sets: &[PermutationChallengeSet], - num_challenges: usize, - batch_size: usize, -) -> Vec>> { - permutation_pairs - .iter() - .cartesian_product(0..num_challenges) - .chunks(batch_size) - .into_iter() - .map(|batch| { - batch - .enumerate() - .map(|(i, (pair, chal))| { - let challenge = permutation_challenge_sets[i].challenges[chal]; - PermutationInstance { pair, challenge } - }) - .collect_vec() - }) - .collect() -} - -pub struct PermutationCheckVars -where - F: Field, - FE: FieldExtension, - P: PackedField, -{ - pub(crate) local_zs: Vec

, - pub(crate) next_zs: Vec

, - pub(crate) permutation_challenge_sets: Vec>, -} - -pub(crate) fn eval_permutation_checks( - stark: &S, - config: &StarkConfig, - vars: &S::EvaluationFrame, - permutation_data: PermutationCheckVars, - consumer: &mut ConstraintConsumer

, -) where - F: RichField + Extendable, - FE: FieldExtension, - P: PackedField, - S: Stark, -{ - let local_values = vars.get_local_values(); - - let PermutationCheckVars { - local_zs, - next_zs, - permutation_challenge_sets, - } = permutation_data; - - // Check that Z(1) = 1; - for &z in &local_zs { - consumer.constraint_first_row(z - FE::ONE); - } - - let permutation_pairs = stark.permutation_pairs(); - - let permutation_batches = get_permutation_batches( - &permutation_pairs, - &permutation_challenge_sets, - config.num_challenges, - stark.permutation_batch_size(), - ); - - // Each zs value corresponds to a permutation batch. - for (i, instances) in permutation_batches.iter().enumerate() { - // Z(gx) * down = Z x * up - let (reduced_lhs, reduced_rhs): (Vec

, Vec

) = instances - .iter() - .map(|instance| { - let PermutationInstance { - pair: PermutationPair { column_pairs }, - challenge: PermutationChallenge { beta, gamma }, - } = instance; - let mut factor = ReducingFactor::new(*beta); - let (lhs, rhs): (Vec<_>, Vec<_>) = column_pairs - .iter() - .map(|&(i, j)| (local_values[i], local_values[j])) - .unzip(); - ( - factor.reduce_ext(lhs.into_iter()) + FE::from_basefield(*gamma), - factor.reduce_ext(rhs.into_iter()) + FE::from_basefield(*gamma), - ) - }) - .unzip(); - let constraint = next_zs[i] * reduced_rhs.into_iter().product::

() - - local_zs[i] * reduced_lhs.into_iter().product::

(); - consumer.constraint(constraint); - } -} - -pub struct PermutationCheckDataTarget { - pub(crate) local_zs: Vec>, - pub(crate) next_zs: Vec>, - pub(crate) permutation_challenge_sets: Vec>, -} - -pub(crate) fn eval_permutation_checks_circuit( - builder: &mut CircuitBuilder, - stark: &S, - config: &StarkConfig, - vars: &S::EvaluationFrameTarget, - permutation_data: PermutationCheckDataTarget, - consumer: &mut RecursiveConstraintConsumer, -) where - F: RichField + Extendable, - S: Stark, -{ - let local_values = vars.get_local_values(); - - let PermutationCheckDataTarget { - local_zs, - next_zs, - permutation_challenge_sets, - } = permutation_data; - - let one = builder.one_extension(); - // Check that Z(1) = 1; - for &z in &local_zs { - let z_1 = builder.sub_extension(z, one); - consumer.constraint_first_row(builder, z_1); - } - - let permutation_pairs = stark.permutation_pairs(); - - let permutation_batches = get_permutation_batches( - &permutation_pairs, - &permutation_challenge_sets, - config.num_challenges, - stark.permutation_batch_size(), - ); - - // Each zs value corresponds to a permutation batch. - for (i, instances) in permutation_batches.iter().enumerate() { - let (reduced_lhs, reduced_rhs): (Vec>, Vec>) = - instances - .iter() - .map(|instance| { - let PermutationInstance { - pair: PermutationPair { column_pairs }, - challenge: PermutationChallenge { beta, gamma }, - } = instance; - let beta_ext = builder.convert_to_ext(*beta); - let gamma_ext = builder.convert_to_ext(*gamma); - let mut factor = ReducingFactorTarget::new(beta_ext); - let (lhs, rhs): (Vec<_>, Vec<_>) = column_pairs - .iter() - .map(|&(i, j)| (local_values[i], local_values[j])) - .unzip(); - let reduced_lhs = factor.reduce(&lhs, builder); - let reduced_rhs = factor.reduce(&rhs, builder); - ( - builder.add_extension(reduced_lhs, gamma_ext), - builder.add_extension(reduced_rhs, gamma_ext), - ) - }) - .unzip(); - let reduced_lhs_product = builder.mul_many_extension(reduced_lhs); - let reduced_rhs_product = builder.mul_many_extension(reduced_rhs); - // constraint = next_zs[i] * reduced_rhs_product - local_zs[i] * reduced_lhs_product - let constraint = { - let tmp = builder.mul_extension(local_zs[i], reduced_lhs_product); - builder.mul_sub_extension(next_zs[i], reduced_rhs_product, tmp) - }; - consumer.constraint(builder, constraint) - } -} diff --git a/starky/src/permutation_stark.rs b/starky/src/permutation_stark.rs new file mode 100644 index 0000000000..bddf420279 --- /dev/null +++ b/starky/src/permutation_stark.rs @@ -0,0 +1,236 @@ +//! An example of generating and verifying a STARK to highlight the use of the +//! permutation argument with logUp. + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; +use core::marker::PhantomData; + +use plonky2::field::extension::{Extendable, FieldExtension}; +use plonky2::field::packed::PackedField; +use plonky2::field::polynomial::PolynomialValues; +use plonky2::hash::hash_types::RichField; +use plonky2::iop::ext_target::ExtensionTarget; +use plonky2::plonk::circuit_builder::CircuitBuilder; + +use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; +use crate::evaluation_frame::StarkFrame; +use crate::lookup::{Column, Lookup}; +use crate::stark::Stark; +use crate::util::trace_rows_to_poly_values; + +/// Computes a sequence with state `[i, j]` using the state transition +/// i' <- i+1, j' <- j+1`. +/// Note: The `0, 1` columns are the columns used to test the permutation argument. +#[derive(Copy, Clone)] +struct PermutationStark, const D: usize> { + num_rows: usize, + _phantom: PhantomData, +} + +impl, const D: usize> PermutationStark { + const fn new(num_rows: usize) -> Self { + Self { + num_rows, + _phantom: PhantomData, + } + } + + /// Generate the trace using `x0, x0+1, 1` as initial state values. + fn generate_trace(&self, x0: F) -> Vec> { + let mut trace_rows = (0..self.num_rows) + .scan([x0, x0 + F::ONE, F::ONE], |acc, _| { + let tmp = *acc; + acc[0] = tmp[0] + F::ONE; + acc[1] = tmp[1] + F::ONE; + // acc[2] (i.e. frequency column) remains unchanged, as we're permuting a strictly monotonous sequence. + Some(tmp) + }) + .collect::>(); + trace_rows[self.num_rows - 1][1] = x0; // So that column 0 and 1 are permutation of one another. + trace_rows_to_poly_values(trace_rows) + } +} + +const PERM_COLUMNS: usize = 3; +const PERM_PUBLIC_INPUTS: usize = 1; + +impl, const D: usize> Stark for PermutationStark { + type EvaluationFrame = StarkFrame + where + FE: FieldExtension, + P: PackedField; + + type EvaluationFrameTarget = + StarkFrame, ExtensionTarget, PERM_COLUMNS, PERM_PUBLIC_INPUTS>; + + fn constraint_degree(&self) -> usize { + 0 + } + + fn lookups(&self) -> Vec> { + vec![Lookup { + columns: vec![Column::single(0)], + table_column: Column::single(1), + frequencies_column: Column::single(2), + filter_columns: vec![None; 1], + }] + } + + // We don't constrain any register, for the sake of highlighting the permutation argument only. + fn eval_packed_generic( + &self, + _vars: &Self::EvaluationFrame, + _yield_constr: &mut ConstraintConsumer

, + ) where + FE: FieldExtension, + P: PackedField, + { + } + + // We don't constrain any register, for the sake of highlighting the permutation argument only. + fn eval_ext_circuit( + &self, + _builder: &mut CircuitBuilder, + _vars: &Self::EvaluationFrameTarget, + _yield_constr: &mut RecursiveConstraintConsumer, + ) { + } +} + +#[cfg(test)] +mod tests { + use anyhow::Result; + use plonky2::field::extension::Extendable; + use plonky2::field::types::Field; + use plonky2::hash::hash_types::RichField; + use plonky2::iop::witness::PartialWitness; + use plonky2::plonk::circuit_builder::CircuitBuilder; + use plonky2::plonk::circuit_data::CircuitConfig; + use plonky2::plonk::config::{AlgebraicHasher, GenericConfig, PoseidonGoldilocksConfig}; + use plonky2::util::timing::TimingTree; + + use crate::config::StarkConfig; + use crate::permutation_stark::PermutationStark; + use crate::proof::StarkProofWithPublicInputs; + use crate::prover::prove; + use crate::recursive_verifier::{ + add_virtual_stark_proof_with_pis, set_stark_proof_with_pis_target, + verify_stark_proof_circuit, + }; + use crate::stark::Stark; + use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; + use crate::verifier::verify_stark_proof; + + #[test] + fn test_pemutations_stark() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = PermutationStark; + + let config = StarkConfig::standard_fast_config(); + let num_rows = 1 << 5; + + let public_input = F::ZERO; + + let stark = S::new(num_rows); + let trace = stark.generate_trace(public_input); + let proof = prove::( + stark, + &config, + trace, + &[public_input], + &mut TimingTree::default(), + )?; + + verify_stark_proof(stark, proof, &config) + } + + #[test] + fn test_permutation_stark_degree() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = PermutationStark; + + let num_rows = 1 << 5; + let stark = S::new(num_rows); + test_stark_low_degree(stark) + } + + #[test] + fn test_permutation_stark_circuit() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = PermutationStark; + + let num_rows = 1 << 5; + let stark = S::new(num_rows); + test_stark_circuit_constraints::(stark) + } + + #[test] + fn test_recursive_stark_verifier() -> Result<()> { + init_logger(); + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = PermutationStark; + + let config = StarkConfig::standard_fast_config(); + let num_rows = 1 << 5; + let public_input = F::ZERO; + + let stark = S::new(num_rows); + let trace = stark.generate_trace(public_input); + let proof = prove::( + stark, + &config, + trace, + &[public_input], + &mut TimingTree::default(), + )?; + verify_stark_proof(stark, proof.clone(), &config)?; + + recursive_proof::(stark, proof, &config, true) + } + + fn recursive_proof< + F: RichField + Extendable, + C: GenericConfig, + S: Stark + Copy, + InnerC: GenericConfig, + const D: usize, + >( + stark: S, + inner_proof: StarkProofWithPublicInputs, + inner_config: &StarkConfig, + print_gate_counts: bool, + ) -> Result<()> + where + InnerC::Hasher: AlgebraicHasher, + { + let circuit_config = CircuitConfig::standard_recursion_config(); + let mut builder = CircuitBuilder::::new(circuit_config); + let mut pw = PartialWitness::new(); + let degree_bits = inner_proof.proof.recover_degree_bits(inner_config); + let pt = + add_virtual_stark_proof_with_pis(&mut builder, &stark, inner_config, degree_bits, 0, 0); + set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof, builder.zero()); + + verify_stark_proof_circuit::(&mut builder, stark, pt, inner_config); + + if print_gate_counts { + builder.print_gate_counts(0); + } + + let data = builder.build::(); + let proof = data.prove(pw)?; + data.verify(proof) + } + + fn init_logger() { + let _ = env_logger::builder().format_timestamp(None).try_init(); + } +} diff --git a/starky/src/proof.rs b/starky/src/proof.rs index 6bd5f78761..d521be027a 100644 --- a/starky/src/proof.rs +++ b/starky/src/proof.rs @@ -1,5 +1,9 @@ -use alloc::vec; -use alloc::vec::Vec; +//! All the different proof types and their associated `circuit` versions +//! to be used when proving (recursive) [`Stark`][crate::stark::Stark] +//! statements + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use itertools::Itertools; use