Skip to content

Update spec#613

Open
ColoCarletti wants to merge 9 commits into
mainfrom
spec/main
Open

Update spec#613
ColoCarletti wants to merge 9 commits into
mainfrom
spec/main

Conversation

@ColoCarletti
Copy link
Copy Markdown
Collaborator

@ColoCarletti ColoCarletti commented May 22, 2026

No description provided.

RobinJadoul and others added 8 commits April 10, 2026 17:28
@RobinJadoul @erik-3milabs
spec: SHA256 accelerator (#372)
caa053c 
* spec: First sha256 accelerator draft

* Types checked

* Update typst description

* HWSLC -> HWSL

* Apply suggestions from code review

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>
Co-authored-by: Robin Jadoul <robin.jadoul@gmail.com>

* preliminary changes after review

* fix out_e carry check

* rotxor with 2 fewer columns

* Correct count of bytes for out range checks

* Explicit tables for SHA256_K

* whoops

* cosmetic + explanation

* Apply suggestions from code review

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>

* Update spec/sha256.typ

* Replace base_addr by entry in addr

* review comments

* structure

* Apply suggestions from code review

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>

* Update spec/sha256.typ

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>

* spec/sha256: rebase fixes

---------

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>
Co-authored-by: Erik Takke <erik.takke@3milabs.tech>
@erik-3milabs @claude @RobinJadoul
spec: KECCAK accelerator (#474)
d23f806 
* spec: math/code render mod expr

* spec/type_check: add ModExpr

* spec: add multi-dimensional array support

* spec/KECCAK: introduce v0

* spec/keccak: define padding

* spec: support multidimensional array in signatures

* spec/keccak: add signatures

* spec/keccak: update core chip

* spec/keccak: update keccak_rnd description

* spec/keccak: define round constant lookup

* Apply suggestions from code review

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>

* spec/keccak: clarify "optimizations" header

* spec/keccak: list `state_ptr` simplification optimization

* spec/keccak: fix C3

* spec/keccak: fix missing EOF

* spec/keccak: list interaction counts

* spec/keccak: list three-way XOR optimization idea

* spec/tooling: fix mod_expr default

* spec: add spaces round `%` rendering

* spec: reuse `type_to_code` in `signatures.typ`

* Apply suggestions from code review

Co-authored-by: Robin Jadoul <robin.jadoul@gmail.com>

* spec/keccak: update three-way XOR optimization benefits

* spec/ecall: reintroduce ecall-number overview

* spec/keccak: ref to sections in FIPS202 on state endianness

* spec/keccak: fix typo

---------

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Robin Jadoul <robin.jadoul@gmail.com>
@RobinJadoul @claude @erik-3milabs
spec: Inline PC memory access into CPU (#501)
0f90155 
* spec: Inline PC memory access into CPU

* Apply suggestions from code review

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Robin Jadoul <robin.jadoul@gmail.com>

* Apply review suggestion

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>

* Remove `pc_double_read` constraints and clarify why in cpu.typ

* Potential optimization -> subsubsection

* Address review comments

* Clarifying remark on register initialization

---------

Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>
@RobinJadoul @erik-3milabs
spec: shiroa fixes (#533)
6363f3e 
* Fix shiroa build

- Strip raw blocks from chapter titles for `project` argument
- Add an explicit description (based on chapter title) to chapters
  to avoid compilation issues when context appears early in the chapter
- Export interaction counts from the pdf version to use in shiroa,
  since otherwise we run into convergence issues that are hard to debug

* cd into script directory and harden against stale interaction counts

* Update spec/book.typ

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>

* Fall back to single-threaded shiroa when insufficient memory

---------

Co-authored-by: Erik <159244975+erik-3milabs@users.noreply.github.com>
@RobinJadoul
spec: Enable heading numbering for section references in shiroa (#534)
b6478d6 
* spec: Enable heading numbering for section references in shiroa

* Remove explicit heading numbering from logup chapter
@erik-3milabs
spec: ARE_BYTES (#532)
6872537 
* spec/ARE_BYTES: introduce ARE_BYTES signature

