Barretenberg: src/barretenberg/stdlib/hash/sha256/sha256.hpp Source File

// === AUDIT STATUS ===

// internal:    { status: Complete, auditors: [Luke], commit: }

// external_1:  { status: not started, auditors: [], commit: }

// external_2:  { status: not started, auditors: [], commit: }

// =====================


#pragma once

#include "barretenberg/stdlib_circuit_builders/plookup_tables/plookup_tables.hpp"

#include <array>


#include "barretenberg/numeric/bitop/sparse_form.hpp"

#include "barretenberg/stdlib/primitives/circuit_builders/circuit_builders_fwd.hpp"


#include "../../primitives/field/field.hpp"


namespace bb::stdlib {


template <typename Builder> class SHA256 {


    using field_ct = field_t<Builder>;


    static constexpr fr base{ 16 };


    static constexpr std::array<fr, 4> left_multipliers{

        base.pow(32 - 7) + base.pow(32 - 18),                         // limb 0: rot7 + rot18

        base.pow(32 - 18 + 3) + fr(1),                                // limb 1: rot18 + shift3

        base.pow(10 - 7) + base.pow(32 - 18 + 10) + base.pow(10 - 3), // limb 2: rot7 + rot18 + shift3

        base.pow(18 - 7) + fr(1) + base.pow(18 - 3),                  // limb 3: rot7 + rot18 + shift3

    };


    static constexpr std::array<fr, 4> right_multipliers{

        base.pow(32 - 17) + base.pow(32 - 19),         // limb 0: rot17 + rot19

        base.pow(32 - 17 + 3) + base.pow(32 - 19 + 3), // limb 1: rot17 + rot19

        base.pow(32 - 19 + 10) + fr(1),                // limb 2: rot19 + shift10

        base.pow(18 - 17) + base.pow(18 - 10),         // limb 3: rot17 + shift10

    };


    static constexpr std::array<uint64_t, 64> round_constants{

        0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,

        0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,

        0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,

        0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,

        0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,

        0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,

        0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,

        0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2

    };


    struct sparse_witness_limbs {


        sparse_witness_limbs(const field_ct& in = 0)

            : normal(in)

        {}


        sparse_witness_limbs(const sparse_witness_limbs& other) = default;

        sparse_witness_limbs(sparse_witness_limbs&& other) = default;

        sparse_witness_limbs& operator=(const sparse_witness_limbs& other) = default;

        sparse_witness_limbs& operator=(sparse_witness_limbs&& other) = default;

        ~sparse_witness_limbs() = default;


        field_ct normal;


        std::array<field_ct, 4> sparse_limbs;


        std::array<field_ct, 4> rotated_limb_corrections;


        bool has_sparse_limbs = false;

    };


    struct sparse_value {


        sparse_value(const field_ct& in = 0)

            : normal(in)

        {

            if (normal.is_constant()) {

                sparse = field_ct(in.get_context(),

                                  bb::fr(numeric::map_into_sparse_form<16>(uint256_t(in.get_value()).data[0])));

            }

        }


        sparse_value(const sparse_value& other) = default;

        sparse_value(sparse_value&& other) = default;

        sparse_value& operator=(const sparse_value& other) = default;

        sparse_value& operator=(sparse_value&& other) = default;

        ~sparse_value() = default;


        field_ct normal;

        field_ct sparse;

    };


    static sparse_witness_limbs convert_witness(const field_ct& input);


    static field_ct choose_with_sigma1(sparse_value& e, const sparse_value& f, const sparse_value& g);


    static field_ct majority_with_sigma0(sparse_value& a, const sparse_value& b, const sparse_value& c);

    static sparse_value map_into_choose_sparse_form(const field_ct& input);

    static sparse_value map_into_maj_sparse_form(const field_ct& input);


    static field_ct add_normalize(const field_ct& a, const field_ct& b);


  public:

    static std::array<field_ct, 8> sha256_block(const std::array<field_ct, 8>& h_init,

                                                const std::array<field_ct, 16>& input);


    static std::array<field_ct, 64> extend_witness(const std::array<field_ct, 16>& w_in);

};


} // namespace bb::stdlib

circuit_builders_fwd.hpp

bb::numeric::uint256_t
Definition uint256.hpp:32

bb::numeric::uint256_t::data
uint64_t data[4]
Definition uint256.hpp:207

bb::stdlib::SHA256
Definition sha256.hpp:18

bb::stdlib::SHA256::map_into_maj_sparse_form
static sparse_value map_into_maj_sparse_form(const field_ct &input)
Convert a field element to sparse form for use in the Majority function.
Definition sha256.cpp:219

bb::stdlib::SHA256::add_normalize
static field_ct add_normalize(const field_ct &a, const field_ct &b)
Compute (a + b) mod 2^32 with circuit constraints.
Definition sha256.cpp:329

bb::stdlib::SHA256::extend_witness
static std::array< field_ct, 64 > extend_witness(const std::array< field_ct, 16 > &w_in)
Extend the 16-word message block to 64 words per SHA-256 specification.
Definition sha256.cpp:82

bb::stdlib::SHA256::right_multipliers
static constexpr std::array< fr, 4 > right_multipliers
Multipliers for computing σ₁ during message schedule extension.
Definition sha256.hpp:84