plonky2::field::extension::{Extendable, FieldExtension}; @@ -14,20 +18,22 @@ use plonky2::hash::hash_types::{MerkleCapTarget, RichField}; use plonky2::hash::merkle_tree::MerkleCap; use plonky2::iop::ext_target::ExtensionTarget; use plonky2::iop::target::Target; -use plonky2::plonk::config::GenericConfig; +use plonky2::plonk::config::{GenericConfig, Hasher}; +use plonky2::util::serialization::{Buffer, IoResult, Read, Write}; use plonky2_maybe_rayon::*; use crate::config::StarkConfig; -use crate::permutation::PermutationChallengeSet; +use crate::lookup::GrandProductChallengeSet; +/// Merkle caps and openings that form the proof of a single STARK. #[derive(Debug, Clone)] pub struct StarkProof, C: GenericConfig, const D: usize> { /// Merkle cap of LDEs of trace values. pub trace_cap: MerkleCap, - /// Merkle cap of LDEs of permutation Z values. - pub permutation_zs_cap: Option>, + /// Optional merkle cap of LDEs of permutation Z values, if any. + pub auxiliary_polys_cap: Option>, /// Merkle cap of LDEs of trace values. - pub quotient_polys_cap: MerkleCap, + pub quotient_polys_cap: Option>, /// Purported values of each polynomial at the challenge point. pub openings: StarkOpeningSet, /// A batch FRI argument for all openings. @@ -46,15 +52,64 @@ impl, C: GenericConfig, const D: usize> S } } +/// Circuit version of [`StarkProof`]. +/// Merkle caps and openings that form the proof of a single STARK. +#[derive(Clone, Debug, PartialEq, Eq)] pub struct StarkProofTarget { + /// `Target` for the Merkle cap trace values LDEs. pub trace_cap: MerkleCapTarget, - pub permutation_zs_cap: Option, - pub quotient_polys_cap: MerkleCapTarget, + /// Optional `Target` for the Merkle cap of lookup helper and CTL columns LDEs, if any. + pub auxiliary_polys_cap: Option, + /// `Target` for the Merkle cap of quotient polynomial evaluations LDEs. + pub quotient_polys_cap: Option, + /// `Target`s for the purported values of each polynomial at the challenge point. pub openings: StarkOpeningSetTarget, + /// `Target`s for the batch FRI argument for all openings. pub opening_proof: FriProofTarget, } impl StarkProofTarget { + /// Serializes a STARK proof. + pub fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { + buffer.write_target_merkle_cap(&self.trace_cap)?; + buffer.write_bool(self.auxiliary_polys_cap.is_some())?; + if let Some(poly) = &self.auxiliary_polys_cap { + buffer.write_target_merkle_cap(poly)?; + } + buffer.write_bool(self.quotient_polys_cap.is_some())?; + if let Some(poly) = &self.quotient_polys_cap { + buffer.write_target_merkle_cap(poly)?; + } + buffer.write_target_fri_proof(&self.opening_proof)?; + self.openings.to_buffer(buffer)?; + Ok(()) + } + + /// Deserializes a STARK proof. + pub fn from_buffer(buffer: &mut Buffer) -> IoResult { + let trace_cap = buffer.read_target_merkle_cap()?; + let auxiliary_polys_cap = if buffer.read_bool()? { + Some(buffer.read_target_merkle_cap()?) + } else { + None + }; + let quotient_polys_cap = if buffer.read_bool()? { + Some(buffer.read_target_merkle_cap()?) + } else { + None + }; + let opening_proof = buffer.read_target_fri_proof()?; + let openings = StarkOpeningSetTarget::from_buffer(buffer)?; + + Ok(Self { + trace_cap, + auxiliary_polys_cap, + quotient_polys_cap, + openings, + opening_proof, + }) + } + /// Recover the length of the trace from a STARK proof and a STARK config. pub fn recover_degree_bits(&self, config: &StarkConfig) -> usize { let initial_merkle_proof = &self.opening_proof.query_round_proofs[0] @@ -66,22 +121,31 @@ impl StarkProofTarget { } } +/// Merkle caps and openings that form the proof of a single STARK, along with its public inputs. #[derive(Debug, Clone)] pub struct StarkProofWithPublicInputs< F: RichField + Extendable, C: GenericConfig, const D: usize, > { + /// A STARK proof. pub proof: StarkProof, + /// Public inputs associated to this STARK proof. // TODO: Maybe make it generic over a `S: Stark` and replace with `[F; S::PUBLIC_INPUTS]`. pub public_inputs: Vec, } +/// Circuit version of [`StarkProofWithPublicInputs`]. +#[derive(Debug, Clone)] pub struct StarkProofWithPublicInputsTarget { + /// `Target` STARK proof. pub proof: StarkProofTarget, + /// `Target` public inputs for this STARK proof. pub public_inputs: Vec, } +/// A compressed proof format of a single STARK. +#[derive(Debug, Clone)] pub struct CompressedStarkProof< F: RichField + Extendable, C: GenericConfig, @@ -95,76 +159,165 @@ pub struct CompressedStarkProof< pub opening_proof: CompressedFriProof, } +/// A compressed [`StarkProof`] format of a single STARK with its public inputs. +#[derive(Debug, Clone)] pub struct CompressedStarkProofWithPublicInputs< F: RichField + Extendable, C: GenericConfig, const D: usize, > { + /// A compressed STARK proof. pub proof: CompressedStarkProof, + /// Public inputs for this compressed STARK proof. pub public_inputs: Vec, } -pub(crate) struct StarkProofChallenges, const D: usize> { - /// Randomness used in any permutation arguments. - pub permutation_challenge_sets: Option>>, +/// A [`StarkProof`] along with metadata about the initial Fiat-Shamir state, which is used when +/// creating a recursive wrapper proof around a STARK proof. +#[derive(Debug, Clone)] +pub struct StarkProofWithMetadata +where + F: RichField + Extendable, + C: GenericConfig, +{ + /// Initial Fiat-Shamir state. + pub init_challenger_state: >::Permutation, + /// Proof for a single STARK. + pub proof: StarkProof, +} + +/// A combination of STARK proofs for independent statements operating on possibly shared variables, +/// along with Cross-Table Lookup (CTL) challenges to assert consistency of common variables across tables. +#[derive(Debug, Clone)] +pub struct MultiProof< + F: RichField + Extendable, + C: GenericConfig, + const D: usize, + const N: usize, +> { + /// Proofs for all the different STARK modules. + pub stark_proofs: [StarkProofWithMetadata; N], + /// Cross-table lookup challenges. + pub ctl_challenges: GrandProductChallengeSet, +} +impl, C: GenericConfig, const D: usize, const N: usize> + MultiProof +{ + /// Returns the degree (i.e. the trace length) of each STARK proof, + /// from their common [`StarkConfig`]. + pub fn recover_degree_bits(&self, config: &StarkConfig) -> [usize; N] { + core::array::from_fn(|i| self.stark_proofs[i].proof.recover_degree_bits(config)) + } +} + +/// Randomness used for a STARK proof. +#[derive(Debug)] +pub struct StarkProofChallenges, const D: usize> { + /// Optional randomness used in any permutation argument. + pub lookup_challenge_set: Option>, /// Random values used to combine STARK constraints. pub stark_alphas: Vec, - /// Point at which the STARK polynomials are opened. pub stark_zeta: F::Extension, - + /// Randomness used in FRI. pub fri_challenges: FriChallenges, } -pub(crate) struct StarkProofChallengesTarget { - pub permutation_challenge_sets: Option>>, +/// Circuit version of [`StarkProofChallenges`]. +#[derive(Debug)] +pub struct StarkProofChallengesTarget { + /// Optional `Target`'s randomness used in any permutation argument. + pub lookup_challenge_set: Option>, + /// `Target`s for the random values used to combine STARK constraints. pub stark_alphas: Vec, + /// `ExtensionTarget` for the point at which the STARK polynomials are opened. pub stark_zeta: ExtensionTarget, + /// `Target`s for the randomness used in FRI. pub fri_challenges: FriChallengesTarget, } +/// Randomness for all STARK proofs contained in a [`MultiProof`]`. +#[derive(Debug)] +pub struct MultiProofChallenges, const D: usize, const N: usize> { + /// Randomness used in each STARK proof. + pub stark_challenges: [StarkProofChallenges; N], + /// Randomness used for cross-table lookups. It is shared by all STARKs. + pub ctl_challenges: GrandProductChallengeSet, +} + /// Purported values of each polynomial at the challenge point. #[derive(Debug, Clone)] pub struct StarkOpeningSet, const D: usize> { + /// Openings of trace polynomials at `zeta`. pub local_values: Vec, + /// Openings of trace polynomials at `g * zeta`. pub next_values: Vec, - pub permutation_zs: Option>, - pub permutation_zs_next: Option>, - pub quotient_polys: Vec, + /// Openings of lookups and cross-table lookups `Z` polynomials at `zeta`. + pub auxiliary_polys: Option>, + /// Openings of lookups and cross-table lookups `Z` polynomials at `g * zeta`. + pub auxiliary_polys_next: Option>, + /// Openings of cross-table lookups `Z` polynomials at `1`. + pub ctl_zs_first: Option>, + /// Openings of quotient polynomials at `zeta`. + pub quotient_polys: Option>, } impl, const D: usize> StarkOpeningSet { + /// Returns a `StarkOpeningSet` given all the polynomial commitments, the number + /// of permutation `Z`polynomials, the evaluation point and a generator `g`. + /// + /// Polynomials are evaluated at point `zeta` and, if necessary, at `g * zeta`. pub fn new>( zeta: F::Extension, g: F, trace_commitment: &PolynomialBatch, - permutation_zs_commitment: Option<&PolynomialBatch>, - quotient_commitment: &PolynomialBatch, + auxiliary_polys_commitment: Option<&PolynomialBatch>, + quotient_commitment: Option<&PolynomialBatch>, + num_lookup_columns: usize, + requires_ctl: bool, + num_ctl_polys: &[usize], ) -> Self { + // Batch evaluates polynomials on the LDE, at a point `z`. let eval_commitment = |z: F::Extension, c: &PolynomialBatch| { c.polynomials .par_iter() .map(|p| p.to_extension().eval(z)) .collect::>() }; + // Batch evaluates polynomials at a base field point `z`. + let eval_commitment_base = |z: F, c: &PolynomialBatch| { + c.polynomials + .par_iter() + .map(|p| p.eval(z)) + .collect::>() + }; + + let auxiliary_first = auxiliary_polys_commitment.map(|c| eval_commitment_base(F::ONE, c)); + // `g * zeta`. let zeta_next = zeta.scalar_mul(g); Self { local_values: eval_commitment(zeta, trace_commitment), next_values: eval_commitment(zeta_next, trace_commitment), - permutation_zs: permutation_zs_commitment.map(|c| eval_commitment(zeta, c)), - permutation_zs_next: permutation_zs_commitment.map(|c| eval_commitment(zeta_next, c)), - quotient_polys: eval_commitment(zeta, quotient_commitment), + auxiliary_polys: auxiliary_polys_commitment.map(|c| eval_commitment(zeta, c)), + auxiliary_polys_next: auxiliary_polys_commitment.map(|c| eval_commitment(zeta_next, c)), + ctl_zs_first: requires_ctl.then(|| { + let total_num_helper_cols: usize = num_ctl_polys.iter().sum(); + auxiliary_first.unwrap()[num_lookup_columns + total_num_helper_cols..].to_vec() + }), + quotient_polys: quotient_commitment.map(|c| eval_commitment(zeta, c)), } } + /// Constructs the openings required by FRI. + /// All openings but `ctl_zs_first` are grouped together. pub(crate) fn to_fri_openings(&self) -> FriOpenings { let zeta_batch = FriOpeningBatch { values: self .local_values .iter() - .chain(self.permutation_zs.iter().flatten()) - .chain(&self.quotient_polys) + .chain(self.auxiliary_polys.iter().flatten()) + .chain(self.quotient_polys.iter().flatten()) .copied() .collect_vec(), }; @@ -172,32 +325,124 @@ impl, const D: usize> StarkOpeningSet { values: self .next_values .iter() - .chain(self.permutation_zs_next.iter().flatten()) + .chain(self.auxiliary_polys_next.iter().flatten()) .copied() .collect_vec(), }; - FriOpenings { - batches: vec![zeta_batch, zeta_next_batch], + + let mut batches = vec![zeta_batch, zeta_next_batch]; + + if let Some(ctl_zs_first) = self.ctl_zs_first.as_ref() { + debug_assert!(!ctl_zs_first.is_empty()); + debug_assert!(self.auxiliary_polys.is_some()); + debug_assert!