- Generated by
1.9.8
|
Barretenberg
The ZK-SNARK library at the core of Aztec
|
#include <sha256.hpp>
Classes | |
| struct | sparse_value |
| struct | sparse_witness_limbs |
Static Public Member Functions | |
| static std::array< field_ct, 8 > | sha256_block (const std::array< field_ct, 8 > &h_init, const std::array< field_ct, 16 > &input) |
| Apply the SHA-256 compression function to a single 512-bit message block. | |
| static std::array< field_ct, 64 > | extend_witness (const std::array< field_ct, 16 > &w_in) |
| Extend the 16-word message block to 64 words per SHA-256 specification. | |
Private Types | |
| using | field_ct = field_t< Builder > |
Static Private Member Functions | |
| static sparse_witness_limbs | convert_witness (const field_ct &input) |
| Convert a 32-bit value to sparse limbs form for message schedule extension. | |
| static field_ct | choose_with_sigma1 (sparse_value &e, const sparse_value &f, const sparse_value &g) |
| Compute Σ₁(e) + Ch(e,f,g) for SHA-256 compression rounds. | |
| static field_ct | majority_with_sigma0 (sparse_value &a, const sparse_value &b, const sparse_value &c) |
| Compute Σ₀(a) + Maj(a,b,c) for SHA-256 compression rounds. | |
| static sparse_value | map_into_choose_sparse_form (const field_ct &input) |
| Convert a field element to sparse form for use in the Choose function. | |
| static sparse_value | map_into_maj_sparse_form (const field_ct &input) |
| Convert a field element to sparse form for use in the Majority function. | |
| static field_ct | add_normalize (const field_ct &a, const field_ct &b) |
| Compute (a + b) mod 2^32 with circuit constraints. | |
Static Private Attributes | |
| static constexpr fr | base { 16 } |
| static constexpr std::array< fr, 4 > | left_multipliers |
| Multipliers for computing σ₀ during message schedule extension. | |
| static constexpr std::array< fr, 4 > | right_multipliers |
| Multipliers for computing σ₁ during message schedule extension. | |
| static constexpr std::array< uint64_t, 64 > | round_constants |
Definition at line 18 of file sha256.hpp.
|
private |
Definition at line 20 of file sha256.hpp.
|
staticprivate |
Compute (a + b) mod 2^32 with circuit constraints.
Used throughout SHA-256 to add 32-bit values and reduce modulo 2^32. Constrains: result = a + b - overflow * 2^32, where overflow is range-checked.
Definition at line 329 of file sha256.cpp.
|
staticprivate |
Compute Σ₁(e) + Ch(e,f,g) for SHA-256 compression rounds.
Combines two operations efficiently using base-28 sparse form:
Sparse encoding: 7*[rotations] + [e + 2f + 3g], where factor 7 separates rotation contributions (0-3) from Choose encoding (0-6) within each base-28 digit.
See get_choose_input_table() in plookup_tables/sha256.hpp for the mathematical derivation.
| e | Input/output: e.normal read, e.sparse populated as side effect |
| f | Input: must have .sparse already populated |
| g | Input: must have .sparse already populated |
Definition at line 246 of file sha256.cpp.
|
staticprivate |
Convert a 32-bit value to sparse limbs form for message schedule extension.
Uses SHA256_WITNESS_INPUT lookup table to decompose input into sparse limbs and pre-rotated correction terms needed for σ₀/σ₁ computation.
See get_witness_extension_input_table() in plookup_tables/sha256.hpp for table structure.
Definition at line 45 of file sha256.cpp.
|
static |
Extend the 16-word message block to 64 words per SHA-256 specification.
SHA-256 Spec (FIPS 180-4, Section 6.2.2): W[i] = σ₁(W[i-2]) + W[i-7] + σ₀(W[i-15]) + W[i-16] (mod 2³²) for i = 16..63
Uses base-16 sparse form to compute σ₀ + σ₁ efficiently via lookup tables, then adds W[i-7] and W[i-16] and reduces mod 2³².
| w_in | The 16 input message words (512 bits total) |
Definition at line 82 of file sha256.cpp.
|
staticprivate |
Compute Σ₀(a) + Maj(a,b,c) for SHA-256 compression rounds.