* spec/ARE_BYTES: introduce ARE_BYTES lookup

* spec/ARE_BYTES: introduce IS_BYTE template

* spec/ARE_BYTES: switch IS_BYTE lookup to IS_BYTE template

* spec/ARE_BYTES: drop IS_BYTE interaction

* spec/ARE_BYTES: drop IS_BYTE lookup signature

* spec/ARE_BYTES: turn multiplicity into cond

* spec/ARE_BYTES: remove as potential optimization

* spec/ARE_BYTES: update assumptions using IS_BYTE
@erik-3milabs
spec: Fix KECCAK (#554)
2e05a25 
* spec/keccak: fix cyclic-shift indexing mistakes

* spec/ecall: fix negative ECALL numbering

* spec/keccak: optimize Cxz_right from Byte to Bit

* spec/KECCAK: add potential optimization

rot_left and rot_right contain 96 constant zero-columns, which can be dropped. Additionally, those zeroes do not have to be byte-checked.

* spec/KECCAK: fix typo

* spec/KECCAK: list another potential optimization

* spec/keccak: fix index division problems

* spec/keccak: remove condition from IS_BIT
@ColoCarletti
Merge branch 'main' into spec/main
d386a30
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 22, 2026

Codex Code Review

Found two issues in the PR diff:

  1. [High] SHA-256 ROTXOR leaves upper half unconstrained
    In spec/src/rotxor.toml:157, the second a2 limb constraint is documented as constraining a2[1], but the polynomial subtracts a2[0] again. This means a2[1] is not tied to the shifted/rotated input, so the upper 16 bits of the third ROTXOR term can be chosen arbitrarily and then flow into SHA-256 round/message-schedule values. Change the first indexed limb in that polynomial from 0 to 1.

  2. [High] SHA-256 x11 read emits the wrong old register value
    In spec/src/sha256.toml:59, the MEMW output for reading m_addr from x11 uses limb 0 twice. It should mirror the input value’s low and high limbs, like the h_addr read below does. As written, the accelerator consumes an old x11 token [lo, lo] and emits [lo, hi], so the “read” mutates the register and rejects normal cases where hi != lo.

I also ran the spec typechecker command:

python3 spec/tooling/chip.py spec/src/config.toml spec/src/signatures.toml spec/src/*.toml

It reports no issues, so these are semantic bugs the current checker does not catch.

claude[bot]
claude Bot reviewed May 22, 2026
View reviewed changes
Comment thread spec/src/rotxor.toml
claude[bot]
claude Bot reviewed May 22, 2026
View reviewed changes
Comment thread spec/src/sha256.toml
claude[bot]
claude Bot reviewed May 22, 2026
View reviewed changes
Comment thread spec/src/signatures.toml
@claude
Copy link
Copy Markdown

claude Bot commented May 22, 2026

Review: Update spec (SHA256 + KECCAK accelerators)

Summary

This PR adds formal specification for two cryptographic accelerators (SHA256 and KECCAK permutation), introduces the IS_BYTE template (wrapping the renamed ARE_BYTES interaction), extends the expression language with mod, and supports nested array types. The bulk of the new material is correct and well-structured.

Bugs

1. [High] rotxor.tomla2[1] constraint uses wrong index (see inline)

The polynomial for the second a2 constraint has ["idx", ["cast", "a2", "WordHL"], 0] where it should be 1. This means a2[0] is constrained twice and a2[1] is unconstrained — a prover can freely set it, breaking the shift decomposition for SHA256's s0/s1 computations.

2. [Medium] sha256.tomlm_addr MEMW output duplicates index 0 (see inline)

The MEMW output for reading register x11 (chunk address) uses ["idx", ..., 0] twice instead of 0 then 1. The high word of m_addr[0] is left unconstrained; the analogous h_addr read on line 106 is correct.

Nit

  • signatures.toml line 8: comment says IS_BIT<X, μ> — should be IS_BYTE<X, μ> (copy-paste from the entry above).

No issues found in

  • Keccak theta/rho/chi/iota constraint structure (range checks on Cxz_left, rot_left, rot_right are correctly noted as necessary and present)
  • mod expression addition in expr.typ / chip.py
  • IS_BYTE → template + ARE_BYTES interaction split
  • Nested array type support
  • CPU pc_double_read / prev_pc_timestamp_borrow inline optimization
  • Build script (build_shiroa.sh)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@jotabulacios jotabulacios jotabulacios approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ColoCarletti @jotabulacios @RobinJadoul @erik-3milabs