(self.auxiliary_polys_next.is_some()); + + let ctl_first_batch = FriOpeningBatch { + values: ctl_zs_first + .iter() + .copied() + .map(F::Extension::from_basefield) + .collect(), + }; + + batches.push(ctl_first_batch); } + + FriOpenings { batches } } } +/// Circuit version of [`StarkOpeningSet`]. +/// `Target`s for the purported values of each polynomial at the challenge point. +#[derive(Clone, Debug, PartialEq, Eq)] pub struct StarkOpeningSetTarget { + /// `ExtensionTarget`s for the openings of trace polynomials at `zeta`. pub local_values: Vec>, + /// `ExtensionTarget`s for the opening of trace polynomials at `g * zeta`. pub next_values: Vec>, - pub permutation_zs: Option>>, - pub permutation_zs_next: Option>>, - pub quotient_polys: Vec>, + /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at `zeta`. + pub auxiliary_polys: Option>>, + /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at `g * zeta`. + pub auxiliary_polys_next: Option>>, + /// `ExtensionTarget`s for the opening of lookups and cross-table lookups `Z` polynomials at 1. + pub ctl_zs_first: Option>, + /// `ExtensionTarget`s for the opening of quotient polynomials at `zeta`. + pub quotient_polys: Option>>, } impl StarkOpeningSetTarget { - pub(crate) fn to_fri_openings(&self) -> FriOpeningsTarget { + /// Serializes a STARK's opening set. + pub(crate) fn to_buffer(&self, buffer: &mut Vec) -> IoResult<()> { + buffer.write_target_ext_vec(&self.local_values)?; + buffer.write_target_ext_vec(&self.next_values)?; + if let Some(poly) = &self.auxiliary_polys { + buffer.write_bool(true)?; + buffer.write_target_ext_vec(poly)?; + } else { + buffer.write_bool(false)?; + } + if let Some(poly_next) = &self.auxiliary_polys_next { + buffer.write_bool(true)?; + buffer.write_target_ext_vec(poly_next)?; + } else { + buffer.write_bool(false)?; + } + if let Some(ctl_zs_first) = &self.ctl_zs_first { + buffer.write_bool(true)?; + buffer.write_target_vec(ctl_zs_first)?; + } else { + buffer.write_bool(false)?; + } + buffer.write_bool(self.quotient_polys.is_some())?; + if let Some(quotient_polys) = &self.quotient_polys { + buffer.write_target_ext_vec(quotient_polys)?; + } + Ok(()) + } + + /// Deserializes a STARK's opening set. + pub(crate) fn from_buffer(buffer: &mut Buffer) -> IoResult { + let local_values = buffer.read_target_ext_vec::()?; + let next_values = buffer.read_target_ext_vec::()?; + let auxiliary_polys = if buffer.read_bool()? { + Some(buffer.read_target_ext_vec::()?) + } else { + None + }; + let auxiliary_polys_next = if buffer.read_bool()? { + Some(buffer.read_target_ext_vec::()?) + } else { + None + }; + let ctl_zs_first = if buffer.read_bool()? { + Some(buffer.read_target_vec()?) + } else { + None + }; + let quotient_polys = if buffer.read_bool()? { + Some(buffer.read_target_ext_vec::()?) + } else { + None + }; + + Ok(Self { + local_values, + next_values, + auxiliary_polys, + auxiliary_polys_next, + ctl_zs_first, + quotient_polys, + }) + } + + /// Circuit version of `to_fri_openings`for [`FriOpeningsTarget`]. + pub(crate) fn to_fri_openings(&self, zero: Target) -> FriOpeningsTarget { let zeta_batch = FriOpeningBatchTarget { values: self .local_values .iter() - .chain(self.permutation_zs.iter().flatten()) - .chain(&self.quotient_polys) + .chain(self.auxiliary_polys.iter().flatten()) + .chain(self.quotient_polys.iter().flatten()) .copied() .collect_vec(), }; @@ -205,12 +450,28 @@ impl StarkOpeningSetTarget { values: self .next_values .iter() - .chain(self.permutation_zs_next.iter().flatten()) + .chain(self.auxiliary_polys_next.iter().flatten()) .copied() .collect_vec(), }; - FriOpeningsTarget { - batches: vec![zeta_batch, zeta_next_batch], + + let mut batches = vec![zeta_batch, zeta_next_batch]; + + if let Some(ctl_zs_first) = self.ctl_zs_first.as_ref() { + debug_assert!(!ctl_zs_first.is_empty()); + debug_assert!(self.auxiliary_polys.is_some()); + debug_assert!(self.auxiliary_polys_next.is_some()); + + let ctl_first_batch = FriOpeningBatchTarget { + values: ctl_zs_first + .iter() + .copied() + .map(|t| t.to_ext_target(zero)) + .collect(), + }; + + batches.push(ctl_first_batch); } + FriOpeningsTarget { batches } } } diff --git a/starky/src/prover.rs b/starky/src/prover.rs index 56154d9105..c7b77b9336 100644 --- a/starky/src/prover.rs +++ b/starky/src/prover.rs @@ -1,3 +1,6 @@ +//! Implementation of the STARK prover. + +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::iter::once; @@ -20,16 +23,17 @@ use plonky2_maybe_rayon::*; use crate::config::StarkConfig; use crate::constraint_consumer::ConstraintConsumer; +use crate::cross_table_lookup::{get_ctl_auxiliary_polys, CtlCheckVars, CtlData}; use crate::evaluation_frame::StarkEvaluationFrame; -use crate::permutation::{ - compute_permutation_z_polys, get_n_permutation_challenge_sets, PermutationChallengeSet, - PermutationCheckVars, +use crate::lookup::{ + get_grand_product_challenge_set, lookup_helper_columns, GrandProductChallengeSet, Lookup, + LookupCheckVars, }; use crate::proof::{StarkOpeningSet, StarkProof, StarkProofWithPublicInputs}; use crate::stark::Stark; use crate::vanishing_poly::eval_vanishing_poly; -#[allow(clippy::useless_asref)] +/// From a STARK trace, computes a STARK proof to attest its correctness. pub fn prove( stark: S, config: &StarkConfig, @@ -69,80 +73,217 @@ where let mut challenger = Challenger::new(); challenger.observe_cap(&trace_cap); + prove_with_commitment( + &stark, + config, + &trace_poly_values, + &trace_commitment, + None, + None, + &mut challenger, + public_inputs, + timing, + ) +} + +/// Generates a proof for a single STARK table, including: +/// +/// - the initial state of the challenger, +/// - all the required Merkle caps, +/// - all the required polynomial and FRI argument openings. +/// - individual `ctl_data` and common `ctl_challenges` if the STARK is part +/// of a multi-STARK system. +pub fn prove_with_commitment( + stark: &S, + config: &StarkConfig, + trace_poly_values: &[PolynomialValues], + trace_commitment: &PolynomialBatch, + ctl_data: Option<&CtlData>, + ctl_challenges: Option<&GrandProductChallengeSet>, + challenger: &mut Challenger, + public_inputs: &[F], + timing: &mut TimingTree, +) -> Result> +where + F: RichField + Extendable, + C: GenericConfig, + S: Stark, +{ + let degree = trace_poly_values[0].len(); + let degree_bits = log2_strict(degree); + let fri_params = config.fri_params(degree_bits); + let rate_bits = config.fri_config.rate_bits; + let cap_height = config.fri_config.cap_height; + assert!( + fri_params.total_arities() <= degree_bits + rate_bits - cap_height, + "FRI total reduction arity is too large.", + ); + + let constraint_degree = stark.constraint_degree(); + assert!( + constraint_degree <= (1 << rate_bits) + 1, + "The degree of the Stark constraints must be <= blowup_factor + 1" + ); + // Permutation arguments. - let permutation_zs_commitment_challenges = stark.uses_permutation_args().then(|| { - let permutation_challenge_sets = get_n_permutation_challenge_sets( - &mut challenger, - config.num_challenges, - stark.permutation_batch_size(), - ); - let permutation_z_polys = compute_permutation_z_polys::( - &stark, - config, - &trace_poly_values, - &permutation_challenge_sets, - ); - let permutation_zs_commitment = timed!( + let constraint_degree = stark.constraint_degree(); + let lookup_challenges = stark.uses_lookups().then(|| { + if let Some(c) = ctl_challenges { + c.challenges.iter().map(|ch| ch.beta).collect::>() + } else { + get_grand_product_challenge_set(challenger, config.num_challenges) + .challenges + .iter() + .map(|ch| ch.beta) + .collect::>() + } + }); + + let lookups = stark.lookups(); + let lookup_helper_columns = timed!( + timing, + "compute lookup helper columns", + lookup_challenges.as_ref().map(|challenges| { + let mut columns = Vec::new(); + for lookup in &lookups { + for &challenge in challenges { + columns.extend(lookup_helper_columns( + lookup, + trace_poly_values, + challenge, + constraint_degree, + )); + } + } + columns + }) + ); + let num_lookup_columns = lookup_helper_columns.as_ref().map_or(0, |v| v.len()); + + // We add CTLs, if there are any, to the permutation arguments so that + // we can batch commit to all auxiliary polynomials. + let auxiliary_polys = match lookup_helper_columns { + None => get_ctl_auxiliary_polys(ctl_data), + Some(mut lookup_columns) => { + if let Some(p) = get_ctl_auxiliary_polys(ctl_data) { + lookup_columns.extend(p) + }; + + Some(lookup_columns) + } + }; + + debug_assert!( + (stark.uses_lookups() || stark.requires_ctls()) || auxiliary_polys.is_none(), + "There should be auxiliary polynomials if and only if we have either lookups or require cross-table lookups." + ); + + // Get the polynomial commitments for all auxiliary polynomials. + let auxiliary_polys_commitment = auxiliary_polys.map(|aux_polys| { + timed!( timing, - "compute permutation Z commitments", + "compute auxiliary polynomials commitment", PolynomialBatch::from_values( - permutation_z_polys, + aux_polys, rate_bits, false, config.fri_config.cap_height, timing, None, ) - ); - (permutation_zs_commitment, permutation_challenge_sets) + ) }); - let permutation_zs_commitment = permutation_zs_commitment_challenges - .as_ref() - .map(|(comm, _)| comm); - let permutation_zs_cap = permutation_zs_commitment + + let auxiliary_polys_cap = auxiliary_polys_commitment .as_ref() .map(|commit| commit.merkle_tree.cap.clone()); - if let Some(cap) = &permutation_zs_cap { + if let Some(cap) = &auxiliary_polys_cap { challenger.observe_cap(cap); } let alphas = challenger.get_n_challenges(config.num_challenges); - let quotient_polys = compute_quotient_polys::::Packing, C, S, D>( - &stark, - &trace_commitment, - &permutation_zs_commitment_challenges, - public_inputs, - alphas, - degree_bits, - config, - ); - let all_quotient_chunks = quotient_polys - .into_par_iter() - .flat_map(|mut quotient_poly| { - quotient_poly - .trim_to_len(degree * stark.quotient_degree_factor()) - .expect("Quotient has failed, the vanishing polynomial is not divisible by Z_H"); - // Split quotient into degree-n chunks. - quotient_poly.chunks(degree) - }) - .collect(); - let quotient_commitment = timed!( + + let num_ctl_polys = ctl_data + .map(|data| data.num_ctl_helper_polys()) + .unwrap_or_default(); + + // This is an expensive check, hence is only run when `debug_assertions` are enabled. + #[cfg(debug_assertions)] + { + check_constraints( + stark, + trace_commitment, + public_inputs, + &auxiliary_polys_commitment, + lookup_challenges.as_ref(), + &lookups, + ctl_data, + alphas.clone(), + degree_bits, + num_lookup_columns, + &num_ctl_polys, + ); + } + + let quotient_polys = timed!( timing, - "compute quotient commitment", - PolynomialBatch::from_coeffs( - all_quotient_chunks, - rate_bits, - false, - config.fri_config.cap_height, - timing, - None, + "compute quotient polys", + compute_quotient_polys::::Packing, C, S, D>( + stark, + trace_commitment, + &auxiliary_polys_commitment, + lookup_challenges.as_ref(), + &lookups, + ctl_data, + public_inputs, + alphas.clone(), + degree_bits, + num_lookup_columns, + &num_ctl_polys, + config, ) ); - let quotient_polys_cap = quotient_commitment.merkle_tree.cap.clone(); - challenger.observe_cap("ient_polys_cap); + let (quotient_commitment, quotient_polys_cap) = if let Some(quotient_polys) = quotient_polys { + let all_quotient_chunks = timed!