added example of custom mask #84 NilFoundation/crypto3-zk-marshalling#53

NilFoundation/zkllvm-transpiler#49
NilFoundation · Nov 8, 2023 · 0ccfe55 · 0ccfe55
1 parent a51e6a6
commit 0ccfe55
Show file tree

Hide file tree

Showing 43 changed files with 520 additions and 628 deletions.
diff --git a/contracts/zkllvm/circuit1/commitment.sol b/contracts/zkllvm/circuit1/commitment.sol
@@ -37,7 +37,7 @@ library modular_commitment_scheme_circuit1 {
     uint256 constant unique_points = 4;
     uint256 constant permutation_point = 2;
     uint256 constant quotient_point = 0;
-    uint256 constant lookup_point = 94325795984320;
+    uint256 constant lookup_point = 140731511355664;
     bytes constant   points_ids = hex"01010101010101010303010100000000";
     uint256 constant omega = 14450201850503471296781915119640920297985789873634237091629829669980153907901;
     uint256 constant _etha = 14062721881273474090606415031361994540585550571695842571456013353340629726555;
@@ -247,8 +247,8 @@ library modular_commitment_scheme_circuit1 {
     }
 
     function compute_combined_Q(bytes calldata blob,commitment_state memory state) internal view returns(uint256[2] memory y){
-        for(uint256 p = 0; p < unique_points; ){
-            uint256[2] memory tmp;
+        uint256[2][unique_points] memory values;
+        {
             uint256 offset = state.initial_data_offset - state.poly_num * 0x40; // Save initial data offset for future use;
             uint256 cur = 0;
             for(uint256 b = 0; b < batches_num;){
@@ -260,17 +260,21 @@ library modular_commitment_scheme_circuit1 {
                     else if(b == 4) cur_point = lookup_point;
                     else console.log("Wrong index");
 
-                    tmp[0] = mulmod(tmp[0], state.theta, modulus);
-                    tmp[1] = mulmod(tmp[1], state.theta, modulus);
-
-                    if(cur_point == p){
-                        tmp[0] = addmod(tmp[0], basic_marshalling.get_uint256_be(blob, offset), modulus);
-                        tmp[1] = addmod(tmp[1], basic_marshalling.get_uint256_be(blob, offset + 0x20), modulus);
+                    for(uint256 k = 0; k < unique_points; ){
+                        values[k][0] = mulmod(values[k][0], state.theta, modulus);
+                        values[k][1] = mulmod(values[k][1], state.theta, modulus);
+                        unchecked{k++;}
                     }
+
+                    values[cur_point][0] = addmod(values[cur_point][0], basic_marshalling.get_uint256_be(blob, offset), modulus);
+                    values[cur_point][1] = addmod(values[cur_point][1], basic_marshalling.get_uint256_be(blob, offset + 0x20), modulus);
                     unchecked{offset += 0x40;j++; cur++;}
                 }
                 unchecked{b++;}
             }
+        }
+        for(uint256 p = 0; p < unique_points; ){
+            uint256[2] memory tmp = values[p];
             tmp[0] = mulmod(tmp[0], state.factors[p], modulus);
             tmp[1] = mulmod(tmp[1], state.factors[p], modulus);
             uint256 s = state.x;
@@ -454,7 +458,7 @@ library modular_commitment_scheme_circuit1 {
         bytes calldata proof_of_work = blob[blob.length - 4:];
         transcript.update_transcript(tr_state, proof_of_work);
         uint256 p_o_w = transcript.get_integral_challenge_be(tr_state, 4);
-        if (p_o_w & 4294901760 != 0) return false;
+        if (p_o_w & 0xffff8000 != 0) return false;
 
 
             unchecked{
@@ -587,4 +591,4 @@ library modular_commitment_scheme_circuit1 {
         return true;
     }
 }        
-
+
diff --git a/contracts/zkllvm/circuit1/gate_0.sol b/contracts/zkllvm/circuit1/gate_0.sol
diff --git a/contracts/zkllvm/circuit1/gate_1.sol b/contracts/zkllvm/circuit1/gate_1.sol
diff --git a/contracts/zkllvm/circuit1/gate_argument.sol b/contracts/zkllvm/circuit1/gate_argument.sol
@@ -21,8 +21,6 @@ import "../../types.sol";
 import "../../basic_marshalling.sol";
 import "../../interfaces/modular_gate_argument.sol";
 import "hardhat/console.sol";
-import "./gate_0.sol"; 
-import "./gate_1.sol"; 
 
 
 contract modular_gate_argument_circuit1 is IGateArgument{
@@ -35,9 +33,42 @@ contract modular_gate_argument_circuit1 is IGateArgument{
     ) external view returns (uint256 F){
         uint256 theta_acc = 1;
         uint256 eval;
+        uint256 x;
 
