2 changes: 1 addition & 1 deletion crypto/ecsm/src/lib.rs
Expand Up @@ -2,7 +2,7 @@
//!
//! This crate is shared by the executor (which needs `k·G`'s x-coordinate to write back
//! to guest memory) and the prover (which replays the full double-and-add sequence to
//! fill the ECSM / ECDAS / EC_SCALAR trace witnesses). Both entry points compute the same
//! fill the ECSM / ECDAS trace witnesses). Both entry points compute the same
//! `k·G` over the audited `k256` curve arithmetic — the executor via `k256`'s scalar
//! multiplication, the prover via a projective double-and-add replay — so the x-coordinate
//! they write/prove agrees. It is also independent of the `yG` root: both recover the same
4 changes: 4 additions & 0 deletions crypto/ecsm/src/witness.rs
Expand Up @@ -38,6 +38,8 @@ pub struct EcsmWitness {
pub q1: [u8; 33],
/// carries for the `yG` relation
pub c1: [i64; 64],
/// `(xG - p) mod 2^256`
pub x_g_sub_p: [u8; 32],
/// `(k - N) mod 2^256`
pub k_sub_n: [u8; 32],
/// `(xR - p) mod 2^256`
Expand Down Expand Up @@ -314,6 +316,7 @@ pub fn compute_witness(k_le: &[u8; 32], xg_le: &[u8; 32]) -> Result<EcsmWitness,
// --- scalar range data ---
let len_k = crate::curve::msb_position(&k) as u8;
let two_256 = BigUint::from(1u8) << 256u32;
let x_g_sub_p = to_le_32(&((&two_256 + &g.x) - p())); // xG < p
let k_sub_n = to_le_32(&((&two_256 + &k) - n())); // k < N

// --- double/add replay ---
Expand All @@ -336,6 +339,7 @@ pub fn compute_witness(k_le: &[u8; 32], xg_le: &[u8; 32]) -> Result<EcsmWitness,
c0,
q1: q1_b,
c1,
x_g_sub_p,
k_sub_n,
x_r_sub_p,
len_k,
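Review bot: The trailing `// xG < p` on the new `x_g_sub_p` line in the second hunk states a precondition the hunk does not enforce; `xg_le` is an arbitrary 32-byte value, and if `g.x` were not already reduced below `p`, `(&two_256 + &g.x) - p()` would be at least 2^256 and `to_le_32` would have to either truncate it silently or panic. Presumably the point decoding earlier in `compute_witness` (outside the hunk) rejects such inputs, but the witness layout now depends on it, so make the invariant explicit at the point of use: `debug_assert!(g.x < p(), "xG must be a reduced field element");` before the subtraction, or extend the comment to name the check that guarantees it. The same applies to the existing `// k < N` line for `k_sub_n`, which shares the pattern. `compute_witness` begins and ends outside the hunk.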
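--- a/executor/src/vm/instruction/execution.rs
+++ b/executor/src/vm/instruction/execution.rs
@@ -412,11 +412,10 @@ impl Instruction {
 {
 return Err(ExecutionError::EcsmAddressOverflow);
 }
-// xG and k are both read at the same proof timestamp, so their
-// 32-byte ranges must be disjoint or the trace is unprovable
-// (MEMW orders accesses per address by strictly increasing
-// timestamp). xR may alias either: its accesses are offset to
-// later timestamps.
+// xG and k must occupy disjoint 32-byte regions: overlapping
+// addresses would cause the same memory byte to serve as both
+// an xG limb and a k bit, corrupting the scalar multiplication.
+// xR may alias either: its accesses are at a later timestamp.
 if addr_xg.abs_diff(addr_k) < 32 {
 return Err(ExecutionError::EcsmOperandOverlap);
 }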
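Review bot: The rewritten comment in this hunk gives a rationale the check does not support: when both operands are read at the same timestamp, aliasing addresses hand the same bytes to both reads, so the executor's scalar multiplication is not corrupted — the removed wording named the actual constraint, MEMW's strictly increasing per-address timestamps, which is what makes an aliasing trace unprovable. If that constraint still holds (the MEMW table is not visible here), the comment should keep it, e.g. `// xG and k are read at the same proof timestamp, and MEMW orders accesses per address by strictly increasing timestamp, so their 32-byte ranges must be disjoint or the trace is unprovable. xR may alias either: its accesses are at a later timestamp.` The `abs_diff(addr_k) < 32` test itself is the correct disjointness condition for two 32-byte ranges. The enclosing method begins and ends outside the hunk.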
15 changes: 5 additions & 10 deletions prover/src/lib.rs
Expand Up @@ -51,9 +51,9 @@ use crate::tables::trace_builder::count_table_lengths;
use crate::tables::types::BusId;
use crate::test_utils::{
E, F, VmAir, create_bitwise_air, create_branch_air, create_bytewise_air, create_commit_air,
create_cpu_air, create_cpu32_air, create_decode_air, create_dvrm_air, create_ec_scalar_air,
create_ecdas_air, create_ecsm_air, create_eq_air, create_halt_air, create_keccak_air,
create_keccak_rc_air, create_keccak_rnd_air, create_load_air, create_lt_air, create_memw_air,
create_cpu_air, create_cpu32_air, create_decode_air, create_dvrm_air, create_ecdas_air,
create_ecsm_air, create_eq_air, create_halt_air, create_keccak_air, create_keccak_rc_air,
create_keccak_rnd_air, create_load_air, create_lt_air, create_memw_air,
create_memw_aligned_air, create_memw_register_air, create_mul_air, create_page_air,
create_register_air, create_shift_air, create_store_air,
};
Expand All @@ -77,8 +77,8 @@ pub struct RuntimePageRange {

/// Number of tables that always contribute exactly one sub-proof, regardless
/// of `TableCounts`: bitwise, decode, halt, commit, keccak, keccak_rnd,
/// keccak_rc, register, ecsm, ec_scalar, ecdas.
pub const FIXED_TABLE_COUNT: usize = 11;
/// keccak_rc, register, ecsm, ecdas.
pub const FIXED_TABLE_COUNT: usize = 10;

/// Number of chunks for each split table.
/// The verifier needs this to reconstruct matching AIRs.
Expand Down Expand Up @@ -252,7 +252,6 @@ pub(crate) struct VmAirs {
pub keccak_rnd: VmAir,
pub keccak_rc: VmAir,
pub ecsm: VmAir,
pub ec_scalar: VmAir,
pub ecdas: VmAir,
pub register: VmAir,
pub pages: Vec<VmAir>,
Expand All @@ -278,7 +277,6 @@ impl VmAirs {
(&self.keccak_rnd, &mut traces.keccak_rnd, &()),
(&self.keccak_rc, &mut traces.keccak_rc, &()),
(&self.ecsm, &mut traces.ecsm, &()),
(&self.ec_scalar, &mut traces.ec_scalar, &()),
(&self.ecdas, &mut traces.ecdas, &()),
(&self.register, &mut traces.register, &()),
];
Expand Down Expand Up @@ -353,7 +351,6 @@ impl VmAirs {
&self.keccak_rnd,
&self.keccak_rc,
&self.ecsm,
&self.ec_scalar,
&self.ecdas,
&self.register,
];
Expand Down Expand Up @@ -503,7 +500,6 @@ impl VmAirs {
tables::keccak_rc::NUM_PRECOMPUTED_COLS,
);
let ecsm = create_ecsm_air(proof_options);
let ec_scalar = create_ec_scalar_air(proof_options);
let ecdas = create_ecdas_air(proof_options);
let register = if let Some((commitment, num_preprocessed_cols)) = register_preprocessed {
create_register_air(proof_options).with_preprocessed(commitment, num_preprocessed_cols)
Expand Down Expand Up @@ -589,7 +585,6 @@ impl VmAirs {
keccak_rnd,
keccak_rc,
ecsm,
ec_scalar,
ecdas,
register,
pages,
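Review bot: `FIXED_TABLE_COUNT` in the second hunk is a hand-maintained literal whose own doc comment says the verifier relies on it to reconstruct matching AIRs, yet nothing ties it to the fixed-table arrays that the fourth and fifth hunks shrink by one entry; this commit updates both sides, but a future table added to one and not the other leaves prover and verifier disagreeing on the sub-proof count with no compile-time or test failure. A cheap guard is `debug_assert_eq!(<fixed_tables_array>.len(), FIXED_TABLE_COUNT);` (placeholder: the array bindings are outside the hunks) immediately after each array literal in those two `VmAirs` methods, or a unit test asserting the equality. The remaining hunks (import list, struct field, constructor, struct literal) are consistent with one another in dropping `ec_scalar`.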