( + timing, + "split quotient polys", + quotient_polys + .into_par_iter() + .flat_map(|mut quotient_poly| { + quotient_poly + .trim_to_len(degree * stark.quotient_degree_factor()) + .expect( + "Quotient has failed, the vanishing polynomial is not divisible by Z_H", + ); + // Split quotient into degree-n chunks. + quotient_poly.chunks(degree) + }) + .collect() + ); + // Commit to the quotient polynomials. + let quotient_commitment = timed!( + timing, + "compute quotient commitment", + PolynomialBatch::from_coeffs( + all_quotient_chunks, + rate_bits, + false, + config.fri_config.cap_height, + timing, + None, + ) + ); + // Observe the quotient polynomials Merkle cap. + let quotient_polys_cap = quotient_commitment.merkle_tree.cap.clone(); + challenger.observe_cap("ient_polys_cap); + (Some(quotient_commitment), Some(quotient_polys_cap)) + } else { + (None, None) + }; let zeta = challenger.get_extension_challenge::(); + // To avoid leaking witness data, we want to ensure that our opening locations, `zeta` and // `g * zeta`, are not in our subgroup `H`. It suffices to check `zeta` only, since // `(g * zeta)^n = zeta^n`, where `n` is the order of `g`. @@ -151,34 +292,41 @@ where zeta.exp_power_of_2(degree_bits) != F::Extension::ONE, "Opening point is in the subgroup." ); + + // Compute all openings: evaluate all committed polynomials at `zeta` and, when necessary, at `g * zeta`. let openings = StarkOpeningSet::new( zeta, g, - &trace_commitment, - permutation_zs_commitment, - "ient_commitment, + trace_commitment, + auxiliary_polys_commitment.as_ref(), + quotient_commitment.as_ref(), + stark.num_lookup_helper_columns(config), + stark.requires_ctls(), + &num_ctl_polys, ); + // Get the FRI openings and observe them. challenger.observe_openings(&openings.to_fri_openings()); - let initial_merkle_trees = once(&trace_commitment) - .chain(permutation_zs_commitment) - .chain(once("ient_commitment)) + let initial_merkle_trees = once(trace_commitment) + .chain(&auxiliary_polys_commitment) + .chain("ient_commitment) .collect_vec(); let opening_proof = timed!( timing, "compute openings proof", PolynomialBatch::prove_openings( - &stark.fri_instance(zeta, g, config), + &stark.fri_instance(zeta, g, num_ctl_polys.iter().sum(), num_ctl_polys, config), &initial_merkle_trees, - &mut challenger, + challenger, &fri_params, timing, ) ); + let proof = StarkProof { - trace_cap, - permutation_zs_cap, + trace_cap: trace_commitment.merkle_tree.cap.clone(), + auxiliary_polys_cap, quotient_polys_cap, openings, opening_proof, @@ -191,27 +339,34 @@ where } /// Computes the quotient polynomials `(sum alpha^i C_i(x)) / Z_H(x)` for `alpha` in `alphas`, -/// where the `C_i`s are the Stark constraints. +/// where the `C_i`s are the STARK constraints. fn compute_quotient_polys<'a, F, P, C, S, const D: usize>( stark: &S, trace_commitment: &'a PolynomialBatch, - permutation_zs_commitment_challenges: &'a Option<( - PolynomialBatch, - Vec>, - )>, + auxiliary_polys_commitment: &'a Option>, + lookup_challenges: Option<&'a Vec>, + lookups: &[Lookup], + ctl_data: Option<&CtlData>, public_inputs: &[F], alphas: Vec, degree_bits: usize, + num_lookup_columns: usize, + num_ctl_columns: &[usize], config: &StarkConfig, -) -> Vec> +) -> Option>> where F: RichField + Extendable, P: PackedField, C: GenericConfig, S: Stark, { + if stark.quotient_degree_factor() == 0 { + return None; + } + let degree = 1 << degree_bits; let rate_bits = config.fri_config.rate_bits; + let total_num_helper_cols: usize = num_ctl_columns.iter().sum(); let quotient_degree_bits = log2_ceil(stark.quotient_degree_factor()); assert!( @@ -263,23 +418,83 @@ where lagrange_basis_first, lagrange_basis_last, ); + // Get the local and next row evaluations for the current STARK, + // as well as the public inputs. let vars = S::EvaluationFrame::from_values( &get_trace_values_packed(i_start), &get_trace_values_packed(i_next_start), public_inputs, ); - let permutation_check_data = permutation_zs_commitment_challenges.as_ref().map( - |(permutation_zs_commitment, permutation_challenge_sets)| PermutationCheckVars { - local_zs: permutation_zs_commitment.get_lde_values_packed(i_start, step), - next_zs: permutation_zs_commitment.get_lde_values_packed(i_next_start, step), - permutation_challenge_sets: permutation_challenge_sets.to_vec(), - }, - ); + // Get the local and next row evaluations for the permutation argument, + // as well as the associated challenges. + let lookup_vars = lookup_challenges.map(|challenges| LookupCheckVars { + local_values: auxiliary_polys_commitment + .as_ref() + .unwrap() + .get_lde_values_packed(i_start, step)[..num_lookup_columns] + .to_vec(), + next_values: auxiliary_polys_commitment + .as_ref() + .unwrap() + .get_lde_values_packed(i_next_start, step)[..num_lookup_columns] + .to_vec(), + challenges: challenges.to_vec(), + }); + + // Get all the data for this STARK's CTLs, if any: + // - the local and next row evaluations for the CTL Z polynomials + // - the associated challenges. + // - for each CTL: + // - the filter `Column` + // - the `Column`s that form the looking/looked table. + + let ctl_vars = ctl_data.map(|data| { + let mut start_index = 0; + data.zs_columns + .iter() + .enumerate() + .map(|(i, zs_columns)| { + let num_ctl_helper_cols = num_ctl_columns[i]; + let helper_columns = auxiliary_polys_commitment + .as_ref() + .unwrap() + .get_lde_values_packed(i_start, step) + [num_lookup_columns + start_index + ..num_lookup_columns + start_index + num_ctl_helper_cols] + .to_vec(); + + let ctl_vars = CtlCheckVars:: { + helper_columns, + local_z: auxiliary_polys_commitment + .as_ref() + .unwrap() + .get_lde_values_packed(i_start, step) + [num_lookup_columns + total_num_helper_cols + i], + next_z: auxiliary_polys_commitment + .as_ref() + .unwrap() + .get_lde_values_packed(i_next_start, step) + [num_lookup_columns + total_num_helper_cols + i], + challenges: zs_columns.challenge, + columns: zs_columns.columns.clone(), + filter: zs_columns.filter.clone(), + }; + + start_index += num_ctl_helper_cols; + + ctl_vars + }) + .collect::>() + }); + + // Evaluate the polynomial combining all constraints, including + // those associated to the permutation arguments. eval_vanishing_poly::( stark, - config, &vars, - permutation_check_data, + lookups, + lookup_vars, + ctl_vars.as_deref(), &mut consumer, ); @@ -301,9 +516,153 @@ where }) .collect::>(); - transpose("ient_values) - .into_par_iter() - .map(PolynomialValues::new) - .map(|values| values.coset_ifft(F::coset_shift())) - .collect() + Some( + transpose("ient_values) + .into_par_iter() + .map(PolynomialValues::new) + .map(|values| values.coset_ifft(F::coset_shift())) + .collect(), + ) +} + +/// Check that all constraints evaluate to zero on `H`. +/// Can also be used to check the degree of the constraints by evaluating on a larger subgroup. +/// +/// Debugging module, to assert that all constraints evaluate to zero on `H`. +/// It can also be used to check the degree of the constraints by evaluating on a larger subgroup. +/// +/// **Note**: this is an expensive check, hence is only available when the `debug_assertions` +/// flag is activated, to not hinder performances with regular `release` build. +#[cfg(debug_assertions)] +fn check_constraints<'a, F, C, S, const D: usize>( + stark: &S, + trace_commitment: &'a PolynomialBatch, + public_inputs: &[F], + auxiliary_commitment: &'a Option>, + lookup_challenges: Option<&'a Vec>, + lookups: &[Lookup], + ctl_data: Option<&CtlData>, + alphas: Vec, + degree_bits: usize, + num_lookup_columns: usize, + num_ctl_helper_cols: &[usize], +) where + F: RichField + Extendable, + C: GenericConfig, + S: Stark, +{ + let degree = 1 << degree_bits; + let rate_bits = 0; // Set this to higher value to check constraint degree. + let total_num_helper_cols: usize = num_ctl_helper_cols.iter().sum(); + + let size = degree << rate_bits; + let step = 1 << rate_bits; + + // Evaluation of the first Lagrange polynomial. + let lagrange_first = PolynomialValues::selector(degree, 0).lde(rate_bits); + // Evaluation of the last Lagrange polynomial. + let lagrange_last = PolynomialValues::selector(degree, degree - 1).lde(rate_bits); + + let subgroup = F::two_adic_subgroup(degree_bits + rate_bits); + + // Get the evaluations of a batch of polynomials over our subgroup. + let get_subgroup_evals = |comm: &PolynomialBatch| -> Vec> { + let values = comm + .polynomials + .par_iter() + .map(|coeffs| coeffs.clone().fft().values) + .collect::>(); + transpose(&values) + }; + + // Get batch evaluations of the trace and permutation polynomials over our subgroup. + let trace_subgroup_evals = get_subgroup_evals(trace_commitment); + let auxiliary_subgroup_evals = auxiliary_commitment.as_ref().map(get_subgroup_evals); + + // Last element of the subgroup. + let last = F::primitive_root_of_unity(degree_bits).inverse(); + + let constraint_values = (0..size) + .map(|i| { + let i_next = (i + step) % size; + + let x = subgroup[i]; + let z_last = x - last; + let lagrange_basis_first = lagrange_first.values[i]; + let lagrange_basis_last = lagrange_last.values[i]; + + let mut consumer = ConstraintConsumer::new( + alphas.clone(), + z_last, + lagrange_basis_first, + lagrange_basis_last, + ); + // Get the local and next row evaluations for the current STARK's trace. + let vars = S::EvaluationFrame::from_values( + &trace_subgroup_evals[i], + &trace_subgroup_evals[i_next], + public_inputs, + ); + // Get the local and next row evaluations for the current STARK's permutation argument. + let lookup_vars = lookup_challenges.map(|challenges| LookupCheckVars { + local_values: auxiliary_subgroup_evals.as_ref().unwrap()[i][..num_lookup_columns] + .to_vec(), + next_values: auxiliary_subgroup_evals.as_ref().unwrap()[i_next] + [..num_lookup_columns] + .to_vec(), + challenges: challenges.to_vec(), + }); + + // Get the local and next row evaluations for the current STARK's CTL Z polynomials. + let mut start_index = 0; + let ctl_vars = ctl_data.map(|data| { + data.zs_columns + .iter() + .enumerate() + .map(|(iii, zs_columns)| { + let num_helper_cols = num_ctl_helper_cols[iii]; + let helper_columns = auxiliary_subgroup_evals.as_ref().unwrap()[i] + [num_lookup_columns + start_index + ..num_lookup_columns + start_index + num_helper_cols] + .to_vec(); + let ctl_vars = CtlCheckVars:: { + helper_columns, + local_z: auxiliary_subgroup_evals.as_ref().unwrap()[i] + [num_lookup_columns + total_num_helper_cols + iii], + next_z: auxiliary_subgroup_evals.as_ref().unwrap()[i_next] + [num_lookup_columns + total_num_helper_cols + iii], + challenges: zs_columns.challenge, + columns: zs_columns.columns.clone(), + filter: zs_columns.filter.clone(), + }; + + start_index += num_helper_cols; + + ctl_vars + }) + .collect::>() + }); + + // Evaluate the polynomial combining all constraints, including those associated + // to the permutation arguments. + eval_vanishing_poly::( + stark, + &vars, + lookups, + lookup_vars, + ctl_vars.as_deref(), + &mut consumer, + ); + consumer.accumulators() + }) + .collect::>(); + + // Assert that all constraints evaluate to 0 over our subgroup. + for v in constraint_values { + assert!