This repository was archived by the owner on Apr 18, 2025. It is now read-only.
forked from privacy-ethereum/zkevm-circuits
[FEAT] precompile-sha256 #1032
Merged
Changes from 42 commits
51 commits
7320dc5 init table16 with generic refactoring (noel2004)
944cf7c update cargo (noel2004)
215a1a2 add required cfgs (noel2004)
55eec01 add benchmarking (noel2004)
c1ea6b8 customizable bench (noel2004)
ab5b2fa fmt (noel2004)
fe5a433 config gates for sha256 circuit (noel2004)
d0b63a6 Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
70ceb47 complete sha256 circuit (noel2004)
4795760 induce SHA256 in bus mapping (noel2004)
152c567 better challenge spec (noel2004)
b8379ea integrate sha256 circuit into super (noel2004)
bef157b readme (wip) (noel2004)
4adf228 complete precompile and sha256 table (noel2004)
89505b0 clippies (noel2004)
85732d2 fmt (noel2004)
8d90619 better tests (noel2004)
a51e117 fix issues and better printing for circuit layout (noel2004)
1c14779 refine and fix issues (noel2004)
8b125f1 fix digest in table16 (noel2004)
edef428 fix layout, clippy and fmt (noel2004)
635beae complete sha256 table (noel2004)
c8a3f6d fix rw (noel2004)
08d3039 fix rlc on padding (noel2004)
4af8e0e Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
5db7d69 clippy and fmt (noel2004)
2b43069 more tests (noel2004)
7992f8d test added (noel2004)
f11f6cc sha256: update row cost per block (noel2004)
ac0d3fb update readme (wip) (noel2004)
c4b1898 lookup input len (noel2004)
41298f7 enable sha256 (noel2004)
f7740de Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
da3027c more test cases (noel2004)
8fb408e refactoring aux data (noel2004)
abeb61a fmt (noel2004)
e8e2c71 fix precompile call test (noel2004)
e600ff5 fix another callop test (noel2004)
a748453 Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
fc94e67 + update bench to circuit-sha256, (noel2004)
f3f497d Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
0a4c056 fix vk issue, add more test (noel2004)
e3d1333 trivial fixes (noel2004)
9649214 Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
ff0bf52 Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
88e419c move sha256 circuit into zkevm-circuits (noel2004)
2d9914e purge unused sha256 dir (noel2004)
5af254a Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
c526f09 bump halo2 version (noel2004)
05d3747 fix blank comment (noel2004)
9d5661c Merge remote-tracking branch 'origin/develop' into feat/sha256 (noel2004)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| [package] | ||
| name = "sha256" | ||
| version.workspace = true | ||
| edition.workspace = true | ||
| license.workspace = true | ||
|
|
||
| [features] | ||
| dev-graph = ["halo2_proofs/dev-graph", "halo2_gadgets/dev-graph", "plotters"] | ||
|
|
||
| [dependencies] | ||
| halo2curves = { git = "https://github.com/scroll-tech/halo2curves.git", branch = "0.3.1-derive-serde" } | ||
| halo2_gadgets = { git = "https://github.com/scroll-tech/halo2.git", branch = "develop", features = ["unstable"] } | ||
| halo2_proofs.workspace = true | ||
| itertools.workspace = true | ||
| num-bigint.workspace = true | ||
| num-traits.workspace = true | ||
| plotters = { version = "0.3.0", optional = true } | ||
| eth-types = { path = "../eth-types" } | ||
| lazy_static.workspace = true | ||
| log.workspace = true | ||
| env_logger.workspace = true | ||
|
|
||
| [dev-dependencies] | ||
| pretty_assertions.workspace = true | ||
| rand.workspace = true | ||
| criterion = "0.3" | ||
|
|
||
| [[bench]] | ||
| name = "sha256" | ||
| harness = false |
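Review bot: `halo2curves` and `halo2_gadgets` in `[dependencies]` are pinned to git branches (`branch = "0.3.1-derive-serde"`, `branch = "develop"`) rather than to a commit, so the code this circuit is built from can change whenever those branches move, and only the lockfile holds it in place. For a crate whose constraints determine the verifying key, pin each with `rev = "<commit>"` (or a tag), or route them through the workspace table as the `halo2_proofs.workspace = true` line does, which also keeps `halo2_gadgets` on the same halo2 revision as `halo2_proofs`. Separately, `env_logger` sits under `[dependencies]`; if only the tests and the `sha256` bench initialise it, it belongs under `[dev-dependencies]`.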
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| # SHA256 Circuit with lookup table | ||
|
|
||
| This circuit use a forking of `table16` in `halo2-gadget`, with some patches: | ||
|
|
||
| + Make all code generic for the `Field` trait so that it also work with the `bn254` curve | ||
| + Fix the digest exporting part, output correct digest (the final state ⊕ init state) with correct constraint (rows for 512-bit block increased from **2102** -> **2114**) | ||
|
|
||
| The witness in table16 is then exported to an extra region so that the RLC of input and digest can be calculated and form the lookup table for the SHA256 precompile in zkevm-circuit. To achieve this, we have introduced several cols and assigned them to two regions: `input` and `digest`. The following table illustrates: | ||
|
|
||
| input region (example for input 'abc'): | ||
| | | s_final | s_u16 | counter | bytes_rlc | trans_byte | copied_data | s_output| padding |padding_size| | ||
| |----------|------------------|-----------|-----------|-----------|------------|-------------|---------|-----------------|------------| | ||
| |(inherit) | *1* | | *42* |*inherit_rlc*| | | | *1* | | | ||
| |s_begin | 1 | | 0 | 0 | | | | 0 | | | ||
| |s_enable | 1 | 1 | 1 | 0x61 | b'0x61' | *0x6162* | | 0 | | | ||
| |s_enable | 1 | 0 | 2 | 0x61062 | b'0x62' | | | 0 | | | ||
| |s_enable | 1 | 1 | 3 | 0x61062063| b'0x63' | *0x6380* | | 0 | | | ||
| |s_enable | 1 | 0 | 3 | 0x61062063| b'0x80' | | | 1 | | | ||
| |.... | | ||
| |s_enable | 1 | 1 | 3 | 0x61062063| b'0x00 | *0x0018* | | 1 | 0 | | ||
| |s_last | 1 | 0 | 3 | 0x61062063| b'0x18 | | | 1 | 24 | | ||
|
|
||
|
|
||
| digest region (example for the hash of 'abc'): | ||
| | | s_final | s_u16 | counter | bytes_rlc | trans_byte | copied_data | s_output| padding | | ||
| |----------|------------------|-----------|-----------|-----------|------------|-------------|---------|-----------| | ||
| | | *1* | | | **0** | | | | **0** | | ||
| |s_enable | 1 | 1 | | 0xba | b'0xba' | *0xba78* | 0x6a09 | 0 | | ||
| |s_enable | 1 | 0 | | 0xba078 | b'0x78 | *0x6a09* | | | ||
| |.... | | ||
| |s_enable | 1 | 1 | | | b'0x15 | *0x15ad* | 0xcd19 | 0 | | ||
| |s_enable | 1 | 0 | | hash_rlc | b'0xad | *0xcd19* | | **0** | | ||
| | | | |*input_counter*|*hash_rlc*| | *input_rlc* | 1 | | | ||
|
|
||
| Note: | ||
| + *Italic* indicate the cell is equality constrainted whie **bold** indicate the cell is constarinted with constant | ||
| + We suppose the `random` value for rlc is `0x1000` | ||
|
|
||
| ### Defination of the cols | ||
|
|
||
| + `copied_data` col is used to copy the cells with `u16` values from `table16`. | ||
| + `trans_byte` expands each `u16` value copied from `table16` into two bytes across two adjacent rows, with the help of the selector `s_u16` | ||
| + `padding` col marks whether the byte in current row is padding or input byte. | ||
| + `bytes_rlc` accumulates bytes in `trans_byte` col to its RLC expression only if the byte in current row is not padding. Otherwise, it continues the value from the previous row if the current row is marked as padding. | ||
| + `counter` counts the total input bytes if byte in current row is not padding, Otherwise it continues the value from previous row if the current row is marked as padding. | ||
| + `s_final` is a boolean advice col that identifies in each row of an input region, marking wether the current block is the last block | ||
| + `padding_size` calculates the accumulation of the last 8 bytes in input region and obtains the bit counts recorded in the tail of the padding, which is specified by SHA2. | ||
|
|
||
| ### Defination in regions: | ||
|
|
||
| Each input region captures a 512-bit block and copies the 16 x 32-bit integers (in the form of a pair of assigned cells for their lo and hi 16-bit parts) inside of the `message schedule` region of table16. The region consists of 66 rows: 64 rows for 64 bytes representing the 512-bit block and 2 extra rows at the beginning. For the `s_final`, `counter`, `padding` and `bytes_rlc` cols, the cells in last row (enabled by `s_last` selector) are connected by equality constraints to the first row of next input region for the subsequent 512-bit block. Additionally the `s_final` cells is also connected with the corresponding digest reion. | ||
|
|
||
| The second row at the top of the region determines how the `counter`, `padding` and `bytes_rlc` cols begin: if the inherited `s_final` cell (at the first row at the top of the region) is 1, these cols will start with an initial value (i.e., 0); else they will start with the "inherited" value of the previous 512-bit block. | ||
|
|
||
| Note that it is free to specify `s_final` in each block as either 0 or 1. If `s_final` is set to 1, the last row must satisfy the "final" constraint, that is the cell in `counter` col has to equal the calculated bit size in `padding_size` cell. | ||
|
|
||
| There is exactly one digest region corresponding to each input region. This region captures the 256-bit digest of the 512-bit block and copies it from the `digest` region of table16. The region consists of 34 rows: 32 rows for bytes of digests, 1 extra row at the beginning, and 1 row at the bottom. The `s_final` is inherited from the input region, and the first row for `counter`, `padding` and `bytes_rlc` cols are specified with 0 by constraints to a constant. The last row for digest bytes is also constarint the `padding` cell as 0, which also ensure there is no padding row existed in digest region. | ||
|
|
||
| Like input region, digest region calculated the RLC of digest bytes. The final row in digest copied `s_final` and `counter` value inheirted from input region into the corresponding cols; `bytes_rlc` of the cell in previous cell (i.e. the RLC of digest); and the RLC of input into `copied_data` col. This row represents a row in SHA256 table used for looking up from evm circuit. | ||
|
|
||
| ## Performance | ||
|
|
||
| Currently the SHA256 circuit can calculate SHA256 for 1k bytes within 4.891s (`k=17`), ~26% overhead to its `table16` core (3.854s), and verfication is 6.601ms, 6% overhead to `table16` (6.207ms). | ||
|
|
||
| We have a [detailed performance for table16 and Brecht's sha256](https://www.notion.so/scrollzkp/Precompile-SHA256-7a0f519d5bbe4f52a9fa08ebff9a8118) (accessing priviledge required). | ||
|
|
||
| With `k=21`, SHA256-circuit can calculate the hashes for as much as 16KB bytes, which should be enough for the txs in mainnet. |
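Review bot: under "Defination in regions", the "final" constraint is described as "the cell in `counter` col has to equal the calculated bit size in `padding_size` cell", but the input-region example for 'abc' ends with `counter` = 3 and `padding_size` = 24, and `counter` is defined as counting input bytes. State the relation the gate actually enforces (the example implies `padding_size` = 8 × `counter`). Because the text says `s_final` may be set freely per block, the README should also say which constraints fix the `0x80` marker byte and the zero bytes in rows where `padding` is 1, and that `padding` cannot go back from 1 to 0 within a message; the column definitions do not cover this. Smaller points: the second data row of the digest table has one cell fewer than its header, the Notion link under "Performance" cannot be read by outside reviewers so the figures it backs cannot be checked, and there are typos to fix ("Defination", "constrainted", "constarint", "reion", "inheirted", "verfication", "priviledge").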
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| sha256_assets |
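Review bot: the single entry `sha256_assets` carries no comment saying what produces that path. Assuming this one-line file is the crate's ignore file (the file name is not shown in this view), add a comment naming the generator and write the entry as `/sha256_assets/` so it matches only that directory at the crate root rather than any file or directory of that name below it.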