-		(eval, theta_acc) = gate_circuit1_0.evaluate_gate_be( blob, theta, theta_acc ); F = addmod(F, eval, modulus);
-		(eval, theta_acc) = gate_circuit1_1.evaluate_gate_be( blob, theta, theta_acc ); F = addmod(F, eval, modulus);
+		uint256 prod;
+		uint256 sum;
+		uint256 gate;
+// gate === 0 ===
+		gate = 0;
+// constraint 0
+		sum = 0;
+		prod = basic_marshalling.get_uint256_be(blob, 192);
+		prod = mulmod(prod, 28948022309329048855892746252171976963363056481941560715954676764349967630336, modulus);
+		sum = addmod(sum, prod, modulus);
+		prod = basic_marshalling.get_uint256_be(blob, 160);
+		sum = addmod(sum, prod, modulus);
+		prod = basic_marshalling.get_uint256_be(blob, 128);
+		sum = addmod(sum, prod, modulus);
+		sum = mulmod(sum, theta_acc, modulus);
+		theta_acc = mulmod(theta, theta_acc, modulus);
+		gate = addmod(gate, sum, modulus);
+		gate = mulmod(gate, basic_marshalling.get_uint256_be(blob, 0), modulus);
+		F = addmod(F, gate, modulus);
+// gate === 1 ===
+		gate = 0;
+// constraint 0
+		sum = 0;
+		prod = basic_marshalling.get_uint256_be(blob, 192);
+		prod = mulmod(prod, 28948022309329048855892746252171976963363056481941560715954676764349967630336, modulus);
+		sum = addmod(sum, prod, modulus);
+		prod = basic_marshalling.get_uint256_be(blob, 128);
+		prod = mulmod(prod, basic_marshalling.get_uint256_be(blob, 160), modulus);
+		sum = addmod(sum, prod, modulus);
+		sum = mulmod(sum, theta_acc, modulus);
+		theta_acc = mulmod(theta, theta_acc, modulus);
+		gate = addmod(gate, sum, modulus);
+		gate = mulmod(gate, basic_marshalling.get_uint256_be(blob, 64), modulus);
+		F = addmod(F, gate, modulus);
 
     }
 }        
diff --git a/contracts/zkllvm/circuit1/gate_libs_list.json b/contracts/zkllvm/circuit1/gate_libs_list.json
diff --git a/contracts/zkllvm/circuit1/lookup_argument.sol b/contracts/zkllvm/circuit1/lookup_argument.sol
@@ -19,5 +19,4 @@
 pragma solidity >=0.8.4;
 
 library modular_lookup_argument_circuit1{
-}            
-
+}
diff --git a/contracts/zkllvm/circuit1/modular_verifier.sol b/contracts/zkllvm/circuit1/modular_verifier.sol
@@ -39,21 +39,19 @@ contract modular_verifier_circuit1 is IModularVerifier{
     address _permutation_argument_address;
     address _lookup_argument_address;
     address _commitment_contract_address;
-    uint64  constant sorted_columns = 0;
-    uint64  constant f_parts = 9;
+    uint64 constant sorted_columns = 0;
+    uint64   constant f_parts = 8;   // Individually on parts
     uint64  constant z_offset = 0xa1;
     uint64  constant table_offset = z_offset + 0x80 * 4 + 0xc0;
     uint64  constant table_end_offset = table_offset + 256;
     uint64  constant quotient_offset = 320;
     uint64  constant rows_amount = 16;
     uint256 constant omega = 14450201850503471296781915119640920297985789873634237091629829669980153907901;
     uint256 constant special_selectors_offset = z_offset + 4 * 0x80;
-
-
 
     function initialize(
 //        address permutation_argument_address,
-        address lookup_argument_address, 
+        address lookup_argument_address,
         address gate_argument_address,
         address commitment_contract_address
     ) public{
@@ -82,7 +80,8 @@ contract modular_verifier_circuit1 is IModularVerifier{
         bool b;
     }
 
-function public_input_direct(bytes calldata blob, uint256[] calldata public_input, verifier_state memory state) internal view 
+    // Public input columns
+    function public_input_direct(bytes calldata blob, uint256[] calldata public_input, verifier_state memory state) internal view
     returns (bool check){
         check = true;
 