Combines two operations efficiently using base-16 sparse form:
Sparse encoding: 4*[rotations] + [a + b + c], where factor 4 separates rotation contributions (0-3) from Majority encoding (0-3) within each base-16 digit.
See get_majority_input_table() in plookup_tables/sha256.hpp for the mathematical derivation.
| a | Input/output: a.normal read, a.sparse populated as side effect |
| b | Input: must have .sparse already populated |
| c | Input: must have .sparse already populated |
Definition at line 291 of file sha256.cpp.
|
staticprivate |
Convert a field element to sparse form for use in the Choose function.
Performs a lookup to convert a normal 32-bit value to its base-28 sparse representation. Base 28 is required because the Choose lookup table index formula is 7 × rotation_sum + (e + 2f + 3g), where rotation_sum ranges 0-3 and the weighted sum (e + 2f + 3g) ranges 0-6, giving max index 27.
| input | The field element to convert (expected to be a 32-bit value) |
Definition at line 199 of file sha256.cpp.
|
staticprivate |
Convert a field element to sparse form for use in the Majority function.
Performs a lookup to convert a normal 32-bit value to its base-16 sparse representation. Base 16 is required because the Majority lookup table index formula is 4 × rotation_sum + (a + b + c), where rotation_sum ranges 0-3 and (a + b + c) ranges 0-3, giving max index 15.
| input | The field element to convert (expected to be a 32-bit value) |
Definition at line 219 of file sha256.cpp.
|
static |
Apply the SHA-256 compression function to a single 512-bit message block.
This is the only public entry point for the stdlib SHA-256 implementation. We implement only the compression function (rather than a full hash) because this is all that is required in DSL.
| h_init | The 8-word (256-bit) initial hash state. For the first block of a message, this should be the standard SHA-256 IV. For subsequent blocks, this is the output of the previous compression. |
| input | The 16-word (512-bit) message block to compress. |
Initialize round variables with previous block output. Note: We delay converting a and e into their respective sparse forms because it's done as part of the majority and choose functions in the first round.
Apply SHA-256 compression function to the message schedule.
Standard SHA-256 round: T1 = h + Σ1(e) + Ch(e,f,g) + K[i] + W[i] T2 = Σ0(a) + Maj(a,b,c) h,g,f,e,d,c,b,a = g,f,e,d+T1,c,b,a,T1+T2
NOTE: Order-dependent side effects below. choose_with_sigma1() populates e.sparse (subsequently copied to f). majority_with_sigma0() populates a.sparse (subsequently copied to b). Do not reorder relative to f=e or b=a.
Definition at line 379 of file sha256.cpp.
|
staticconstexprprivate |
Definition at line 22 of file sha256.hpp.
|
staticconstexprprivate |
Multipliers for computing σ₀ during message schedule extension.
σ₀(x) = (x >>> 7) ⊕ (x >>> 18) ⊕ (x >> 3)
These multipliers handle rotations that keep the limb within the 32-bit word boundary. Rotations that split a limb across the wrap boundary (i.e., rot7 for limb 1) cannot be represented as a simple scalar and are instead handled via rotated_limb_corrections from the lookup table.
limb 0) bits [0..2]; pos_0 = 0
rotation by 7: 16^(-7 + pos_3) = 16^(18 - 7)
Definition at line 50 of file sha256.hpp.
|
staticconstexprprivate |
Multipliers for computing σ₁ during message schedule extension.
σ₁(x) = (x >>> 17) ⊕ (x >>> 19) ⊕ (x >> 10)
These multipliers handle rotations that keep the limb within the 32-bit word boundary. Rotations that split a limb across the wrap boundary (i.e., rot17 for limb 2, rot19 for limb 3) cannot be represented as a simple scalar and are instead handled via rotated_limb_corrections from the lookup table.
limb 0) bits [0..2]; pos_0 = 0
Definition at line 84 of file sha256.hpp.
|
staticconstexprprivate |
Definition at line 91 of file sha256.hpp.
1.9.8