feat(prover): Memory-mapped private input for guest programs (#512)

* fix executor bugs

* add private inputs feature

* merge

* change page size

* fmt

* fix_tests

* fix

* fix_merge

* fmt

* fix_comments

* change verifier privete_inputs handle

* fmt

* add max private input size

* fmt

* fmt

* fmt

* test: add security tests for private input tamper scenarios

Verify the verifier rejects proofs with tampered num_private_input_pages
(zeroed, inflated, exceeds max) and tampered public_output when private
input is present. Also confirm the proof struct does not carry raw
private input bytes.

* clippy + fmt

* clippy + fmt

---------

Co-authored-by: Diego K <43053772+diegokingston@users.noreply.github.com>
Co-authored-by: MauroFab <maurotoscano2@gmail.com>

Author: 3 people

executor/programs/asm/test_private_input_xpage.s

@@ -0,0 +1,32 @@
+	.attribute	5, "rv64i2p1"
+	.globl	main
+main:
+	# Read private input directly from 0xFF000000 (memory-mapped).
+	# Layout: [len:u32 LE] [data...]
+	# Commits 8 bytes of data.
+	#
+	# Note: lui in RV64 sign-extends to 64 bits. lui with 0xFF000 would give
+	# 0xFFFFFFFFFF000000. To get 0xFF000000 we need to construct it differently:
+	# lui x, 0x100000 gives 0x100000000 (53 upper bits), too high.
+	# Instead: load 0x0FF00000 and shift left by 4 bits, OR similar tricks.
+	# Simplest: use li macro and let the assembler handle it.
+
+	li	t0, 0xFF000000		# 1: t0 = 0xFF000000 (private input base)
+
+	# Read length at 0xFF000000
+	lw	t3, 0(t0)		# 2: t3 = length
+
+	# Load 8 bytes of data at 0xFF000008 (aligned, 4 bytes into data region)
+	ld	t1, 8(t0)		# 3
+
+	# Commit 8 bytes from 0xFF000008
+	addi	a1, t0, 8		# 4: buf_addr = 0xFF000008
+	li	a0, 1			# 5: fd = 1
+	li	a2, 8			# 6: count = 8
+	li	a7, 64			# 7: syscall = Commit
+	ecall				# 8: commit
+
+	# Halt
+	li	a0, 0			# 9: exit_code = 0
+	li	a7, 93			# 10: syscall = Halt
+	ecall				# 11: halt

executor/programs/rust/commit/src/main.rs

@@ -1,7 +1,7 @@
 use lambda_vm_syscalls as syscalls;
 
 pub fn main() {
-    let input: Vec<u8> = syscalls::syscalls::get_private_input().unwrap();
+    let input: Vec<u8> = syscalls::syscalls::get_private_input();
     syscalls::syscalls::print_string(format!("Private input received: {:?}\n", input).as_str());
     syscalls::syscalls::commit(&input);
 }

executor/programs/rust/commit_sum/src/main.rs

@@ -1,7 +1,7 @@
 use lambda_vm_syscalls as syscalls;
 
 pub fn main() {
-    let input: Vec<u8> = syscalls::syscalls::get_private_input().unwrap();
+    let input: Vec<u8> = syscalls::syscalls::get_private_input();
     let a = input[0];
     let b = input[1];
     syscalls::syscalls::commit((a + b).to_le_bytes().as_ref());

executor/programs/rust/ethrex/src/main.rs

@@ -2,7 +2,7 @@ use guest_program::{execution::execution_program, input::ProgramInput};
 use rkyv::rancor::Error;
 use lambda_vm_syscalls as syscalls;
 pub fn main() {
-    let input = syscalls::syscalls::get_private_input().unwrap();
+    let input = syscalls::syscalls::get_private_input();
     let input = rkyv::from_bytes::<ProgramInput, Error>(&input).unwrap();
     let output = execution_program(input).unwrap();
     let output_bytes = output.encode();

executor/programs/rust/memory/src/main.rs

@@ -1,7 +1,7 @@
 use lambda_vm_syscalls as syscalls;
 
 pub fn main() {
-    let input = syscalls::syscalls::get_private_input().unwrap();
+    let input = syscalls::syscalls::get_private_input();
     let size = u32::from_be_bytes(input.try_into().unwrap());
     let mut vector = vec![];
     for i in 0..size {

