Barretenberg: src/barretenberg/dsl/acir_format/sha256_constraint.cpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Luke], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#include "sha256_constraint.hpp"

#include "barretenberg/common/zip_view.hpp"

#include "barretenberg/stdlib/hash/sha256/sha256.hpp"


namespace acir_format {


template <typename Builder>


void create_sha256_compression_constraints(Builder& builder, const Sha256Compression& constraint)

{

    using field_ct = bb::stdlib::field_t<Builder>;


    std::array<field_ct, 8> hash_inputs; // previous  (or initial) hash state

    std::array<field_ct, 16> inputs;     // message block to compress


    // Get the witness assignment for each witness index

    // AUDITTODO: We do not range-check the inputs here, assuming lookup tables in sha256_block

    // provide implicit 32-bit constraints. However, analysis shows this assumption is incomplete:

    // - inputs[0] is NEVER lookup-constrained

    // - hash_values[3] and hash_values[7] are used in arithmetic before being lookup-constrained

    // These values are only weakly bounded (~35 bits) by add_normalize overflow constraints.

    // See AUDITTODO in stdlib/hash/sha256/sha256.cpp for details and recommended fix.

    for (auto [input, witness_or_constant] : zip_view(inputs, constraint.inputs)) {

        input = to_field_ct(witness_or_constant, builder);

    }

    for (auto [hash_input, witness_or_constant] : zip_view(hash_inputs, constraint.hash_values)) {

        hash_input = to_field_ct(witness_or_constant, builder);

    }


    // Compute sha256 compression

    std::array<field_ct, 8> output_state = bb::stdlib::SHA256<Builder>::sha256_block(hash_inputs, inputs);


    // Constrain outputs to match expected witness indices

    for (auto [output, result_idx] : zip_view(output_state, constraint.result)) {

        field_ct result_witness = field_ct::from_witness_index(&builder, result_idx);

        output.assert_equal(result_witness);

    }

}


template void create_sha256_compression_constraints<bb::UltraCircuitBuilder>(bb::UltraCircuitBuilder& builder,

                                                                             const Sha256Compression& constraint);

template void create_sha256_compression_constraints<bb::MegaCircuitBuilder>(bb::MegaCircuitBuilder& builder,

                                                                            const Sha256Compression& constraint);


} // namespace acir_format

bb::ECCVMCircuitBuilder
Definition eccvm_circuit_builder.hpp:24

bb::MegaCircuitBuilder_
Definition mega_circuit_builder.hpp:19

bb::UltraCircuitBuilder_
Definition ultra_circuit_builder.hpp:41

bb::stdlib::SHA256::sha256_block
static std::array< field_ct, 8 > sha256_block(const std::array< field_ct, 8 > &h_init, const std::array< field_ct, 16 > &input)
Apply the SHA-256 compression function to a single 512-bit message block.
Definition sha256.cpp:379

bb::stdlib::field_t< Builder >

bb::stdlib::field_t< Builder >::from_witness_index
static field_t from_witness_index(Builder *ctx, uint32_t witness_index)
Definition field.cpp:62

zip_view
Definition zip_view.hpp:166

builder
AluTraceBuilder builder
Definition alu.test.cpp:124

inputs
AvmProvingInputs inputs
Definition hinting_dbs.test.cpp:45

acir_format
Definition acir_format.cpp:30

acir_format::create_sha256_compression_constraints< bb::MegaCircuitBuilder >
template void create_sha256_compression_constraints< bb::MegaCircuitBuilder >(bb::MegaCircuitBuilder &builder, const Sha256Compression &constraint)

acir_format::create_sha256_compression_constraints
void create_sha256_compression_constraints(Builder &builder, const Sha256Compression &constraint)
Definition sha256_constraint.cpp:14

acir_format::create_sha256_compression_constraints< bb::UltraCircuitBuilder >
template void create_sha256_compression_constraints< bb::UltraCircuitBuilder >(bb::UltraCircuitBuilder &builder, const Sha256Compression &constraint)

acir_format::to_field_ct
bb::stdlib::field_t< Builder > to_field_ct(const WitnessOrConstant< typename Builder::FF > &input, Builder &builder)
Definition witness_constant.hpp:39

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

sha256_constraint.hpp

sha256.hpp

acir_format::Sha256Compression
Definition sha256_constraint.hpp:14

acir_format::Sha256Compression::hash_values
std::array< WitnessOrConstant< bb::fr >, 8 > hash_values
Definition sha256_constraint.hpp:16

acir_format::Sha256Compression::result
std::array< uint32_t, 8 > result
Definition sha256_constraint.hpp:17

acir_format::Sha256Compression::inputs
std::array< WitnessOrConstant< bb::fr >, 16 > inputs
Definition sha256_constraint.hpp:15

zip_view.hpp