@@ -99,24 +98,28 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
                     ),
                     modulus
                 );
-                    
+
                 result = addmod(
-                    result, 
+                    result,
                     mulmod(
                         public_input[i], L, modulus
-                    ), 
+                    ),
                     modulus
                 );
             }
             Omega = mulmod(Omega, omega, modulus);
             unchecked{i++;}
         }
-        result = mulmod(result, state.Z_at_xi, modulus);
+        result = mulmod(
+            result, addmod(field.pow_small(state.xi, rows_amount, modulus), modulus - 1, modulus), modulus
+        );
+        result = mulmod(result, field.inverse_static(rows_amount, modulus), modulus);
 
         // Input is proof_map.eval_proof_combined_value_offset
-        if( result != mulmod(basic_marshalling.get_uint256_be(blob, 224), rows_amount, modulus)) check = false;
+        if( result != basic_marshalling.get_uint256_be(
+            blob, 224
+        )) check = false;
     }
-
 
     function verify(
         bytes calldata blob,
@@ -128,22 +131,20 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
         state.xi = basic_marshalling.get_uint256_be(blob, 0x79);
         state.Z_at_xi = addmod(field.pow_small(state.xi, rows_amount, modulus), modulus-1, modulus);
         state.l0 = mulmod(
-            state.Z_at_xi, 
-            field.inverse_static(mulmod(addmod(state.xi, modulus - 1, modulus), rows_amount, modulus), modulus), 
+            state.Z_at_xi,
+            field.inverse_static(mulmod(addmod(state.xi, modulus - 1, modulus), rows_amount, modulus), modulus),
             modulus
         );
 
-
-        //Direct public input check
+        //0. Direct public input check
         if(public_input.length > 0) {
             if (!public_input_direct(blob[865:865+320], public_input, state)) {
                 console.log("Wrong public input!");
                 state.b = false;
             }
         }
-
 
-        //1. Init transcript        
+        //1. Init transcript
         types.transcript_data memory tr_state;
         tr_state.current_challenge = transcript_state;
 
@@ -153,8 +154,8 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
 
             //3. Permutation argument
             uint256[3] memory permutation_argument = modular_permutation_argument_circuit1.verify(
-                blob[0xa1:865+320], 
-                transcript.get_field_challenge(tr_state, modulus), 
+                blob[0xa1:865+320],
+                transcript.get_field_challenge(tr_state, modulus),
                 transcript.get_field_challenge(tr_state, modulus),
                 state.l0
             );
@@ -172,13 +173,28 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
             //6. Gate argument
             IGateArgument modular_gate_argument = IGateArgument(_gate_argument_address);
             state.F[7] = modular_gate_argument.verify(blob[table_offset:table_end_offset], transcript.get_field_challenge(tr_state, modulus));
+            state.F[7] = mulmod(
+                state.F[7],
+                addmod(
+                    1,
+                    modulus - addmod(
+                        basic_marshalling.get_uint256_be(blob, special_selectors_offset),
+                        basic_marshalling.get_uint256_be(blob, special_selectors_offset + 0x60),
+                        modulus
+                    ),
+                    modulus
+                ),
+                modulus
+            );
         }
-		//No public input gate
+
+        // No public input gate
+
         uint256 F_consolidated;
         {
             //7. Push quotient to transcript
             for( uint8 i = 0; i < f_parts;){
-                F_consolidated = addmod(F_consolidated, mulmod(state.F[i], transcript.get_field_challenge(tr_state, modulus), modulus), modulus);
+                F_consolidated = addmod(F_consolidated, mulmod(state.F[i],transcript.get_field_challenge(tr_state, modulus), modulus), modulus);
                 unchecked{i++;}
             }
             uint256 points_num = basic_marshalling.get_length(blob, 0x79 + 0x20);
@@ -208,8 +224,8 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
             uint256 factor = 1;
             for(uint64 i = 0; i < uint64(uint8(blob[z_offset + basic_marshalling.get_length(blob, z_offset - 0x8) *0x20 + 0xf]));){
                 T_consolidated = addmod(
-                    T_consolidated, 
-                    mulmod(basic_marshalling.get_uint256_be(blob, table_offset + quotient_offset + i *0x20), factor, modulus), 
+                    T_consolidated,
+                    mulmod(basic_marshalling.get_uint256_be(blob, table_offset + quotient_offset + i *0x20), factor, modulus),
                     modulus
                 );
                 factor = mulmod(factor, state.Z_at_xi + 1, modulus);
@@ -224,5 +240,5 @@ function public_input_direct(bytes calldata blob, uint256[] calldata public_inpu
 
         console.log("Gas for verification:", state.gas-gasleft());
     }
-}            
+}