Merge pull request #277 from 0xPolygonZero/develop

Bring `v0.4.0` into `main`

.github/CODEOWNERS

@@ -1,2 +1,2 @@
-* @muursh @Nashtare
-/evm_arithmetization/ @wborgeaud @muursh @Nashtare
+* @muursh @Nashtare @cpubot
+/evm_arithmetization/ @wborgeaud @muursh @Nashtare @cpubot

.github/workflows/audit.yml

@@ -0,0 +1,13 @@
+name: Security audit
+on:
+  push:
+    paths: 
+      - '**/Cargo.toml'
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: rustsec/audit-check@v1.4.1
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-    CARGO_TERM_COLOR: always
+  CARGO_TERM_COLOR: always
 
 jobs:
   test_mpt_trie:
@@ -33,7 +33,7 @@ jobs:
       - name: Set up rust cache
         uses: Swatinem/rust-cache@v2
         with:
-            cache-on-failure: true
+          cache-on-failure: true
 
       - name: Test in mpt_trie subdirectory
         run: cargo test --manifest-path mpt_trie/Cargo.toml
@@ -58,7 +58,7 @@ jobs:
       - name: Set up rust cache
         uses: Swatinem/rust-cache@v2
         with:
-            cache-on-failure: true
+          cache-on-failure: true
 
       - name: Test in trace_decoder subdirectory
         run: cargo test --manifest-path trace_decoder/Cargo.toml
@@ -83,7 +83,7 @@ jobs:
       - name: Set up rust cache
         uses: Swatinem/rust-cache@v2
         with:
-            cache-on-failure: true
+          cache-on-failure: true
 
       - name: Test in proof_gen subdirectory
         run: cargo test --manifest-path proof_gen/Cargo.toml
@@ -108,7 +108,7 @@ jobs:
       - name: Set up rust cache
         uses: Swatinem/rust-cache@v2
         with:
-            cache-on-failure: true
+          cache-on-failure: true
 
       - name: Test in evm_arithmetization subdirectory
         run: cargo test --manifest-path evm_arithmetization/Cargo.toml
@@ -119,7 +119,7 @@ jobs:
           RUST_BACKTRACE: 1
 
   lints:
-    name: Formatting and Clippy
+    name: Rustdoc, Formatting and Clippy
     runs-on: ubuntu-latest
     timeout-minutes: 10
     if: "! contains(toJSON(github.event.commits.*.message), '[skip-ci]')"
@@ -130,15 +130,18 @@ jobs:
       - name: Install nightly toolchain
         uses: dtolnay/rust-toolchain@nightly
         with:
-            components: rustfmt, clippy
+          components: rustfmt, clippy
 
       - name: Set up rust cache
         uses: Swatinem/rust-cache@v2
         with:
-            cache-on-failure: true
+          cache-on-failure: true
 
       - name: Run cargo fmt
         run: cargo fmt --all --check
 
       - name: Run cargo clippy
         run: cargo clippy --all-features --all-targets -- -D warnings -A incomplete-features
+
+      - name: Rustdoc
+        run: cargo doc --all

CHANGELOG.md

@@ -8,7 +8,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.4.0] - 2024-06-12
+
 ### Changed
+- Some cleanup ([#190](https://github.com/0xPolygonZero/zk_evm/pull/190))
+- Silence jumpdest analysis logs ([#193](https://github.com/0xPolygonZero/zk_evm/pull/193))
+- Charge call value gas prior to call ([#199](https://github.com/0xPolygonZero/zk_evm/pull/199))
+- refactor: fix todos ([#162](https://github.com/0xPolygonZero/zk_evm/pull/162))
+- Remove print call in trace_decoder ([#208](https://github.com/0xPolygonZero/zk_evm/pull/208))
+- Update CODEOWNERS ([#224](https://github.com/0xPolygonZero/zk_evm/pull/224))
+- Fix access lists pointers check ([#217](https://github.com/0xPolygonZero/zk_evm/pull/217))
+- Add a few QoL useability functions to the interface ([#169](https://github.com/0xPolygonZero/zk_evm/pull/169))
+- Amortize `sha2` compression loop ([#231](https://github.com/0xPolygonZero/zk_evm/pull/231))
+- ci: add cargo audit job ([#236](https://github.com/0xPolygonZero/zk_evm/pull/236))
+- fix: Revert interpreter stack display ([#238](https://github.com/0xPolygonZero/zk_evm/pull/238))
+- Fix clippy `doc_lazy_continuation` ([#247](https://github.com/0xPolygonZero/zk_evm/pull/247))
+- perf: Improve `blake2` precompile ([#239](https://github.com/0xPolygonZero/zk_evm/pull/239))
+- fix: rustdoc and tests ([#255](https://github.com/0xPolygonZero/zk_evm/pull/255))
+- Native trace processing support ([#246](https://github.com/0xPolygonZero/zk_evm/pull/246))
+- Added `Clone` to a few error types in `mpt_trie` ([#259](https://github.com/0xPolygonZero/zk_evm/pull/259))
+- cleanup: remove outdated segment ([#262](https://github.com/0xPolygonZero/zk_evm/pull/262))
+- fix: add G2 subgroup check for `ECPAIRING` ([#268](https://github.com/0xPolygonZero/zk_evm/pull/268))
+- add partial trie builder ([#258](https://github.com/0xPolygonZero/zk_evm/pull/258))
 