( + v.iter().all(|x| x.is_zero()), + "Constraint failed in {}", + core::any::type_name::() + ); + } } diff --git a/starky/src/recursive_verifier.rs b/starky/src/recursive_verifier.rs index 18db561be2..83e39398b3 100644 --- a/starky/src/recursive_verifier.rs +++ b/starky/src/recursive_verifier.rs @@ -1,3 +1,7 @@ +//! Implementation of the STARK recursive verifier, i.e. where proof +//! verification if encoded in a plonky2 circuit. + +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use core::iter::once; @@ -7,7 +11,9 @@ use plonky2::field::extension::Extendable; use plonky2::field::types::Field; use plonky2::fri::witness_util::set_fri_proof_target; use plonky2::hash::hash_types::RichField; +use plonky2::iop::challenger::RecursiveChallenger; use plonky2::iop::ext_target::ExtensionTarget; +use plonky2::iop::target::Target; use plonky2::iop::witness::Witness; use plonky2::plonk::circuit_builder::CircuitBuilder; use plonky2::plonk::config::{AlgebraicHasher, GenericConfig}; @@ -16,8 +22,9 @@ use plonky2::with_context; use crate::config::StarkConfig; use crate::constraint_consumer::RecursiveConstraintConsumer; +use crate::cross_table_lookup::CtlCheckVarsTarget; use crate::evaluation_frame::StarkEvaluationFrame; -use crate::permutation::PermutationCheckDataTarget; +use crate::lookup::LookupCheckVarsTarget; use crate::proof::{ StarkOpeningSetTarget, StarkProof, StarkProofChallengesTarget, StarkProofTarget, StarkProofWithPublicInputs, StarkProofWithPublicInputsTarget, @@ -25,6 +32,8 @@ use crate::proof::{ use crate::stark::Stark; use crate::vanishing_poly::eval_vanishing_poly_circuit; +/// Encodes the verification of a [`StarkProofWithPublicInputsTarget`] +/// for some statement in a circuit. pub fn verify_stark_proof_circuit< F: RichField + Extendable, C: GenericConfig, @@ -39,51 +48,57 @@ pub fn verify_stark_proof_circuit< C::Hasher: AlgebraicHasher, { assert_eq!(proof_with_pis.public_inputs.len(), S::PUBLIC_INPUTS); - let degree_bits = proof_with_pis.proof.recover_degree_bits(inner_config); + + let mut challenger = RecursiveChallenger::::new(builder); let challenges = with_context!( builder, "compute challenges", - proof_with_pis.get_challenges::(builder, &stark, inner_config) + proof_with_pis.get_challenges::(builder, &mut challenger, None, false, inner_config) ); verify_stark_proof_with_challenges_circuit::( builder, - stark, - proof_with_pis, + &stark, + &proof_with_pis.proof, + &proof_with_pis.public_inputs, challenges, + None, inner_config, - degree_bits, ); } -/// Recursively verifies an inner proof. -fn verify_stark_proof_with_challenges_circuit< +/// Recursively verifies an inner STARK proof. +pub fn verify_stark_proof_with_challenges_circuit< F: RichField + Extendable, C: GenericConfig, S: Stark, const D: usize, >( builder: &mut CircuitBuilder, - stark: S, - proof_with_pis: StarkProofWithPublicInputsTarget, + stark: &S, + proof: &StarkProofTarget, + public_inputs: &[Target], challenges: StarkProofChallengesTarget, + ctl_vars: Option<&[CtlCheckVarsTarget]>, inner_config: &StarkConfig, - degree_bits: usize, ) where C::Hasher: AlgebraicHasher, { - check_permutation_options(&stark, &proof_with_pis, &challenges).unwrap(); + check_lookup_options(stark, proof, &challenges).unwrap(); + + let zero = builder.zero(); let one = builder.one_extension(); - let StarkProofWithPublicInputsTarget { - proof, - public_inputs, - } = proof_with_pis; + let num_ctl_polys = ctl_vars + .map(|v| v.iter().map(|ctl| ctl.helper_columns.len()).sum::()) + .unwrap_or_default(); + let StarkOpeningSetTarget { local_values, next_values, - permutation_zs, - permutation_zs_next, + auxiliary_polys, + auxiliary_polys_next, + ctl_zs_first, quotient_polys, } = &proof.openings; @@ -91,11 +106,12 @@ fn verify_stark_proof_with_challenges_circuit< local_values, next_values, &public_inputs - .into_iter() - .map(|t| builder.convert_to_ext(t)) + .iter() + .map(|&t| builder.convert_to_ext(t)) .collect::>(), ); + let degree_bits = proof.recover_degree_bits(inner_config); let zeta_pow_deg = builder.exp_power_of_2_extension(challenges.stark_zeta, degree_bits); let z_h_zeta = builder.sub_extension(zeta_pow_deg, one); let (l_0, l_last) = @@ -112,53 +128,67 @@ fn verify_stark_proof_with_challenges_circuit< l_last, ); - let permutation_data = stark - .uses_permutation_args() - .then(|| PermutationCheckDataTarget { - local_zs: permutation_zs.as_ref().unwrap().clone(), - next_zs: permutation_zs_next.as_ref().unwrap().clone(), - permutation_challenge_sets: challenges.permutation_challenge_sets.unwrap(), - }); + let num_lookup_columns = stark.num_lookup_helper_columns(inner_config); + let lookup_challenges = stark.uses_lookups().then(|| { + challenges + .lookup_challenge_set + .as_ref() + .unwrap() + .challenges + .iter() + .map(|ch| ch.beta) + .collect::>() + }); + + let lookup_vars = stark.uses_lookups().then(|| LookupCheckVarsTarget { + local_values: auxiliary_polys.as_ref().unwrap()[..num_lookup_columns].to_vec(), + next_values: auxiliary_polys_next.as_ref().unwrap()[..num_lookup_columns].to_vec(), + challenges: lookup_challenges.unwrap(), + }); with_context!( builder, "evaluate vanishing polynomial", eval_vanishing_poly_circuit::( builder, - &stark, - inner_config, + stark, &vars, - permutation_data, - &mut consumer, + lookup_vars, + ctl_vars, + &mut consumer ) ); let vanishing_polys_zeta = consumer.accumulators(); // Check each polynomial identity, of the form `vanishing(x) = Z_H(x) quotient(x)`, at zeta. let mut scale = ReducingFactorTarget::new(zeta_pow_deg); - for (i, chunk) in quotient_polys - .chunks(stark.quotient_degree_factor()) - .enumerate() - { - let recombined_quotient = scale.reduce(chunk, builder); - let computed_vanishing_poly = builder.mul_extension(z_h_zeta, recombined_quotient); - builder.connect_extension(vanishing_polys_zeta[i], computed_vanishing_poly); + if let Some(quotient_polys) = quotient_polys { + for (i, chunk) in quotient_polys + .chunks(stark.quotient_degree_factor()) + .enumerate() + { + let recombined_quotient = scale.reduce(chunk, builder); + let computed_vanishing_poly = builder.mul_extension(z_h_zeta, recombined_quotient); + builder.connect_extension(vanishing_polys_zeta[i], computed_vanishing_poly); + } } - let merkle_caps = once(proof.trace_cap) - .chain(proof.permutation_zs_cap) - .chain(once(proof.quotient_polys_cap)) + let merkle_caps = once(proof.trace_cap.clone()) + .chain(proof.auxiliary_polys_cap.clone()) + .chain(proof.quotient_polys_cap.clone()) .collect_vec(); let fri_instance = stark.fri_instance_target( builder, challenges.stark_zeta, F::primitive_root_of_unity(degree_bits), + num_ctl_polys, + ctl_zs_first.as_ref().map_or(0, |c| c.len()), inner_config, ); builder.verify_fri_proof::( &fri_instance, - &proof.openings.to_fri_openings(), + &proof.openings.to_fri_openings(zero), &challenges.fri_challenges, &merkle_caps, &proof.opening_proof, @@ -185,17 +215,27 @@ fn eval_l_0_and_l_last_circuit, const D: usize>( ) } +/// Adds a new `StarkProofWithPublicInputsTarget` to this circuit. pub fn add_virtual_stark_proof_with_pis< F: RichField + Extendable, S: Stark, const D: usize, >( builder: &mut CircuitBuilder, - stark: S, + stark: &S, config: &StarkConfig, degree_bits: usize, + num_ctl_helper_zs: usize, + num_ctl_zs: usize, ) -> StarkProofWithPublicInputsTarget { - let proof = add_virtual_stark_proof::(builder, stark, config, degree_bits); + let proof = add_virtual_stark_proof::( + builder, + stark, + config, + degree_bits, + num_ctl_helper_zs, + num_ctl_zs, + ); let public_inputs = builder.add_virtual_targets(S::PUBLIC_INPUTS); StarkProofWithPublicInputsTarget { proof, @@ -203,61 +243,88 @@ pub fn add_virtual_stark_proof_with_pis< } } +/// Adds a new `StarkProofTarget` to this circuit. pub fn add_virtual_stark_proof, S: Stark, const D: usize>( builder: &mut CircuitBuilder, - stark: S, + stark: &S, config: &StarkConfig, degree_bits: usize, + num_ctl_helper_zs: usize, + num_ctl_zs: usize, ) -> StarkProofTarget { let fri_params = config.fri_params(degree_bits); let cap_height = fri_params.config.cap_height; let num_leaves_per_oracle = once(S::COLUMNS) .chain( - stark - .uses_permutation_args() - .then(|| stark.num_permutation_batches(config)), + (stark.uses_lookups() || stark.requires_ctls()) + .then(|| stark.num_lookup_helper_columns(config) + num_ctl_helper_zs), + ) + .chain( + (stark.quotient_degree_factor() > 0) + .then(|| stark.quotient_degree_factor() * config.num_challenges), ) - .chain(once(stark.quotient_degree_factor() * config.num_challenges)) .collect_vec(); - let permutation_zs_cap = stark - .uses_permutation_args() + let auxiliary_polys_cap = (stark.uses_lookups() || stark.requires_ctls()) .then(|| builder.add_virtual_cap(cap_height)); + let quotient_polys_cap = + (stark.constraint_degree() > 0).then(|| builder.add_virtual_cap(cap_height)); + StarkProofTarget { trace_cap: builder.add_virtual_cap(cap_height), - permutation_zs_cap, - quotient_polys_cap: builder.add_virtual_cap(cap_height), - openings: add_stark_opening_set_target::(builder, stark, config), + auxiliary_polys_cap, + quotient_polys_cap, + openings: add_virtual_stark_opening_set::( + builder, + stark, + num_ctl_helper_zs, + num_ctl_zs, + config, + ), opening_proof: builder.add_virtual_fri_proof(&num_leaves_per_oracle, &fri_params), } } -fn add_stark_opening_set_target, S: Stark, const D: usize>( +fn add_virtual_stark_opening_set, S: Stark, const D: usize>( builder: &mut CircuitBuilder, - stark: S, + stark: &S, + num_ctl_helper_zs: usize, + num_ctl_zs: usize, config: &StarkConfig, ) -> StarkOpeningSetTarget { - let num_challenges = config.num_challenges; StarkOpeningSetTarget { local_values: builder.add_virtual_extension_targets(S::COLUMNS), next_values: builder.add_virtual_extension_targets(S::COLUMNS), - permutation_zs: stark - .uses_permutation_args() - .then(|| builder.add_virtual_extension_targets(stark.num_permutation_batches(config))), - permutation_zs_next: stark - .uses_permutation_args() - .then(|| builder.add_virtual_extension_targets(stark.num_permutation_batches(config))), - quotient_polys: builder - .add_virtual_extension_targets(stark.quotient_degree_factor() * num_challenges), + auxiliary_polys: (stark.uses_lookups() || stark.requires_ctls()).then(|| { + builder.add_virtual_extension_targets( + stark.num_lookup_helper_columns(config) + num_ctl_helper_zs, + ) + }), + auxiliary_polys_next: (stark.uses_lookups() || stark.requires_ctls()).then(|| { + builder.add_virtual_extension_targets( + stark.num_lookup_helper_columns(config) + num_ctl_helper_zs, + ) + }), + ctl_zs_first: stark + .requires_ctls() + .then(|| builder.add_virtual_targets(num_ctl_zs)), + quotient_polys: (stark.constraint_degree() > 0).then(|| { + builder.add_virtual_extension_targets( + stark.quotient_degree_factor() * config.num_challenges, + ) + }), } } +/// Set the targets in a `StarkProofWithPublicInputsTarget` to +/// their corresponding values in a `StarkProofWithPublicInputs`. pub fn set_stark_proof_with_pis_target, W, const D: usize>( witness: &mut W, stark_proof_with_pis_target: &StarkProofWithPublicInputsTarget, stark_proof_with_pis: &StarkProofWithPublicInputs, + zero: Target, ) where F: RichField + Extendable, C::Hasher: AlgebraicHasher, @@ -277,53 +344,61 @@ pub fn set_stark_proof_with_pis_target, W, const D witness.set_target(pi_t, pi); } - set_stark_proof_target(witness, pt, proof); + set_stark_proof_target(witness, pt, proof, zero); } +/// Set the targets in a [`StarkProofTarget`] to their corresponding values in a +/// [`StarkProof`]. pub fn set_stark_proof_target, W, const D: usize>( witness: &mut W, proof_target: &StarkProofTarget, proof: &StarkProof, + zero: Target, ) where F: RichField + Extendable, C::Hasher: AlgebraicHasher, W: Witness, { witness.set_cap_target(&proof_target.trace_cap, &proof.trace_cap); - witness.set_cap_target(&proof_target.quotient_polys_cap, &proof.quotient_polys_cap); + if let (Some(quotient_polys_cap_target), Some(quotient_polys_cap)) = + (&proof_target.quotient_polys_cap, &proof.quotient_polys_cap) + { + witness.set_cap_target(quotient_polys_cap_target, quotient_polys_cap); + } witness.set_fri_openings( - &proof_target.openings.to_fri_openings(), + &proof_target.openings.to_fri_openings(zero), &proof.openings.to_fri_openings(), ); - if let (Some(permutation_zs_cap_target), Some(permutation_zs_cap)) = - (&proof_target.permutation_zs_cap, &proof.permutation_zs_cap) - { - witness.set_cap_target(permutation_zs_cap_target, permutation_zs_cap); + if let (Some(auxiliary_polys_cap_target), Some(auxiliary_polys_cap)) = ( + &proof_target.auxiliary_polys_cap, + &proof.auxiliary_polys_cap, + ) { + witness.set_cap_target(auxiliary_polys_cap_target, auxiliary_polys_cap); } set_fri_proof_target(witness, &proof_target.opening_proof, &proof.opening_proof); } -/// Utility function to check that all permutation data wrapped in `Option`s are `Some` iff -/// the Stark uses a permutation argument. -fn check_permutation_options, S: Stark, const D: usize>( +/// Utility function to check that all lookups data wrapped in `Option`s are `Some` iff +/// the STARK uses a permutation argument. +fn check_lookup_options, S: Stark, const D: usize>( stark: &S, - proof_with_pis: &StarkProofWithPublicInputsTarget, + proof: &StarkProofTarget, challenges: &StarkProofChallengesTarget, ) -> Result<()> { let options_is_some = [ - proof_with_pis.proof.permutation_zs_cap.is_some(), - proof_with_pis.proof.openings.permutation_zs.is_some(), - proof_with_pis.proof.openings.permutation_zs_next.is_some(), - challenges.permutation_challenge_sets.is_some(), + proof.auxiliary_polys_cap.is_some(), + proof.openings.auxiliary_polys.is_some(), + proof.openings.auxiliary_polys_next.is_some(), + challenges.lookup_challenge_set.is_some(), ]; ensure!( options_is_some - .into_iter() - .all(|b| b == stark.uses_permutation_args()), - "Permutation data doesn't match with Stark configuration." + .iter() + .all(|&b| b == stark.uses_lookups() || stark.requires_ctls()), + "Lookups data doesn't match with STARK configuration." ); Ok(()) } diff --git a/starky/src/stark.rs b/starky/src/stark.rs index 1e7b07117b..c47f969245 100644 --- a/starky/src/stark.rs +++ b/starky/src/stark.rs @@ -1,8 +1,12 @@ -use alloc::vec; -use alloc::vec::Vec; +//! Implementation of the [`Stark`] trait that defines the set of constraints +//! related to a statement. + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use plonky2::field::extension::{Extendable, FieldExtension}; use plonky2::field::packed::PackedField; +use plonky2::field::types::Field; use plonky2::fri::structure::{ FriBatchInfo, FriBatchInfoTarget, FriInstanceInfo, FriInstanceInfoTarget, FriOracleInfo, FriPolynomialInfo, @@ -10,17 +14,17 @@ use plonky2::fri::structure::{ use plonky2::hash::hash_types::RichField; use plonky2::iop::ext_target::ExtensionTarget; use plonky2::plonk::circuit_builder::CircuitBuilder; -use plonky2::util::ceil_div_usize; use crate::config::StarkConfig; use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; use crate::evaluation_frame::StarkEvaluationFrame; -use crate::permutation::PermutationPair; +use crate::lookup::Lookup; /// Represents a STARK system. pub trait Stark, const D: usize>: Sync { /// The total number of columns in the trace. const COLUMNS: usize = Self::EvaluationFrameTarget::COLUMNS; + /// The total number of public inputs. const PUBLIC_INPUTS: usize = Self::EvaluationFrameTarget::PUBLIC_INPUTS; /// This is used to evaluate constraints natively. @@ -32,7 +36,7 @@ pub trait Stark, const D: usize>: Sync { /// The `Target` version of `Self::EvaluationFrame`, used to evaluate constraints recursively. type EvaluationFrameTarget: StarkEvaluationFrame, ExtensionTarget>; - /// Evaluate constraints at a vector of points. + /// Evaluates constraints at a vector of points. /// /// The points are elements of a field `FE`, a degree `D2` extension of `F`. This lets us /// evaluate constraints over a larger domain if desired. This can also be called with `FE = F` @@ -46,7 +50,7 @@ pub trait Stark, const D: usize>: Sync { FE: FieldExtension, P: PackedField; - /// Evaluate constraints at a vector of points from the base field `F`. + /// Evaluates constraints at a vector of points from the base field `F`. fn eval_packed_base>( &self, vars: &Self::EvaluationFrame, @@ -55,7 +59,7 @@ pub trait Stark, const D: usize>: Sync { self.eval_packed_generic(vars, yield_constr) } - /// Evaluate constraints at a single point from the degree `D` extension field. + /// Evaluates constraints at a single point from the degree `D` extension field. fn eval_ext( &self, vars: &Self::EvaluationFrame, @@ -64,10 +68,10 @@ pub trait Stark, const D: usize>: Sync { self.eval_packed_generic(vars, yield_constr) } - /// Evaluate constraints at a vector of points from the degree `D` extension field. This is like - /// `eval_ext`, except in the context of a recursive circuit. - /// Note: constraints must be added through`yield_constr.constraint(builder, constraint)` in the - /// same order as they are given in `eval_packed_generic`. + /// Evaluates constraints at a vector of points from the degree `D` extension field. + /// This is like `eval_ext`, except in the context of a recursive circuit. + /// Note: constraints must be added through`yield_constr.constraint(builder, constraint)` + /// in the same order as they are given in `eval_packed_generic`. fn eval_ext_circuit( &self, builder: &mut CircuitBuilder, @@ -75,14 +79,19 @@ pub trait Stark, const D: usize>: Sync { yield_constr: &mut RecursiveConstraintConsumer, ); - /// The maximum constraint degree. + /// Outputs the maximum constraint degree of this [`Stark`]. fn constraint_degree(&self) -> usize; - /// The maximum constraint degree. + /// Outputs the maximum quotient polynomial's degree factor of this [`Stark`]. fn quotient_degree_factor(&self) -> usize { - 1.max(self.constraint_degree() - 1) + match self.constraint_degree().checked_sub(1) { + Some(v) => 1.max(v), + None => 0, + } } + /// Outputs the number of quotient polynomials this [`Stark`] would require with + /// the provided [`StarkConfig`] fn num_quotient_polys(&self, config: &StarkConfig) -> usize { self.quotient_degree_factor() * config.num_challenges } @@ -92,49 +101,71 @@ pub trait Stark, const D: usize>: Sync { &self, zeta: F::Extension, g: F, + num_ctl_helpers: usize, + num_ctl_zs: Vec, config: &StarkConfig, ) -> FriInstanceInfo { let mut oracles = vec![]; - let trace_info = FriPolynomialInfo::from_range(oracles.len(), 0..Self::COLUMNS); oracles.push(FriOracleInfo { num_polys: Self::COLUMNS, blinding: false, }); - let permutation_zs_info = if self.uses_permutation_args() { - let num_z_polys = self.num_permutation_batches(config); - let polys = FriPolynomialInfo::from_range(oracles.len(), 0..num_z_polys); + let num_lookup_columns = self.num_lookup_helper_columns(config); + let num_auxiliary_polys = num_lookup_columns + num_ctl_helpers + num_ctl_zs.len(); + let auxiliary_polys_info = if self.uses_lookups() || self.requires_ctls() { + let aux_polys = FriPolynomialInfo::from_range(oracles.len(), 0..num_auxiliary_polys); oracles.push(FriOracleInfo { - num_polys: num_z_polys, + num_polys: num_auxiliary_polys, blinding: false, }); - polys + aux_polys } else { vec![] }; - let num_quotient_polys = self.quotient_degree_factor() * config.num_challenges; - let quotient_info = FriPolynomialInfo::from_range(oracles.len(), 0..num_quotient_polys); - oracles.push(FriOracleInfo { - num_polys: num_quotient_polys, - blinding: false, - }); + let num_quotient_polys = self.num_quotient_polys(config); + let quotient_info = if num_quotient_polys > 0 { + let quotient_polys = + FriPolynomialInfo::from_range(oracles.len(), 0..num_quotient_polys); + oracles.push(FriOracleInfo { + num_polys: num_quotient_polys, + blinding: false, + }); + quotient_polys + } else { + vec![] + }; let zeta_batch = FriBatchInfo { point: zeta, polynomials: [ trace_info.clone(), - permutation_zs_info.clone(), + auxiliary_polys_info.clone(), quotient_info, ] .concat(), }; let zeta_next_batch = FriBatchInfo { point: zeta.scalar_mul(g), - polynomials: [trace_info, permutation_zs_info].concat(), + polynomials: [trace_info, auxiliary_polys_info].concat(), }; - let batches = vec![zeta_batch, zeta_next_batch]; + + let mut batches = vec![zeta_batch, zeta_next_batch]; + + if self.requires_ctls() { + let ctl_zs_info = FriPolynomialInfo::from_range( + 1, // auxiliary oracle index + num_lookup_columns + num_ctl_helpers..num_auxiliary_polys, + ); + let ctl_first_batch = FriBatchInfo { + point: F::Extension::ONE, + polynomials: ctl_zs_info, + }; + + batches.push(ctl_first_batch); + } FriInstanceInfo { oracles, batches } } @@ -145,40 +176,48 @@ pub trait Stark, const D: usize>: Sync { builder: &mut CircuitBuilder, zeta: ExtensionTarget, g: F, + num_ctl_helper_polys: usize, + num_ctl_zs: usize, config: &StarkConfig, ) -> FriInstanceInfoTarget { let mut oracles = vec![]; - let trace_info = FriPolynomialInfo::from_range(oracles.len(), 0..Self::COLUMNS); oracles.push(FriOracleInfo { num_polys: Self::COLUMNS, blinding: false, }); - let permutation_zs_info = if self.uses_permutation_args() { - let num_z_polys = self.num_permutation_batches(config); - let polys = FriPolynomialInfo::from_range(oracles.len(), 0..num_z_polys); + let num_lookup_columns = self.num_lookup_helper_columns(config); + let num_auxiliary_polys = num_lookup_columns + num_ctl_helper_polys + num_ctl_zs; + let auxiliary_polys_info = if self.uses_lookups() || self.requires_ctls() { + let aux_polys = FriPolynomialInfo::from_range(oracles.len(), 0..num_auxiliary_polys); oracles.push(FriOracleInfo { - num_polys: num_z_polys, + num_polys: num_auxiliary_polys, blinding: false, }); - polys + aux_polys } else { vec![] }; - let num_quotient_polys = self.quotient_degree_factor() * config.num_challenges; - let quotient_info = FriPolynomialInfo::from_range(oracles.len(), 0..num_quotient_polys); - oracles.push(FriOracleInfo { - num_polys: num_quotient_polys, - blinding: false, - }); + let num_quotient_polys = self.num_quotient_polys(config); + let quotient_info = if num_quotient_polys > 0 { + let quotient_polys = + FriPolynomialInfo::from_range(oracles.len(), 0..num_quotient_polys); + oracles.push(FriOracleInfo { + num_polys: num_quotient_polys, + blinding: false, + }); + quotient_polys + } else { + vec![] + }; let zeta_batch = FriBatchInfoTarget { point: zeta, polynomials: [ trace_info.clone(), - permutation_zs_info.clone(), + auxiliary_polys_info.clone(), quotient_info, ] .concat(), @@ -186,40 +225,53 @@ pub trait Stark, const D: usize>: Sync { let zeta_next = builder.mul_const_extension(g, zeta); let zeta_next_batch = FriBatchInfoTarget { point: zeta_next, - polynomials: [trace_info, permutation_zs_info].concat(), + polynomials: [trace_info, auxiliary_polys_info].concat(), }; - let batches = vec![zeta_batch, zeta_next_batch]; + + let mut batches = vec![zeta_batch, zeta_next_batch]; + + if self.requires_ctls() { + let ctl_zs_info = FriPolynomialInfo::from_range( + 1, // auxiliary oracle index + num_lookup_columns + num_ctl_helper_polys..num_auxiliary_polys, + ); + let ctl_first_batch = FriBatchInfoTarget { + point: builder.one_extension(), + polynomials: ctl_zs_info, + }; + + batches.push(ctl_first_batch); + } FriInstanceInfoTarget { oracles, batches } } - /// Pairs of lists of columns that should be permutations of one another. A permutation argument - /// will be used for each such pair. Empty by