From 212f29cfb9ba968757ea6bafd6039820b84f5a16 Mon Sep 17 00:00:00 2001
From: Robin Salen <30937548+Nashtare@users.noreply.github.com>
Date: Mon, 5 Feb 2024 17:56:49 -0500
Subject: [PATCH] Add missing constraints mentioned by auditors (#1499)

---
 evm/src/arithmetic/arithmetic_stark.rs |  9 +++++++++
 evm/src/logic.rs                       | 22 ++++++++++++++++++++--
 2 files changed, 29 insertions(+), 2 deletions(-)

diff --git a/evm/src/arithmetic/arithmetic_stark.rs b/evm/src/arithmetic/arithmetic_stark.rs
index dcf966ee59..5e3f039cdf 100644
--- a/evm/src/arithmetic/arithmetic_stark.rs
+++ b/evm/src/arithmetic/arithmetic_stark.rs
@@ -214,6 +214,10 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for ArithmeticSta
             yield_constr.constraint(flag * (flag - P::ONES));
         }
 
+        // Only a single flag must be activated at once.
+        let all_flags = op_flags().map(|i| lv[i]).sum::<P>();
+        yield_constr.constraint(all_flags * (all_flags - P::ONES));
+
         // Check that `OPCODE_COL` holds 0 if the operation is not a range_check.
         let opcode_constraint = (P::ONES - lv[columns::IS_RANGE_CHECK]) * lv[columns::OPCODE_COL];
         yield_constr.constraint(opcode_constraint);
@@ -261,6 +265,11 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for ArithmeticSta
             yield_constr.constraint(builder, constraint);
         }
 
+        // Only a single flag must be activated at once.
+        let all_flags = builder.add_many_extension(op_flags().map(|i| lv[i]));
+        let constraint = builder.mul_sub_extension(all_flags, all_flags, all_flags);
+        yield_constr.constraint(builder, constraint);
+
         // Check that `OPCODE_COL` holds 0 if the operation is not a range_check.
         let opcode_constraint = builder.arithmetic_extension(
             F::NEG_ONE,
diff --git a/evm/src/logic.rs b/evm/src/logic.rs
index fa83fa94c1..7300c6af65 100644
--- a/evm/src/logic.rs
+++ b/evm/src/logic.rs
@@ -227,11 +227,19 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for LogicStark<F,
     {
         let lv = vars.get_local_values();
 
-        // IS_AND, IS_OR, and IS_XOR come from the CPU table, so we assume they're valid.
         let is_and = lv[columns::IS_AND];
         let is_or = lv[columns::IS_OR];
         let is_xor = lv[columns::IS_XOR];
 
+        // Flags must be boolean.
+        for &flag in &[is_and, is_or, is_xor] {
+            yield_constr.constraint(flag * (flag - P::ONES));
+        }
+
+        // Only a single flag must be activated at once.
+        let all_flags = is_and + is_or + is_xor;
+        yield_constr.constraint(all_flags * (all_flags - P::ONES));
+
         // The result will be `in0 OP in1 = sum_coeff * (in0 + in1) + and_coeff * (in0 AND in1)`.
         // `AND => sum_coeff = 0, and_coeff = 1`
         // `OR  => sum_coeff = 1, and_coeff = -1`
@@ -276,11 +284,21 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for LogicStark<F,
     ) {
         let lv = vars.get_local_values();
 
-        // IS_AND, IS_OR, and IS_XOR come from the CPU table, so we assume they're valid.
         let is_and = lv[columns::IS_AND];
         let is_or = lv[columns::IS_OR];
         let is_xor = lv[columns::IS_XOR];
 
+        // Flags must be boolean.
+        for &flag in &[is_and, is_or, is_xor] {
+            let constraint = builder.mul_sub_extension(flag, flag, flag);
+            yield_constr.constraint(builder, constraint);
+        }
+
+        // Only a single flag must be activated at once.
+        let all_flags = builder.add_many_extension([is_and, is_or, is_xor]);
+        let constraint = builder.mul_sub_extension(all_flags, all_flags, all_flags);
+        yield_constr.constraint(builder, constraint);
+
         // The result will be `in0 OP in1 = sum_coeff * (in0 + in1) + and_coeff * (in0 AND in1)`.
         // `AND => sum_coeff = 0, and_coeff = 1`
         // `OR  => sum_coeff = 1, and_coeff = -1`