 ## [0.3.1] - 2024-04-22
 

evm_arithmetization/Cargo.toml

@@ -1,7 +1,7 @@
 [package]
 name = "evm_arithmetization"
 description = "Implementation of STARKs for the Ethereum Virtual Machine"
-version = "0.1.3"
+version = "0.2.0"
 authors = ["Daniel Lubarov <daniel@lubarov.com>", "William Borgeaud <williamborgeaud@gmail.com>"]
 readme = "README.md"
 categories = ["cryptography"]
@@ -41,7 +41,7 @@ tiny-keccak = "2.0.2"
 serde_json = { workspace = true }
 
 # Local dependencies
-mpt_trie = { version = "0.2.1", path = "../mpt_trie" }
+mpt_trie = { version = "0.3.0", path = "../mpt_trie" }
 
 [target.'cfg(not(target_env = "msvc"))'.dependencies]
 jemallocator = "0.5.0"

evm_arithmetization/src/arithmetic/addcy.rs

@@ -84,8 +84,9 @@ const GOLDILOCKS_INVERSE_65536: u64 = 18446462594437939201;
 ///
 /// If `N_LIMBS = 1`, then this amounts to verifying that either `x_0
 /// + y_0 = z_0` or `x_0 + y_0 == z_0 + cy*2^16` (this is `t` on line
-/// 127ff). Ok. Now assume the constraints are valid for `N_LIMBS =
-/// n-1`. Then by induction,
+/// 127ff). Ok. Now assume the constraints are valid for `N_LIMBS = n-1`.
+///
+/// Then by induction,
 ///
 /// \sum_{i=0}^{n-1} (x_i + y_i) * 2^(16*i) + (x_n + y_n)*2^(16*n) ==
 /// \sum_{i=0}^{n-1} z_i * 2^(16*i) + cy_{n-1}*2^(16*n) + z_n*2^(16*n)

evm_arithmetization/src/byte_packing/byte_packing_stark.rs

@@ -9,9 +9,9 @@
 //!
 //! The length of a sequence can be retrieved for CTLs as:
 //!
-//!    sequence_length = \sum_{i=0}^31 b[i] * (i + 1)
+//! `sequence_length = \sum_{i=0}^31 b[i] * (i + 1)`
 //!
-//! where b[i] is the `i`-th byte flag.
+//! where `b[i]` is the `i`-th byte flag.
 //!
 //! Because of the discrepancy in endianness between the different tables, the
 //! byte sequences are actually written in the trace in reverse order from the

evm_arithmetization/src/cpu/cpu_stark.rs

@@ -17,15 +17,15 @@ use starky::stark::Stark;
 use super::columns::CpuColumnsView;
 use super::halt;
 use super::kernel::constants::context_metadata::ContextMetadata;
-use super::membus::NUM_GP_CHANNELS;
+use super::membus::{NUM_CHANNELS, NUM_GP_CHANNELS};
 use crate::all_stark::{EvmStarkFrame, Table};
 use crate::cpu::columns::{COL_MAP, NUM_CPU_COLUMNS};
 use crate::cpu::{
     byte_unpacking, clock, contextops, control_flow, decode, dup_swap, gas, jumps, membus, memio,
     modfp254, pc, push0, shift, simple_logic, stack, syscalls_exceptions,
 };
 use crate::memory::segments::Segment;
-use crate::memory::{NUM_CHANNELS, VALUE_LIMBS};
+use crate::memory::VALUE_LIMBS;
 
 /// Creates the vector of `Columns` corresponding to the General Purpose
 /// channels when calling the Keccak sponge: the CPU reads the output of the

evm_arithmetization/src/cpu/decode.rs

@@ -8,20 +8,24 @@ use starky::constraint_consumer::{ConstraintConsumer, RecursiveConstraintConsume
 use crate::cpu::columns::{CpuColumnsView, COL_MAP};
 