default. - fn permutation_pairs(&self) -> Vec { + /// Outputs all the [`Lookup`] this STARK table needs to perform across its columns. + fn lookups(&self) -> Vec> { vec![] } - fn uses_permutation_args(&self) -> bool { - !self.permutation_pairs().is_empty() + /// Outputs the number of total lookup helper columns, based on this STARK's vector + /// of [`Lookup`] and the number of challenges used by this [`StarkConfig`]. + fn num_lookup_helper_columns(&self, config: &StarkConfig) -> usize { + self.lookups() + .iter() + .map(|lookup| lookup.num_helper_columns(self.constraint_degree())) + .sum::() + * config.num_challenges } - /// The number of permutation argument instances that can be combined into a single constraint. - fn permutation_batch_size(&self) -> usize { - // The permutation argument constraints look like - // Z(x) \prod(...) = Z(g x) \prod(...) - // where each product has a number of terms equal to the batch size. So our batch size - // should be one less than our constraint degree, which happens to be our quotient degree. - self.quotient_degree_factor() + /// Indicates whether this STARK uses lookups over some of its columns, and as such requires + /// additional steps during proof generation to handle auxiliary polynomials. + fn uses_lookups(&self) -> bool { + !self.lookups().is_empty() } - fn num_permutation_instances(&self, config: &StarkConfig) -> usize { - self.permutation_pairs().len() * config.num_challenges - } - - fn num_permutation_batches(&self, config: &StarkConfig) -> usize { - ceil_div_usize( - self.num_permutation_instances(config), - self.permutation_batch_size(), - ) + /// Indicates whether this STARK belongs to a multi-STARK system, and as such may require + /// cross-table lookups to connect shared values across different traces. + /// + /// It defaults to `false`, i.e. for simple uni-STARK systems. + fn requires_ctls(&self) -> bool { + false } } diff --git a/starky/src/stark_testing.rs b/starky/src/stark_testing.rs index a454a29c34..bbe1c840c9 100644 --- a/starky/src/stark_testing.rs +++ b/starky/src/stark_testing.rs @@ -1,5 +1,7 @@ -use alloc::vec; -use alloc::vec::Vec; +//! Utility module for testing [`Stark`] implementation. + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; use anyhow::{ensure, Result}; use plonky2::field::extension::{Extendable, FieldExtension}; @@ -56,7 +58,7 @@ pub fn test_stark_low_degree, S: Stark, const .collect::>(); let constraint_eval_degree = PolynomialValues::new(constraint_evals).degree(); - let maximum_degree = WITNESS_SIZE * stark.constraint_degree() - 1; + let maximum_degree = (WITNESS_SIZE * stark.constraint_degree()).saturating_sub(1); ensure!( constraint_eval_degree <= maximum_degree, diff --git a/starky/src/unconstrained_stark.rs b/starky/src/unconstrained_stark.rs new file mode 100644 index 0000000000..2f93c25556 --- /dev/null +++ b/starky/src/unconstrained_stark.rs @@ -0,0 +1,201 @@ +//! An example of proving and verifying an empty STARK (that is, +//! a proof of knowledge of the trace) + +#[cfg(not(feature = "std"))] +use alloc::{vec, vec::Vec}; +use core::marker::PhantomData; + +use plonky2::field::extension::{Extendable, FieldExtension}; +use plonky2::field::packed::PackedField; +use plonky2::field::polynomial::PolynomialValues; +use plonky2::hash::hash_types::RichField; +use plonky2::iop::ext_target::ExtensionTarget; +use plonky2::plonk::circuit_builder::CircuitBuilder; + +use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; +use crate::evaluation_frame::StarkFrame; +use crate::stark::Stark; +use crate::util::trace_rows_to_poly_values; + +/// A trace wirh arbitrary values +#[derive(Copy, Clone)] +struct UnconstrainedStark, const D: usize> { + num_rows: usize, + _phantom: PhantomData, +} + +impl, const D: usize> UnconstrainedStark { + const fn new(num_rows: usize) -> Self { + Self { + num_rows, + _phantom: PhantomData, + } + } + + /// Generate the trace using two columns of random values + fn generate_trace(&self) -> Vec> { + let trace_rows = (0..self.num_rows) + .map(|_| [F::rand(), F::rand()]) + .collect::>(); + trace_rows_to_poly_values(trace_rows) + } +} + +const COLUMNS: usize = 2; +const PUBLIC_INPUTS: usize = 0; + +impl, const D: usize> Stark for UnconstrainedStark { + type EvaluationFrame = StarkFrame + where + FE: FieldExtension, + P: PackedField; + + type EvaluationFrameTarget = + StarkFrame, ExtensionTarget, COLUMNS, PUBLIC_INPUTS>; + + fn constraint_degree(&self) -> usize { + 0 + } + + // We don't constrain any register. + fn eval_packed_generic( + &self, + _vars: &Self::EvaluationFrame, + _yield_constr: &mut ConstraintConsumer

, + ) where + FE: FieldExtension, + P: PackedField, + { + } + + // We don't constrain any register. + fn eval_ext_circuit( + &self, + _builder: &mut CircuitBuilder, + _vars: &Self::EvaluationFrameTarget, + _yield_constr: &mut RecursiveConstraintConsumer, + ) { + } +} + +#[cfg(test)] +mod tests { + use anyhow::Result; + use plonky2::field::extension::Extendable; + use plonky2::hash::hash_types::RichField; + use plonky2::iop::witness::PartialWitness; + use plonky2::plonk::circuit_builder::CircuitBuilder; + use plonky2::plonk::circuit_data::CircuitConfig; + use plonky2::plonk::config::{AlgebraicHasher, GenericConfig, PoseidonGoldilocksConfig}; + use plonky2::util::timing::TimingTree; + + use crate::config::StarkConfig; + use crate::proof::StarkProofWithPublicInputs; + use crate::prover::prove; + use crate::recursive_verifier::{ + add_virtual_stark_proof_with_pis, set_stark_proof_with_pis_target, + verify_stark_proof_circuit, + }; + use crate::stark::Stark; + use crate::stark_testing::{test_stark_circuit_constraints, test_stark_low_degree}; + use crate::unconstrained_stark::UnconstrainedStark; + use crate::verifier::verify_stark_proof; + + #[test] + fn test_unconstrained_stark() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = UnconstrainedStark; + + let config = StarkConfig::standard_fast_config(); + let num_rows = 1 << 5; + + let stark = S::new(num_rows); + let trace = stark.generate_trace(); + let proof = prove::(stark, &config, trace, &[], &mut TimingTree::default())?; + + verify_stark_proof(stark, proof, &config) + } + + #[test] + fn test_unconstrained_stark_degree() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = UnconstrainedStark; + + let num_rows = 1 << 5; + let stark = S::new(num_rows); + test_stark_low_degree(stark) + } + + #[test] + fn test_unconstrained_stark_circuit() -> Result<()> { + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = UnconstrainedStark; + + let num_rows = 1 << 5; + let stark = S::new(num_rows); + test_stark_circuit_constraints::(stark) + } + + #[test] + fn test_recursive_stark_verifier() -> Result<()> { + init_logger(); + const D: usize = 2; + type C = PoseidonGoldilocksConfig; + type F = >::F; + type S = UnconstrainedStark; + + let config = StarkConfig::standard_fast_config(); + let num_rows = 1 << 5; + + let stark = S::new(num_rows); + let trace = stark.generate_trace(); + let proof = prove::(stark, &config, trace, &[], &mut TimingTree::default())?; + verify_stark_proof(stark, proof.clone(), &config)?; + + recursive_proof::(stark, proof, &config, true) + } + + fn recursive_proof< + F: RichField + Extendable, + C: GenericConfig, + S: Stark + Copy, + InnerC: GenericConfig, + const D: usize, + >( + stark: S, + inner_proof: StarkProofWithPublicInputs, + inner_config: &StarkConfig, + print_gate_counts: bool, + ) -> Result<()> + where + InnerC::Hasher: AlgebraicHasher, + { + let circuit_config = CircuitConfig::standard_recursion_config(); + let mut builder = CircuitBuilder::::new(circuit_config); + let mut pw = PartialWitness::new(); + let degree_bits = inner_proof.proof.recover_degree_bits(inner_config); + let pt = + add_virtual_stark_proof_with_pis(&mut builder, &stark, inner_config, degree_bits, 0, 0); + set_stark_proof_with_pis_target(&mut pw, &pt, &inner_proof, builder.zero()); + + verify_stark_proof_circuit::(&mut builder, stark, pt, inner_config); + + if print_gate_counts { + builder.print_gate_counts(0); + } + + let data = builder.build::(); + let proof = data.prove(pw)?; + data.verify(proof) + } + + fn init_logger() { + let _ = env_logger::builder().format_timestamp(None).try_init(); + } +} diff --git a/starky/src/util.rs b/starky/src/util.rs index 1adee0003b..08b2c70253 100644 --- a/starky/src/util.rs +++ b/starky/src/util.rs @@ -1,3 +1,6 @@ +//! Utility module providing some helper functions. + +#[cfg(not(feature = "std"))] use alloc::vec::Vec; use itertools::Itertools; diff --git a/starky/src/vanishing_poly.rs b/starky/src/vanishing_poly.rs index 0a399dce53..c5ea5c1076 100644 --- a/starky/src/vanishing_poly.rs +++ b/starky/src/vanishing_poly.rs @@ -3,19 +3,25 @@ use plonky2::field::packed::PackedField; use plonky2::hash::hash_types::RichField; use plonky2::plonk::circuit_builder::CircuitBuilder; -use crate::config::StarkConfig; use crate::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsumer}; -use crate::permutation::{ - eval_permutation_checks, eval_permutation_checks_circuit, PermutationCheckDataTarget, - PermutationCheckVars, +use crate::cross_table_lookup::{ + eval_cross_table_lookup_checks, eval_cross_table_lookup_checks_circuit, CtlCheckVars, + CtlCheckVarsTarget, +}; +use crate::lookup::{ + eval_ext_lookups_circuit, eval_packed_lookups_generic, Lookup, LookupCheckVars, + LookupCheckVarsTarget, }; use crate::stark::Stark; +/// Evaluates all constraint, permutation and cross-table lookup polynomials +/// of the current STARK at the local and next values. pub(crate) fn eval_vanishing_poly( stark: &S, - config: &StarkConfig, vars: &S::EvaluationFrame, - permutation_data: Option>, + lookups: &[Lookup], + lookup_vars: Option>, + ctl_vars: Option<&[CtlCheckVars]>, consumer: &mut ConstraintConsumer

