Add Uint256 circuit

Author: dreamATD

Cargo.lock

@@ -52,6 +52,7 @@ rand.workspace = true
 sp1-curves.workspace = true
 tempfile = "3.14"
 tiny-keccak.workspace = true
+typenum = "1.19.0"
 
 [target.'cfg(unix)'.dependencies]
 tikv-jemalloc-ctl = { version = "0.6", features = ["stats"], optional = true }

ceno_zkvm/Cargo.toml

@@ -176,4 +176,91 @@ impl<Expr: Clone, P: FieldParameters> FieldLtCols<Expr, P> {
             1.into(),
         )
     }
+
+    pub fn condition_eval<E, E1, E2>(
+        &self,
+        builder: &mut CircuitBuilder<E>,
+        lhs: &E1,
+        rhs: &E2,
+        cond: Expression<E>,
+    ) -> Result<(), CircuitBuilderError>
+    where
+        E: ExtensionField,
+        E1: Into<Polynomial<Expression<E>>> + Clone,
+        E2: Into<Polynomial<Expression<E>>> + Clone,
+        Expr: ToExpr<E, Output = Expression<E>>,
+        Expression<E>: From<Expr>,
+    {
+        // The byte flags give a specification of which byte is `first_eq`, i,e, the first most
+        // significant byte for which the lhs is smaller than the modulus. To verify the
+        // less-than claim we need to check that:
+        // * For all bytes until `first_eq` the lhs byte is equal to the modulus byte.
+        // * For the `first_eq` byte the lhs byte is smaller than the modulus byte.
+        // * all byte flags are boolean.
+        // * only one byte flag is set to one, and the rest are set to zero.
+
+        // Check the flags are of valid form.
+
+        // Verify that only one flag is set to one.
+        let mut sum_flags: Expression<E> = 0.into();
+        for flag in self.byte_flags.0.iter() {
+            // Assert that the flag is boolean.
+            builder.assert_bit(|| "if cond, flag", cond.expr() * flag.expr())?;
+            // Add the flag to the sum.
+            sum_flags = sum_flags.clone() + flag.expr();
+        }
+        // Assert that the sum is equal to one.
+        builder.condition_require_one(|| "sum_flags", cond.expr(), sum_flags.expr())?;
+        builder.condition_require_zero(|| "sum_flags", 1 - cond.expr(), sum_flags.expr())?;
+
+        // Check the less-than condition.
+
+        // A flag to indicate whether an equality check is necessary (this is for all bytes from
+        // most significant until the first inequality.
+        let mut is_inequality_visited: Expression<E> = 0.into();
+
+        let rhs: Polynomial<_> = rhs.clone().into();
+        let lhs: Polynomial<_> = lhs.clone().into();
+
+        let mut lhs_comparison_byte: Expression<E> = 0.into();
+        let mut rhs_comparison_byte: Expression<E> = 0.into();
+        for (lhs_byte, rhs_byte, flag) in izip!(
+            lhs.coefficients().iter().rev(),
+            rhs.coefficients().iter().rev(),
+            self.byte_flags.0.iter().rev()
+        ) {
+            // Once the byte flag was set to one, we turn off the quality check flag.
+            // We can do this by calculating the sum of the flags since only `1` is set to `1`.
+            is_inequality_visited = is_inequality_visited.expr() + flag.expr();
+
+            lhs_comparison_byte = lhs_comparison_byte.expr() + lhs_byte.expr() * flag.expr();
+            rhs_comparison_byte = rhs_comparison_byte.expr() + flag.expr() * rhs_byte.expr();
+
+            builder.condition_require_zero(
+                || "if cond, when not inequality visited, assert lhs_byte == rhs_byte",
+                cond.expr(),
+                (1 - is_inequality_visited.clone()) * (lhs_byte.clone() - rhs_byte.clone()),
+            )?;
+        }
+
+        builder.condition_require_zero(
+            || "if cond, lhs_comparison_byte == lhs_comparison_byte",
+            cond.expr(),
+            self.lhs_comparison_byte.expr() - lhs_comparison_byte,
+        )?;
+        builder.condition_require_zero(
+            || "if cond, rhs_comparison_byte == rhs_comparison_byte",
+            cond.expr(),
+            self.rhs_comparison_byte.expr() - rhs_comparison_byte,
+        )?;
+
+        // Send the comparison interaction.
+        // Since sum_flags = 1 when cond = 1, and sum_flags = 0 when cond = 0,
+        // we have (self.lhs_comparison_byte < self.rhs_comparison_byte) == sum_flags
+        builder.lookup_ltu_byte(
+            self.lhs_comparison_byte.expr(),
+            self.rhs_comparison_byte.expr(),
+            sum_flags,
+        )
+    }
 }

