feat(sol): sign_gadget

stuarttimwhite · stuarttimwhite · commit b273aebff9ad · 2025-05-22T16:59:56.000-04:00
diff --git a/solidity/src/base/Constants.sol b/solidity/src/base/Constants.sol
@@ -4,6 +4,8 @@ pragma solidity ^0.8.28;
 
 /// @dev The modulus of the bn254 scalar field.
 uint256 constant MODULUS = 0x30644e72_e131a029_b85045b6_8181585d_2833e848_79b97091_43e1f593_f0000001;
+/// @dev The max number of bits a sign expr supports. This is the floor of log base 2 of the max value of bn254.
+uint8 constant MAX_BITS = 253;
 /// @dev The largest mask that can be applied to a 256-bit number in order to enforce that it is less than the modulus.
 uint256 constant MODULUS_MASK = 0x1FFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFF;
 /// @dev MODULUS + 1. Needs to be explicit for Yul usage.
diff --git a/solidity/src/base/Errors.sol b/solidity/src/base/Errors.sol
@@ -55,6 +55,10 @@ uint32 constant ERR_UNSUPPORTED_PROOF_PLAN_VARIANT = 0xe5503cfa;
 uint32 constant ERR_UNSUPPORTED_DATA_TYPE_VARIANT = 0xbd12560e;
 /// @dev Error code for when the evaluation length is too large.
 uint32 constant ERR_EVALUATION_LENGTH_TOO_LARGE = 0xb65e7142;
+/// @dev Error code for when a bit decomposition is invalid.
+uint32 constant ERR_BIT_DECOMPOSITION_INVALID = 0xda443b2b;
+/// @dev Error code for when bits that shouldn't vary do vary.
+uint32 constant ERR_INVALID_VARYING_BITS = 0x76d56a3d;
 
 library Errors {
     /// @notice Error thrown when the inputs to the ECADD precompile are invalid.
@@ -110,6 +114,10 @@ library Errors {
     error UnsupportedDataTypeVariant();
     /// @notice Error thrown when the evaluation length is too large.
     error EvaluationLengthTooLarge();
+    /// @notice Error thrown when a bit decomposition is invalid.
+    error BitDecompositionInvalid();
+    /// @notice Error thrown when bits that shouldn't vary do vary.
+    error InvalidVaryingBits();
 
