Halo2 学习笔记——Gadgets 之 SHA-256

Posted 2021-10-21 mutourend

1. 引言

SHA-256详细说明参见 NIST FIPS PUB 180-4。

与该说明书不同之处在于，Halo2中使用 $⊞$ 来表示addition modulo $2^{32}$，$+$ 来表示field addition，$\oplus$ 来表示 XOR。

2. Gadget interface

SHA-256用8个32-bit变量来维护state，其输入为512-bit blocks，内部会将这些blocks切分为32-bit chunks，因此设计了SHA-256 gadget来consume input in 32-bit chunks。

3. Chip instructions

SHA-256 gadget需要具有如下指令的chip：

# extern crate halo2;
# use halo2::plonk::Error;
# use std::fmt;
#
# trait Chip: Sized {}
# trait Layouter<C: Chip> {}
const BLOCK_SIZE: usize = 16;
const DIGEST_SIZE: usize = 8;

pub trait Sha256Instructions: Chip {
    /// Variable representing the SHA-256 internal state.
    type State: Clone + fmt::Debug;
    /// Variable representing a 32-bit word of the input block to the SHA-256 compression
    /// function.
    type BlockWord: Copy + fmt::Debug;

    /// Places the SHA-256 IV in the circuit, returning the initial state variable.
    fn initialization_vector(layouter: &mut impl Layouter<Self>) -> Result<Self::State, Error>;

    /// Starting from the given initial state, processes a block of input and returns the
    /// final state.
    fn compress(
        layouter: &mut impl Layouter<Self>,
        initial_state: &Self::State,
        input: [Self::BlockWord; BLOCK_SIZE],
    ) -> Result<Self::State, Error>;

    /// Converts the given state into a message digest.
    fn digest(
        layouter: &mut impl Layouter<Self>,
        state: &Self::State,
    ) -> Result<[Self::BlockWord; DIGEST_SIZE], Error>;
}

这些指令用于strike a balance between the reusability of the instructions and the scope for chips to internally optimise them。特别地，考虑将compression function 按其组成部分切分为 Ch, Maj等等，并提供a compression function gadget 来实现the round logic。但是，这将阻止chips from using relative references between the various parts of a compression round。采用一个指令来实现所有的compression rounds则类似于the Intel SHA extensions——提供了一个指令来运行多个compression rounds。

4. 16-bit table chip for SHA-256

Halo2中的chip for SHA-256实现是基于a single 16-bit lookup table的。其最少需要$2^{16}$ circuit rows，从而也适合用于larger circuits中。

Halo2中定义的最大constraint degree为$9$，将支持进行constraining carries 和 “small pieces” to a range of up to { 0..7 } \\{0..7\\} {0..7} in one row。

4.1 Compression round

一共有64 compression rounds。每一轮的输入为32-bit values $A,B,C,D,E,F,G,H$，并执行如下操作：
$$\begin{array}{rcl}Ch(E,F,G)& =& (E\wedge F)\oplus (\neg E\wedge G)\\ Maj(A,B,C)& =& (A\wedge B)\oplus (A\wedge C)\oplus (B\wedge C)\\ & =& count(A,B,C)\ge 2\\ {\Sigma }_0(A)& =& (A⋙2)\oplus (A⋙13)\oplus (A⋙22)\\ {\Sigma }_1(E)& =& (E⋙6)\oplus (E⋙11)\oplus (E⋙25)\\ H^{\prime }& =& H+Ch(E,F,G)+{\Sigma }_1(E)+K_t+W_t\\ E_{new}& =& reduc{e}_6(H^{\prime }+D)\\ A_{new}& =& reduc{e}_7(H^{\prime }+Maj(A,B,C)+{\Sigma }_0(A))\end{array}$$
其中 $reduc{e}_i$ 必须handle a carry $0\le carry<i$。

定义$\mathtt{s}\mathtt{p}\mathtt{r}\mathtt{e}\mathtt{a}\mathtt{d}$ 为 a table mapping a $16$-bit input to an output interleaved with zero bits。不需要一个单独的table来进行 range checks 因为可复用 $\mathtt{s}\mathtt{p}\mathtt{r}\mathtt{e}\mathtt{a}\mathtt{d}$。

4.2 Modular addition

对于addition modulo $2^{32}$：
$$a⊞b=c$$
将其切分为$16$-bit chunks表示为：
$$(a_L:{\mathbb{Z}}_{2^{16}},a_H:{\mathbb{Z}}_{2^{16}})⊞(b_L:{\mathbb{Z}}_{2^{16}},b_H:{\mathbb{Z}}_{2^{16}})=(c_L:{\mathbb{Z}}_{2^{16}},c_H:{\mathbb{Z}}_{2^{16}})$$
使用field addition重组表示为：
$$\mathsf{c}\mathsf{a}Halo2\; 学习笔记——设计之Proving\; system之Lookup\; argument$$

Halo2学习笔记——设计之Proof和Field实现

Halo2学习笔记——设计之Proving system

Halo2 学习笔记——设计之Proving system之Permutation argument

Halo2学习笔记——设计之Protocol Description

Halo2 学习笔记——设计之Proving system之Circuit commitments