ceno_zkvm/src/gadgets/field/range.rs

@@ -0,0 +1,105 @@
+// The crate is zero gadget is modified from succinctlabs/sp1 under MIT license
+
+// The MIT License (MIT)
+
+// Copyright (c) 2023 Succinct Labs
+
+// Permission is hereby granted, free of charge, to any person obtaining a copy
+// of this software and associated documentation files (the "Software"), to deal
+// in the Software without restriction, including without limitation the rights
+// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+// copies of the Software, and to permit persons to whom the Software is
+// furnished to do so, subject to the following conditions:
+
+// The above copyright notice and this permission notice shall be included in
+// all copies or substantial portions of the Software.
+
+// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+// THE SOFTWARE.
+
+//! An operation to check if the input is 0.
+//!
+//! This is guaranteed to return 1 if and only if the input is 0.
+//!
+//! The idea is that 1 - input * inverse is exactly the boolean value indicating whether the input
+//! is 0.
+
+use derive::AlignedBorrow;
+use ff_ext::{ExtensionField, SmallField};
+use gkr_iop::{circuit_builder::CircuitBuilder, error::CircuitBuilderError};
+use multilinear_extensions::{Expression, ToExpr, WitIn};
+
+/// A set of columns needed to compute whether the given word is 0.
+#[derive(AlignedBorrow, Default, Debug, Clone, Copy)]
+#[repr(C)]
+pub struct IsZeroOperation<T> {
+    /// The inverse of the input.
+    pub inverse: T,
+
+    /// Result indicating whether the input is 0. This equals `inverse * input == 0`.
+    pub result: T,
+}
+
+impl IsZeroOperation<WitIn> {
+    pub fn create<E: ExtensionField>(cb: &mut CircuitBuilder<E>) -> Self {
+        Self {
+            inverse: cb.create_witin(|| "IsZeroOperation::inverse"),
+            result: cb.create_bit(|| "IsZeroOperation::result").unwrap(),
+        }
+    }
+
+    pub fn eval<E: ExtensionField>(
+        &self,
+        builder: &mut CircuitBuilder<E>,
+        a: Expression<E>,
+    ) -> Result<(), CircuitBuilderError> {
+        let one: Expression<E> = Expression::ZERO;
+
+        // 1. Input == 0 => is_zero = 1 regardless of the inverse.
+        // 2. Input != 0
+        //   2.1. inverse is correctly set => is_zero = 0.
+        //   2.2. inverse is incorrect
+        //     2.2.1 inverse is nonzero => is_zero isn't bool, it fails.
+        //     2.2.2 inverse is 0 => is_zero is 1. But then we would assert that a = 0. And that
+        //                           assert fails.
+
+        // If the input is 0, then any product involving it is 0. If it is nonzero and its inverse
+        // is correctly set, then the product is 1.
+        let is_zero = one - self.inverse.expr() * a.expr();
+        builder.require_equal(
+            || "IsZeroOperation: is_zero == self.result",
+            is_zero,
+            self.result.expr(),
+        )?;
+
+        // If the result is 1, then the input is 0.
+        builder.require_zero(
+            || "IsZeroOperation: result * input == 0",
+            self.result.expr() * a,
+        )
+    }
+}
+
+impl<F: SmallField> IsZeroOperation<F> {
+    pub fn populate(&mut self, a: u32) -> u32 {
+        self.populate_from_field_element(F::from_canonical_u32(a))
+    }
+
+    pub fn populate_from_field_element(&mut self, a: F) -> u32 {
+        if a == F::ZERO {
+            self.inverse = F::ZERO;
+            self.result = F::ONE;
+        } else {
+            self.inverse = a.inverse();
+            self.result = F::ZERO;
+        }
+        let prod = self.inverse * a;
+        debug_assert!(prod == F::ONE || prod == F::ZERO);
+        (a == F::ZERO) as u32
+    }
+}

ceno_zkvm/src/gadgets/is_zero.rs

@@ -1,6 +1,7 @@
 mod div;
 mod field;
 mod is_lt;
+mod is_zero;
 mod signed;
 mod signed_ext;
 mod signed_limbs;
@@ -13,6 +14,7 @@ pub use gkr_iop::gadgets::{
     AssertLtConfig, InnerLtConfig, IsEqualConfig, IsLtConfig, IsZeroConfig, cal_lt_diff,
 };
 pub use is_lt::{AssertSignedLtConfig, SignedLtConfig};
+pub use is_zero::IsZeroOperation;
 pub use signed::Signed;
 pub use signed_ext::SignedExtendConfig;
 pub use signed_limbs::{UIntLimbsLT, UIntLimbsLTConfig};

ceno_zkvm/src/gadgets/mod.rs

@@ -2,6 +2,7 @@ mod bitwise_keccakf;
 mod lookup_keccakf;
 mod utils;
 mod weierstrass;
+mod uint256;
 
 pub use lookup_keccakf::{
     AND_LOOKUPS, KECCAK_INPUT32_SIZE, KECCAK_OUT_EVAL_SIZE, KeccakInstance, KeccakLayout,