bb::stdlib::SHA256::choose_with_sigma1
static field_ct choose_with_sigma1(sparse_value &e, const sparse_value &f, const sparse_value &g)
Compute Σ₁(e) + Ch(e,f,g) for SHA-256 compression rounds.
Definition sha256.cpp:246

bb::stdlib::SHA256::round_constants
static constexpr std::array< uint64_t, 64 > round_constants
Definition sha256.hpp:91

bb::stdlib::SHA256::convert_witness
static sparse_witness_limbs convert_witness(const field_ct &input)
Convert a 32-bit value to sparse limbs form for message schedule extension.
Definition sha256.cpp:45

bb::stdlib::SHA256::majority_with_sigma0
static field_ct majority_with_sigma0(sparse_value &a, const sparse_value &b, const sparse_value &c)
Compute Σ₀(a) + Maj(a,b,c) for SHA-256 compression rounds.
Definition sha256.cpp:291

bb::stdlib::SHA256::field_ct
field_t< Builder > field_ct
Definition sha256.hpp:20

bb::stdlib::SHA256::left_multipliers
static constexpr std::array< fr, 4 > left_multipliers
Multipliers for computing σ₀ during message schedule extension.
Definition sha256.hpp:50

bb::stdlib::SHA256::map_into_choose_sparse_form
static sparse_value map_into_choose_sparse_form(const field_ct &input)
Convert a field element to sparse form for use in the Choose function.
Definition sha256.cpp:199

bb::stdlib::SHA256::sha256_block
static std::array< field_ct, 8 > sha256_block(const std::array< field_ct, 8 > &h_init, const std::array< field_ct, 16 > &input)
Apply the SHA-256 compression function to a single 512-bit message block.
Definition sha256.cpp:379

bb::stdlib::SHA256::base
static constexpr fr base
Definition sha256.hpp:22

bb::stdlib::field_t< Builder >

bb::stdlib::field_t::is_constant
bool is_constant() const
Definition field.hpp:429

a
FF a
Definition field_gt.test.cpp:52

b
FF b
Definition field_gt.test.cpp:53

bb::stdlib::blake_util::g
void g(field_t< Builder > state[BLAKE_STATE_SIZE], size_t a, size_t b, size_t c, size_t d, field_t< Builder > x, field_t< Builder > y)
Definition blake_util.hpp:112

bb::stdlib
Definition graph_description_goblin.test.cpp:13

bb::fr
field< Bn254FrParams > fr
Definition fr.hpp:174

std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13

plookup_tables.hpp

sparse_form.hpp

bb::field< Bn254FrParams >

bb::field::pow
BB_INLINE constexpr field pow(const uint256_t &exponent) const noexcept
Definition field_impl.hpp:352

bb::stdlib::SHA256::sparse_value
Definition sha256.hpp:119

bb::stdlib::SHA256::sparse_value::normal
field_ct normal
Definition sha256.hpp:135

bb::stdlib::SHA256::sparse_value::sparse_value
sparse_value(const sparse_value &other)=default

bb::stdlib::SHA256::sparse_value::operator=
sparse_value & operator=(const sparse_value &other)=default

bb::stdlib::SHA256::sparse_value::sparse_value
sparse_value(sparse_value &&other)=default

bb::stdlib::SHA256::sparse_value::sparse_value
sparse_value(const field_ct &in=0)
Definition sha256.hpp:120

bb::stdlib::SHA256::sparse_value::operator=
sparse_value & operator=(sparse_value &&other)=default

bb::stdlib::SHA256::sparse_value::sparse
field_ct sparse
Definition sha256.hpp:136

bb::stdlib::SHA256::sparse_value::~sparse_value
~sparse_value()=default

bb::stdlib::SHA256::sparse_witness_limbs
Definition sha256.hpp:101

bb::stdlib::SHA256::sparse_witness_limbs::sparse_witness_limbs
sparse_witness_limbs(sparse_witness_limbs &&other)=default

bb::stdlib::SHA256::sparse_witness_limbs::normal
field_ct normal
Definition sha256.hpp:111

bb::stdlib::SHA256::sparse_witness_limbs::~sparse_witness_limbs
~sparse_witness_limbs()=default

bb::stdlib::SHA256::sparse_witness_limbs::operator=
sparse_witness_limbs & operator=(const sparse_witness_limbs &other)=default

bb::stdlib::SHA256::sparse_witness_limbs::sparse_witness_limbs
sparse_witness_limbs(const sparse_witness_limbs &other)=default

bb::stdlib::SHA256::sparse_witness_limbs::has_sparse_limbs
bool has_sparse_limbs
Definition sha256.hpp:117

bb::stdlib::SHA256::sparse_witness_limbs::rotated_limb_corrections
std::array< field_ct, 4 > rotated_limb_corrections
Definition sha256.hpp:115

bb::stdlib::SHA256::sparse_witness_limbs::operator=
sparse_witness_limbs & operator=(sparse_witness_limbs &&other)=default

bb::stdlib::SHA256::sparse_witness_limbs::sparse_limbs
std::array< field_ct, 4 > sparse_limbs
Definition sha256.hpp:113

bb::stdlib::SHA256::sparse_witness_limbs::sparse_witness_limbs
sparse_witness_limbs(const field_ct &in=0)
Definition sha256.hpp:102