executor/programs/rust/pure_commit/Cargo.lock

@@ -10,7 +10,6 @@ const REGULAR_PC_UPDATE: u64 = 4;
 pub enum SyscallNumbers {
     Print = 1,
     Panic = 2,
-    GetPrivateInputs = 4,
     Commit = 64,
     Halt = 93,
 }
@@ -21,7 +20,6 @@ impl TryFrom<u64> for SyscallNumbers {
         match value {
             1 => Ok(SyscallNumbers::Print),
             2 => Ok(SyscallNumbers::Panic),
-            4 => Ok(SyscallNumbers::GetPrivateInputs),
             64 => Ok(SyscallNumbers::Commit),
             93 => Ok(SyscallNumbers::Halt),
             _ => Err(()),
@@ -326,14 +324,6 @@ impl Instruction {
                         src2_val = buf_addr;
                         dst_val = count;
                     }
-                    SyscallNumbers::GetPrivateInputs => {
-                        // get private inputs
-                        let pointer = registers.read(10)?;
-                        let private_inputs = memory.load_private_inputs()?;
-                        for (i, byte) in private_inputs.iter().enumerate() {
-                            memory.store_byte(pointer + i as u64, *byte);
-                        }
-                    }
                     SyscallNumbers::Halt => {
                         // halt
                         return Ok(Log {

executor/src/vm/instruction/execution.rs

@@ -41,10 +41,13 @@ pub type U64HashMap<V> = HashMap<u64, V, U64BuildHasher>;
 // TODO: Correctly define this
 const MAX_PUBLIC_OUTPUT_COMMIT_SIZE: u64 = 1024;
 const PUBLIC_OUTPUT_START_INDEX: u64 = 0;
-// Ported from main: increased from 1024 to support larger inputs (ethrex)
-const MAX_PRIVATE_INPUT_SIZE: u64 = 6700000;
-// Ported from main: fixed high address to avoid overlap with program memory
-const PRIVATE_INPUT_START_INDEX: u64 = 0xFF000000;
+/// Maximum size of the private input memory region (in bytes).
+pub const MAX_PRIVATE_INPUT_SIZE: u64 = 6700000;
+/// Fixed high address where private input is mapped. Guest programs can read
+/// directly from this address (ZisK-style memory-mapped input).
+/// Layout: 4-byte LE length prefix at `PRIVATE_INPUT_START_INDEX`, then data at +4.
+/// Must match `PRIVATE_INPUT_START` in `syscalls/src/syscalls.rs`.
+pub const PRIVATE_INPUT_START_INDEX: u64 = 0xFF000000;
 
 #[derive(Default, Debug)]
 pub struct Memory(U64HashMap<[u8; 4]>);
@@ -151,7 +154,13 @@ impl Memory {
         Ok(self.load_bytes(PUBLIC_OUTPUT_START_INDEX + 4, size as u64))
     }
 
+    /// Pre-loads private input bytes at `PRIVATE_INPUT_START_INDEX` as a
+    /// 4-byte LE length prefix followed by the raw data. The guest reads these
+    /// bytes directly via normal RISC-V loads (ZisK-style memory-mapped input).
     pub fn store_private_inputs(&mut self, inputs: Vec<u8>) -> Result<(), MemoryError> {
+        if inputs.is_empty() {
+            return Ok(());
+        }
         if inputs.len() as u64 > MAX_PRIVATE_INPUT_SIZE {
             return Err(MemoryError::PrivateInputSizeExceeded);
         }
@@ -160,13 +169,6 @@ impl Memory {
         Ok(())
     }
 
-    pub fn load_private_inputs(&self) -> Result<Vec<u8>, MemoryError> {
-        let size = self.load_word(PRIVATE_INPUT_START_INDEX)?;
-        let mut inputs = size.to_le_bytes().to_vec();
-        inputs.extend_from_slice(&self.load_bytes(PRIVATE_INPUT_START_INDEX + 4, size as u64));
-        Ok(inputs)
-    }
-
     pub fn load_bytes(&self, mut addr: u64, len: u64) -> Vec<u8> {
         let mut result = Vec::with_capacity(len as usize);
         let end = addr + len;

executor/src/vm/memory.rs

@@ -21,6 +21,19 @@ fn run_program(elf_path: &str) {
     );
 }
 
+/// Test that the memory-mapped private input region is readable by guest programs.
+/// The ASM program reads from 0xFF000000 and commits 8 bytes of data.
+#[test]
+fn test_private_input_memory_mapped() {
+    let elf_data = std::fs::read("./program_artifacts/asm/test_private_input_xpage.elf").unwrap();
+    let program = Elf::load(&elf_data).unwrap();
+    let input: Vec<u8> = (0u8..16).collect();
+    let executor = Executor::new(&program, input.clone()).unwrap();
+    let result = executor.run().unwrap();
+    // Committed bytes are at 0xFF000008 = data bytes [4..12]
+    assert_eq!(result.return_values.memory_values, input[4..12].to_vec());
+}
+
 #[test]
 fn test_basic_program() {
     run_program("./program_artifacts/asm/basic_program.elf");