 /// List of opcode blocks
-///  Each block corresponds to exactly one flag, and each flag corresponds to
+/// Each block corresponds to exactly one flag, and each flag corresponds to
 /// exactly one block.  Each block of opcodes:
+///
 /// - is contiguous,
 /// - has a length that is a power of 2, and
 /// - its start index is a multiple of its length (it is aligned).
-///  These properties permit us to check if an opcode belongs to a block of
+///
+/// These properties permit us to check if an opcode belongs to a block of
 /// length 2^n by checking its top 8-n bits.
-///  Additionally, each block can be made available only to the user, only to
+///
+/// Additionally, each block can be made available only to the user, only to
 /// the kernel, or to both. This is mainly useful for making some instructions
 /// kernel-only, while still decoding to invalid for the user. We do this by
 /// making one kernel-only block and another user-only block. The exception is
 /// the PANIC instruction which is user-only without a corresponding kernel
 /// block. This makes the proof unverifiable when PANIC is executed in kernel
 /// mode, which is the intended behavior.
+///
 /// Note: invalid opcodes are not represented here. _Any_ opcode is permitted to
 /// decode to `is_invalid`. The kernel then verifies that the opcode was
 /// _actually_ invalid.

evm_arithmetization/src/cpu/kernel/aggregator.rs

@@ -64,7 +64,10 @@ pub(crate) fn combined_kernel() -> Kernel {
         include_str!("asm/curve/bn254/curve_arithmetic/msm.asm"),
         include_str!("asm/curve/bn254/curve_arithmetic/pairing.asm"),
         include_str!("asm/curve/bn254/curve_arithmetic/precomputation.asm"),
-        include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve.asm"),
+        include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve_add.asm"),
+        include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve_checks.asm"),
+        include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve_endomorphism.asm"),
+        include_str!("asm/curve/bn254/curve_arithmetic/twisted_curve_mul.asm"),
         include_str!("asm/curve/bn254/field_arithmetic/degree_6_mul.asm"),
         include_str!("asm/curve/bn254/field_arithmetic/degree_12_mul.asm"),
         include_str!("asm/curve/bn254/field_arithmetic/frobenius.asm"),

evm_arithmetization/src/cpu/kernel/asm/core/access_lists.asm

@@ -63,17 +63,22 @@ global init_access_lists:
     POP
 %endmacro
 
-// Multiply the ptr at the top of the stack by 2
-// and abort if 2*ptr - @SEGMENT_ACCESSED_ADDRESSES >= @GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN
-// In this way ptr must be pointing to the begining of a node.
+// Multiply the value at the top of the stack, denoted by ptr/2, by 2
+// and abort if ptr/2 >= mem[@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN]/2
+// In this way 2*ptr/2 must be pointing to the begining of a node.
 %macro get_valid_addr_ptr
-    // stack: ptr
+    // stack: ptr/2
+    DUP1
+    // stack: ptr/2, ptr/2
+    %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN)
+    // @GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN must be an even number because
+    // both @SEGMENT_ACCESSED_ADDRESSES and the unscaled access addresses list len
+    // must be even numbers
+    %div_const(2)
+    // stack: scaled_len/2, ptr/2, ptr/2
+    %assert_gt
     %mul_const(2)
-    PUSH @SEGMENT_ACCESSED_ADDRESSES
-    DUP2
-    SUB
-    %assert_lt_const(@GLOBAL_METADATA_ACCESSED_ADDRESSES_LEN)
-    // stack: 2*ptr
+    // stack: ptr
 %endmacro
 
 
@@ -205,17 +210,20 @@ global remove_accessed_addresses:
     // stack: cold_access, value_ptr
 %endmacro
 
-// Multiply the ptr at the top of the stack by 4
-// and abort if 4*ptr - SEGMENT_ACCESSED_STORAGE_KEYS >= @GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN
-// In this way ptr must be pointing to the beginning of a node.
+// Multiply the ptr at the top of the stack, denoted by ptr/4, by 4
+// and abort if ptr/4 >= @GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN/4
+// In this way 4*ptr/4 be pointing to the beginning of a node.
 %macro get_valid_storage_ptr
-    // stack: ptr
+    // stack: ptr/4
+    DUP1
+    %mload_global_metadata(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN)
+    // By construction, both @SEGMENT_ACCESSED_STORAGE_KEYS and the unscaled list len
+    // must be multiples of 4
+    %div_const(4)
+    // stack: scaled_len/4, ptr/4, ptr/4
+    %assert_gt
     %mul_const(4)
-    PUSH @SEGMENT_ACCESSED_STORAGE_KEYS
-    DUP2
-    SUB
-    %assert_lt_const(@GLOBAL_METADATA_ACCESSED_STORAGE_KEYS_LEN)
-    // stack: 2*ptr
+    // stack: ptr
 %endmacro
 
