Start VM with initialized Sponge state #296
Conversation
jan-ferdinand
changed the title
jan-ferdinand
force-pushed
the
start_with_init_sponge
branch
3 times, most recently
from
09521e3 to
9a79cfd
Compare
Previously, it was necessary to initialize Triton VM's Sponge state manually before any other Sponge instruction could be used. Now, instructions `sponge_absorb`, `sponge_absorb_mem`, and `sponge_squeeze` can be executed without first executing instruction `sponge_init`.
jan-ferdinand
force-pushed
the
start_with_init_sponge
branch
from
9a79cfd to
5f54e1e
Compare
triton-vm/src/table/hash_table.rs
Outdated
| @@ -435,6 +436,7 @@ impl ExtHashTable { | |||
| let if_ci_is_sponge_init_then_round_number_is_0 = | |||
| if_ci_is_sponge_init_then_.clone() * round_number.clone(); | |||
|
|
|||
| // the capacity being zero is guaranteed by the evaluation argument | |||
There was a problem hiding this comment.
| // the capacity being zero is guaranteed by the evaluation argument | |
| // the capacity-elements being zero is guaranteed by the evaluation argument |
| // If the next round number is 0, then | ||
| // - the next mode is either `Hash` or `Pad`, or | ||
| // - the next instruction is `sponge_init`, or | ||
| // - the capacity does not change, or | ||
| // - the current mode is `ProgramHashing` and (!) the next mode is `sponge`. | ||
| // | ||
| // The “and” marked with an exclamation mark requires above constraint to be | ||
| // expressed through two polynomials. | ||
| let capacity_doesnt_change_at_section_start_when_program_hashing_or_ = |
There was a problem hiding this comment.
I think section_start is a poor choice of words. What is a section? Are there at most four sections, one for each mode? I gather (perhaps incorrectly) that section means the same as round. Why not use that word instead? Or even better: new_round.
There was a problem hiding this comment.
If it does mean "contiguous region of constant mode" I would suggest using instead mode_switch instead.
There was a problem hiding this comment.
This (pair of) constraints is very confusing. Is it because it is trying to achieve several features at once? If so, consider separating it into more constraints. If mode switches from A to B then enforce C; if mode switches from X to Y then enforce Z; etc.
| capacity_doesnt_change_at_section_start_when_program_hashing_or_ | ||
| * Self::select_mode(circuit_builder, &mode_next, HashTableMode::Sponge); | ||
|
|
||
| let randomized_sum_of_state_differences = |
There was a problem hiding this comment.
Consider renaming to state_doesnt_change.
| Self::round_number_deselector(circuit_builder, &round_number_next, 0) | ||
| * Self::select_mode(circuit_builder, &mode, HashTableMode::ProgramHashing) |
There was a problem hiding this comment.
I would expect there to be a deselector for mode Sponge. Can't you transition from something other than ProgramHashing to Sponge?
There was a problem hiding this comment.
The four separate modes are
program_hashing,sponge,hash, andpad, and they evolve in that order.
Got it!
| @@ -189,8 +157,12 @@ define `state_i_hi_limbs_minus_2_pow_32 := 2^32 - 1 - 2^16·state_i_highest_lk_i | |||
| 1. If the `round_no` in the next row is 0 | |||
| and the `Mode` in the next row is either `program_hashing` or `sponge` | |||
| and the instruction in the next row is either `sponge_absorb` or `sponge_init`, | |||
| then the capacity's state registers don't change. | |||
| 1. If the `round_no` in the next row is 0 and the current instruction in the next row is `sponge_squeeze`, then none of the state registers change. | |||
| then the capacity's state registers don't change, | |||
There was a problem hiding this comment.
The capacity elements do not change if the next instruction is sponge_init? That doesn't sound right. I would expect them to be set to zero.
| then the capacity's state registers don't change, | ||
| or the `Mode` in the current row is `program_hashing` and the `Mode` in the next row is `sponge`. | ||
| 1. If the `round_no` in the next row is 0 | ||
| and the current instruction in the next row is `sponge_squeeze`, |
There was a problem hiding this comment.
"current instruction in the next row" is confusing; consider abbreviating to "CI".
| 1. If the `round_no` in the next row is 0 | ||
| and the current instruction in the next row is `sponge_squeeze`, | ||
| then none of the state registers change, | ||
| or the `Mode` in the current row is `program_hashing`. |
There was a problem hiding this comment.
So if the current mode is program_hashing and the next instruction is sponge_squeeze then the state registers can change? Very counter-intuitive.
jan-ferdinand
force-pushed
the
master
branch
2 times, most recently
from
1c2ccef to
dd496f7
Compare
jan-ferdinand
force-pushed
the
master
branch
2 times, most recently
from
358c67f to
6271c3d
Compare
jan-ferdinand
force-pushed
the
master
branch
from
d2fd1ed to
52b5057
Compare
Previously, it was necessary to initialize Triton VM's Sponge state manually before any other Sponge instruction could be used. Now, instructions
sponge_absorb,sponge_absorb_mem, andsponge_squeezecan be executed without first executing instructionsponge_init.This is a breaking change because the
VMState's fieldspongeis both public and changes type fromOption<Tip5>toTip5.Specific reasons I have flagged you for review:
Apart from these specific questions, I'm happy to receive general ∧/∨ other feedback, of course.