, ) where F: RichField + Extendable, @@ -23,38 +29,57 @@ pub(crate) fn eval_vanishing_poly( P: PackedField, S: Stark, { + // Evaluate all of the STARK's table constraints. stark.eval_packed_generic(vars, consumer); - if let Some(permutation_data) = permutation_data { - eval_permutation_checks::( + if let Some(lookup_vars) = lookup_vars { + // Evaluate the STARK constraints related to the permutation arguments. + eval_packed_lookups_generic::( stark, - config, + lookups, vars, - permutation_data, + lookup_vars, consumer, ); } + if let Some(ctl_vars) = ctl_vars { + // Evaluate the STARK constraints related to the CTLs. + eval_cross_table_lookup_checks::( + vars, + ctl_vars, + consumer, + stark.constraint_degree(), + ); + } } +/// Circuit version of `eval_vanishing_poly`. +/// Evaluates all constraint, permutation and cross-table lookup polynomials +/// of the current STARK at the local and next values. pub(crate) fn eval_vanishing_poly_circuit( builder: &mut CircuitBuilder, stark: &S, - config: &StarkConfig, vars: &S::EvaluationFrameTarget, - permutation_data: Option>, + lookup_vars: Option>, + ctl_vars: Option<&[CtlCheckVarsTarget]>, consumer: &mut RecursiveConstraintConsumer, ) where F: RichField + Extendable, S: Stark, { + // Evaluate all of the STARK's table constraints. stark.eval_ext_circuit(builder, vars, consumer); - if let Some(permutation_data) = permutation_data { - eval_permutation_checks_circuit::( + if let Some(lookup_vars) = lookup_vars { + // Evaluate all of the STARK's constraints related to the permutation argument. + eval_ext_lookups_circuit::(builder, stark, vars, lookup_vars, consumer); + } + if let Some(ctl_vars) = ctl_vars { + // Evaluate all of the STARK's constraints related to the CTLs. + eval_cross_table_lookup_checks_circuit::( builder, - stark, - config, vars, - permutation_data, + ctl_vars, consumer, + stark.constraint_degree(), ); } } diff --git a/starky/src/verifier.rs b/starky/src/verifier.rs index 28b9a3e2b3..d56072ad3a 100644 --- a/starky/src/verifier.rs +++ b/starky/src/verifier.rs @@ -1,4 +1,8 @@ +//! Implementation of the STARK verifier. + +#[cfg(not(feature = "std"))] use alloc::vec::Vec; +use core::any::type_name; use core::iter::once; use anyhow::{anyhow, ensure, Result}; @@ -7,17 +11,21 @@ use plonky2::field::extension::{Extendable, FieldExtension}; use plonky2::field::types::Field; use plonky2::fri::verifier::verify_fri_proof; use plonky2::hash::hash_types::RichField; +use plonky2::hash::merkle_tree::MerkleCap; +use plonky2::iop::challenger::Challenger; use plonky2::plonk::config::GenericConfig; use plonky2::plonk::plonk_common::reduce_with_powers; use crate::config::StarkConfig; use crate::constraint_consumer::ConstraintConsumer; +use crate::cross_table_lookup::CtlCheckVars; use crate::evaluation_frame::StarkEvaluationFrame; -use crate::permutation::PermutationCheckVars; +use crate::lookup::LookupCheckVars; use crate::proof::{StarkOpeningSet, StarkProof, StarkProofChallenges, StarkProofWithPublicInputs}; use crate::stark::Stark; use crate::vanishing_poly::eval_vanishing_poly; +/// Verifies a [`StarkProofWithPublicInputs`] against a STARK statement. pub fn verify_stark_proof< F: RichField + Extendable, C: GenericConfig, @@ -29,36 +37,66 @@ pub fn verify_stark_proof< config: &StarkConfig, ) -> Result<()> { ensure!(proof_with_pis.public_inputs.len() == S::PUBLIC_INPUTS); - let degree_bits = proof_with_pis.proof.recover_degree_bits(config); - let challenges = proof_with_pis.get_challenges(&stark, config, degree_bits); - verify_stark_proof_with_challenges(stark, proof_with_pis, challenges, degree_bits, config) + let mut challenger = Challenger::::new(); + + let challenges = proof_with_pis.get_challenges(&mut challenger, None, false, config); + + verify_stark_proof_with_challenges( + &stark, + &proof_with_pis.proof, + &challenges, + None, + &proof_with_pis.public_inputs, + config, + ) } -pub(crate) fn verify_stark_proof_with_challenges< +/// Verifies a [`StarkProofWithPublicInputs`] against a STARK statement, +/// with the provided [`StarkProofChallenges`]. +/// It also supports optional cross-table lookups data and challenges, +/// in case this proof is part of a multi-STARK system. +pub fn verify_stark_proof_with_challenges( + stark: &S, + proof: &StarkProof, + challenges: &StarkProofChallenges, + ctl_vars: Option<&[CtlCheckVars]>, + public_inputs: &[F], + config: &StarkConfig, +) -> Result<()> +where F: RichField + Extendable, C: GenericConfig, S: Stark, - const D: usize, ->( - stark: S, - proof_with_pis: StarkProofWithPublicInputs, - challenges: StarkProofChallenges, - degree_bits: usize, - config: &StarkConfig, -) -> Result<()> { - validate_proof_shape(&stark, &proof_with_pis, config)?; - check_permutation_options(&stark, &proof_with_pis, &challenges)?; - let StarkProofWithPublicInputs { +{ + log::debug!("Checking proof: {}", type_name::()); + + let (num_ctl_z_polys, num_ctl_polys) = ctl_vars + .map(|ctls| { + ( + ctls.len(), + ctls.iter().map(|ctl| ctl.helper_columns.len()).sum(), + ) + }) + .unwrap_or_default(); + + validate_proof_shape( + stark, proof, public_inputs, - } = proof_with_pis; + config, + num_ctl_polys, + num_ctl_z_polys, + )?; + let StarkOpeningSet { local_values, next_values, - permutation_zs, - permutation_zs_next, + auxiliary_polys, + auxiliary_polys_next, + ctl_zs_first: _, quotient_polys, } = &proof.openings; + let vars = S::EvaluationFrame::from_values( local_values, next_values, @@ -68,9 +106,12 @@ pub(crate) fn verify_stark_proof_with_challenges< .map(F::Extension::from_basefield) .collect::>(), ); + + let degree_bits = proof.recover_degree_bits(config); let (l_0, l_last) = eval_l_0_and_l_last(degree_bits, challenges.stark_zeta); let last = F::primitive_root_of_unity(degree_bits).inverse(); let z_last = challenges.stark_zeta - last.into(); + let mut consumer = ConstraintConsumer::::new( challenges .stark_alphas @@ -81,16 +122,36 @@ pub(crate) fn verify_stark_proof_with_challenges< l_0, l_last, ); - let permutation_data = stark.uses_permutation_args().then(|| PermutationCheckVars { - local_zs: permutation_zs.as_ref().unwrap().clone(), - next_zs: permutation_zs_next.as_ref().unwrap().clone(), - permutation_challenge_sets: challenges.permutation_challenge_sets.unwrap(), + + let num_lookup_columns = stark.num_lookup_helper_columns(config); + let lookup_challenges = if stark.uses_lookups() { + Some( + challenges + .lookup_challenge_set + .as_ref() + .unwrap() + .challenges + .iter() + .map(|ch| ch.beta) + .collect::>(), + ) + } else { + None + }; + + let lookup_vars = stark.uses_lookups().then(|| LookupCheckVars { + local_values: auxiliary_polys.as_ref().unwrap()[..num_lookup_columns].to_vec(), + next_values: auxiliary_polys_next.as_ref().unwrap()[..num_lookup_columns].to_vec(), + challenges: lookup_challenges.unwrap(), }); + let lookups = stark.lookups(); + eval_vanishing_poly::( - &stark, - config, + stark, &vars, - permutation_data, + &lookups, + lookup_vars, + ctl_vars, &mut consumer, ); let vanishing_polys_zeta = consumer.accumulators(); @@ -103,8 +164,10 @@ pub(crate) fn verify_stark_proof_with_challenges< // where the "real" quotient polynomial is `t(X) = t_0(X) + t_1(X)*X^n + t_2(X)*X^{2n} + ...`. // So to reconstruct `t(zeta)` we can compute `reduce_with_powers(chunk, zeta^n)` for each // `quotient_degree_factor`-sized chunk of the original evaluations. + for (i, chunk) in quotient_polys - .chunks(stark.quotient_degree_factor()) + .iter() + .flat_map(|x| x.chunks(stark.quotient_degree_factor())) .enumerate() { ensure!( @@ -113,15 +176,25 @@ pub(crate) fn verify_stark_proof_with_challenges< ); } - let merkle_caps = once(proof.trace_cap) - .chain(proof.permutation_zs_cap) - .chain(once(proof.quotient_polys_cap)) + let merkle_caps = once(proof.trace_cap.clone()) + .chain(proof.auxiliary_polys_cap.clone()) + .chain(proof.quotient_polys_cap.clone()) .collect_vec(); + let num_ctl_zs = ctl_vars + .map(|vars| { + vars.iter() + .map(|ctl| ctl.helper_columns.len()) + .collect::>() + }) + .unwrap_or_default(); + verify_fri_proof::( &stark.fri_instance( challenges.stark_zeta, F::primitive_root_of_unity(degree_bits), + num_ctl_polys, + num_ctl_zs, config, ), &proof.openings.to_fri_openings(), @@ -136,23 +209,22 @@ pub(crate) fn verify_stark_proof_with_challenges< fn validate_proof_shape( stark: &S, - proof_with_pis: &StarkProofWithPublicInputs, + proof: &StarkProof, + public_inputs: &[F], config: &StarkConfig, + num_ctl_helpers: usize, + num_ctl_zs: usize, ) -> anyhow::Result<()> where F: RichField + Extendable, C: GenericConfig, S: Stark, { - let StarkProofWithPublicInputs { - proof, - public_inputs, - } = proof_with_pis; let degree_bits = proof.recover_degree_bits(config); let StarkProof { trace_cap, - permutation_zs_cap, + auxiliary_polys_cap, quotient_polys_cap, openings, // The shape of the opening proof will be checked in the FRI verifier (see @@ -163,8 +235,9 @@ where let StarkOpeningSet { local_values, next_values, - permutation_zs, - permutation_zs_next, + auxiliary_polys, + auxiliary_polys_next, + ctl_zs_first, quotient_polys, } = openings; @@ -172,34 +245,31 @@ where let fri_params = config.fri_params(degree_bits); let cap_height = fri_params.config.cap_height; - let num_zs = stark.num_permutation_batches(config); ensure!(trace_cap.height() == cap_height); - ensure!(quotient_polys_cap.height() == cap_height); + ensure!( + quotient_polys_cap.is_none() + || quotient_polys_cap.as_ref().map(|q| q.height()) == Some(cap_height) + ); ensure!(local_values.len() == S::COLUMNS); ensure!(next_values.len() == S::COLUMNS); - ensure!(quotient_polys.len() == stark.num_quotient_polys(config)); - - if stark.uses_permutation_args() { - let permutation_zs_cap = permutation_zs_cap - .as_ref() - .ok_or_else(|| anyhow!("Missing Zs cap"))?; - let permutation_zs = permutation_zs - .as_ref() - .ok_or_else(|| anyhow!("Missing permutation_zs"))?; - let permutation_zs_next = permutation_zs_next - .as_ref() - .ok_or_else(|| anyhow!("Missing permutation_zs_next"))?; - - ensure!(permutation_zs_cap.height() == cap_height); - ensure!(permutation_zs.len() == num_zs); - ensure!(permutation_zs_next.len() == num_zs); + ensure!(if let Some(quotient_polys) = quotient_polys { + quotient_polys.len() == stark.num_quotient_polys(config) } else { - ensure!(permutation_zs_cap.is_none()); - ensure!(permutation_zs.is_none()); - ensure!(permutation_zs_next.is_none()); - } + stark.num_quotient_polys(config) == 0 + }); + + check_lookup_options::( + stark, + auxiliary_polys_cap, + auxiliary_polys, + auxiliary_polys_next, + num_ctl_helpers, + num_ctl_zs, + ctl_zs_first, + config, + )?; Ok(()) } @@ -216,30 +286,50 @@ fn eval_l_0_and_l_last(log_n: usize, x: F) -> (F, F) { (z_x * invs[0], z_x * invs[1]) } -/// Utility function to check that all permutation data wrapped in `Option`s are `Some` iff -/// the Stark uses a permutation argument. -fn check_permutation_options< +/// Utility function to check that all lookups data wrapped in `Option`s are `Some` iff +/// the STARK uses a permutation argument. +fn check_lookup_options( + stark: &S, + auxiliary_polys_cap: &Option>::Hasher>>, + auxiliary_polys: &Option>::Extension>>, + auxiliary_polys_next: &Option>::Extension>>, + num_ctl_helpers: usize, + num_ctl_zs: usize, + ctl_zs_first: &Option>, + config: &StarkConfig, +) -> Result<()> +where F: RichField + Extendable, C: GenericConfig, S: Stark, - const D: usize, ->( - stark: &S, - proof_with_pis: &StarkProofWithPublicInputs, - challenges: &StarkProofChallenges, -) -> Result<()> { - let options_is_some = [ - proof_with_pis.proof.permutation_zs_cap.is_some(), - proof_with_pis.proof.openings.permutation_zs.is_some(), - proof_with_pis.proof.openings.permutation_zs_next.is_some(), - challenges.permutation_challenge_sets.is_some(), - ]; - ensure!( - options_is_some - .into_iter() - .all(|b| b == stark.uses_permutation_args()), - "Permutation data doesn't match with Stark configuration." - ); +{ + if stark.uses_lookups() || stark.requires_ctls() { + let num_auxiliary = stark.num_lookup_helper_columns(config) + num_ctl_helpers + num_ctl_zs; + let cap_height = config.fri_config.cap_height; + + let auxiliary_polys_cap = auxiliary_polys_cap + .as_ref() + .ok_or_else(|| anyhow!("Missing auxiliary_polys_cap"))?; + let auxiliary_polys = auxiliary_polys + .as_ref() + .ok_or_else(|| anyhow!("Missing auxiliary_polys"))?; + let auxiliary_polys_next = auxiliary_polys_next + .as_ref() + .ok_or_else(|| anyhow!("Missing auxiliary_polys_next"))?; + + if let Some(ctl_zs_first) = ctl_zs_first { + ensure!(ctl_zs_first.len() == num_ctl_zs); + } + + ensure!(auxiliary_polys_cap.height() == cap_height); + ensure!(auxiliary_polys.len() == num_auxiliary); + ensure!(auxiliary_polys_next.len() == num_auxiliary); + } else { + ensure!(auxiliary_polys_cap.is_none()); + ensure!(auxiliary_polys.is_none()); + ensure!(auxiliary_polys_next.is_none()); + } + Ok(()) } diff --git a/util/Cargo.toml b/util/Cargo.toml index 758391c3b9..441111afe6 100644 --- a/util/Cargo.toml +++ b/util/Cargo.toml @@ -1,7 +1,7 @@ [package] name = "plonky2_util" description = "Utilities used by Plonky2" -version = "0.1.1" +version = "0.2.0" license = "MIT OR Apache-2.0" edition = "2021"