 /// Inserts the storage key into the access list if it is not already present.

evm_arithmetization/src/cpu/kernel/asm/core/call_gas.asm

@@ -71,7 +71,13 @@ global xfer_cost:
     %jump(after_xfer_cost)
 xfer_cost_nonzero:
     // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest
-    %add_const(@GAS_CALLVALUE)
+    SWAP5
+    // stack: kexit_info, is_call_or_staticcall, is_call_or_callcode, address, gas, cost, value, retdest
+    PUSH @GAS_CALLVALUE
+    // stack: call_value_gas, kexit_info, is_call_or_staticcall, is_call_or_callcode, address, gas, cost, value, retdest
+    %charge_gas
+    // stack: kexit_info, is_call_or_staticcall, is_call_or_callcode, address, gas, cost, value, retdest
+    SWAP5
     // stack: cost, is_call_or_staticcall, is_call_or_callcode, address, gas, kexit_info, value, retdest
     %jump(after_xfer_cost)
 

evm_arithmetization/src/cpu/kernel/asm/core/precompiles/blake2_f.asm

@@ -141,5 +141,5 @@ blake2_f_contd:
         // stack: addr_(i+1), h_(i+1)', ..., h_7', kexit_info
     %endrep
 
-    // stack: kexit_info    
+    // stack: kexit_info
     %jump(pop_and_return_success)

evm_arithmetization/src/cpu/kernel/asm/core/process_txn.asm

@@ -1,8 +1,6 @@
 // After the transaction data has been parsed into a normalized set of fields
 // (see NormalizedTxnField), this routine processes the transaction.
 
-// TODO: Save checkpoints in @CTX_METADATA_STATE_TRIE_CHECKPOINT_PTR and @SEGMENT_STORAGE_TRIE_CHECKPOINT_PTRS.
-
 // Pre stack: retdest
 // Post stack: success, leftover_gas
 global process_normalized_txn:

evm_arithmetization/src/cpu/kernel/asm/core/touched_addresses.asm

@@ -47,7 +47,6 @@ insert_touched_addresses_found:
 
 /// Remove the address from the list.
 /// Panics if the address is not in the list.
-/// TODO: Unused?
 global remove_touched_addresses:
     // stack: addr, retdest
     %mload_global_metadata(@GLOBAL_METADATA_TOUCHED_ADDRESSES_LEN)

evm_arithmetization/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/curve_add.asm

@@ -10,12 +10,12 @@ global bn_add:
     %bn_check
     // stack: isValid(x0, y0), x0, y0, x1, y1, retdest
     DUP5
-    // stack: x1, isValid(x0, y0), x0, y0, x1, y1, retdest
+    // stack: y1, isValid(x0, y0), x0, y0, x1, y1, retdest
     DUP5
     // stack: x1, y1, isValid(x0, y0), x0, y0, x1, y1, retdest
     %bn_check
     // stack: isValid(x1, y1), isValid(x0, y0), x0, y0, x1, y1, retdest
-    AND
+    MUL // Cheaper than AND
     // stack: isValid(x1, y1) & isValid(x0, y0), x0, y0, x1, y1, retdest
     %jumpi(bn_add_valid_points)
     // stack: x0, y0, x1, y1, retdest

evm_arithmetization/src/cpu/kernel/asm/curve/bn254/curve_arithmetic/pairing.asm

@@ -68,9 +68,16 @@ bn254_input_check:
     // stack: inp_j', inp_j, j, k, inp
     %load_fp254_4
     // stack:    Q_j, inp_j, j, k, inp
+    %dup_bn_g2
+    // stack: Q_j, Q_j, inp_j, j, k, inp
     %bn_check_twisted
-    // stack: valid?, inp_j, j, k, inp
     ISZERO
+    // stack: valid_1?, Q_j, inp_j, j, k, inp
+    %stack (b, Q: 4) -> (Q, b)
+    %bn_check_twisted_subgroup
+    ISZERO
+    // stack: valid_2?, valid_1?, inp_j, j, k, inp
+    ADD // Cheaper than OR
     %jumpi(bn_pairing_invalid_input)
     // stack:         inp_j, j, k, inp
     POP