     function __err(uint32 __code) internal pure {
         assembly {
diff --git a/solidity/src/proof_gadgets/SignExpr.pre.sol b/solidity/src/proof_gadgets/SignExpr.pre.sol
@@ -0,0 +1,132 @@
+// SPDX-License-Identifier: UNLICENSED
+// This is licensed under the Cryptographic Open Software License 1.0
+pragma solidity ^0.8.28;
+
+import "../base/Constants.sol";
+import "../base/Errors.sol";
+import {VerificationBuilder} from "../builder/VerificationBuilder.pre.sol";
+
+/// @title SignExpr
+/// @dev Library for handling the sign of an evaluation
+library SignExpr {
+    /// @notice Evaluates a sign expression by finding the sign of an expression evaluation
+    /// @custom:as-yul-wrapper
+    /// #### Wrapped Yul Function
+    /// ##### Signature
+    /// ```yul
+    /// sign_expr_evaluate(expr_eval, builder_ptr, chi_eval) -> eval
+    /// ```
+    /// ##### Parameters
+    /// * `expr_eval` - the expression evaluation
+    /// * `builder_ptr` - memory pointer to the verification builder
+    /// * `chi_eval` - the chi value for evaluation
+    /// ##### Return Values
+    /// * `eval` - the evaluation result from the builder's final round MLE (or bit distribution)
+    /// @notice Evaluates the sign of an expression
+    /// ##### Proof Plan Encoding
+    /// The sign expression is encoded as follows:
+    /// The expression
+    /// @param __exprEval The expression evaluation
+    /// @param __builder The verification builder
+    /// @param __chiEval The chi value for evaluation
+    /// @return __builderOut The verification builder result
+    /// @return __eval The evaluated result
+    function __signExprEvaluate( // solhint-disable-line gas-calldata-parameters
+    uint256 __exprEval, VerificationBuilder.Builder memory __builder, uint256 __chiEval)
+        internal
+        pure
+        returns (VerificationBuilder.Builder memory __builderOut, uint256 __eval)
+    {
+        assembly {
+            // IMPORT-YUL ../base/Errors.sol
+            function err(code) {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/Queue.pre.sol
+            function dequeue(queue_ptr) -> value {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/SwitchUtil.pre.sol
+            function case_const(lhs, rhs) {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../builder/VerificationBuilder.pre.sol
+            function builder_consume_final_round_mle(builder_ptr) -> value {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/Array.pre.sol
+            function get_array_element(arr_ptr, index) -> value {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../builder/VerificationBuilder.pre.sol
+            function builder_consume_bit_distribution(builder_ptr) -> vary_mask, leading_bit_mask {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../builder/VerificationBuilder.pre.sol
+            function builder_produce_identity_constraint(builder_ptr, evaluation, degree) {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/DataType.pre.sol
+            function read_entry(result_ptr, data_type_variant) -> result_ptr_out, entry {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/DataType.pre.sol
+            function read_binary(result_ptr) -> result_ptr_out, entry {
+                revert(0, 0)
+            }
+            // IMPORT-YUL ../base/DataType.pre.sol
+            function read_data_type(ptr) -> ptr_out, data_type {
+                revert(0, 0)
+            }
+
+            function sign_expr_evaluate(expr_eval, builder_ptr, chi_eval) -> result_eval {
+                let vary_mask
+                let leading_bit_mask
+                vary_mask, leading_bit_mask := builder_consume_bit_distribution(builder_ptr)
+                let leading_bit_inverse_mask := shr(1, shl(1, xor(not(vary_mask), leading_bit_mask)))
+                let sign_eval := shr(255, leading_bit_mask)
+                let rhs_eval := 0
+
+                for { let i := 0 } lt(i, 256) { i := add(i, 1) } {
+                    if eq(and(vary_mask, shl(i, 1)), shl(i, 1)) {
+                        // For any varying bits...
+                        let bit_eval := builder_consume_final_round_mle(builder_ptr)
+                        builder_produce_identity_constraint(
+                            builder_ptr,
+                            addmod(
+                                bit_eval,
+                                mulmod(MODULUS_MINUS_ONE, mulmod(bit_eval, bit_eval, MODULUS), MODULUS),
+                                MODULUS
+                            ),
+                            2
+                        )
+
+                        if eq(i, 255) { sign_eval := bit_eval }
+                        if iszero(eq(i, 255)) {
+                            if gt(i, MAX_BITS) { err(ERR_INVALID_VARYING_BITS) }
+                            rhs_eval := addmod(rhs_eval, mulmod(bit_eval, shl(i, 1), MODULUS), MODULUS)
+                        }
+                    }
+                }
+                rhs_eval := addmod(rhs_eval, mulmod(sign_eval, leading_bit_mask, MODULUS), MODULUS)
+                rhs_eval :=
+                    addmod(
+                        rhs_eval,
+                        mulmod(
+                            addmod(chi_eval, mulmod(MODULUS_MINUS_ONE, sign_eval, MODULUS), MODULUS),
+                            leading_bit_inverse_mask,
+                            MODULUS
+                        ),
+                        MODULUS
+                    )
+                rhs_eval :=
+                    addmod(rhs_eval, mulmod(mulmod(MODULUS_MINUS_ONE, chi_eval, MODULUS), shl(255, 1), MODULUS), MODULUS)
+                if iszero(eq(rhs_eval, expr_eval)) { err(ERR_BIT_DECOMPOSITION_INVALID) }
+                result_eval := sign_eval
+            }
+
+            __eval := sign_expr_evaluate(__exprEval, __builder, __chiEval)
+        }
+        __builderOut = __builder;
+    }
+}
diff --git a/solidity/test/proof_gadgets/SignExpr.t.pre.sol b/solidity/test/proof_gadgets/SignExpr.t.pre.sol
@@ -0,0 +1,177 @@
+// SPDX-License-Identifier: UNLICENSED
+// This is licensed under the Cryptographic Open Software License 1.0
+pragma solidity ^0.8.28;
+
+import {Test} from "forge-std/Test.sol";
+import "../../src/base/Constants.sol";
+import {Errors} from "../../src/base/Errors.sol";
+import {VerificationBuilder} from "../../src/builder/VerificationBuilder.pre.sol";
+import {SignExpr} from "../../src/proof_gadgets/SignExpr.pre.sol";
+import {F} from "../base/FieldUtil.sol";
+
+contract SignExprTest is Test {
+    function testSimpleAndExpr() public pure {
+        VerificationBuilder.Builder memory builder;
+        uint256[] memory bitDistribution = new uint256[](2);
+        bitDistribution[0] = 0x800000000000000000000000000000000000000000000000000000000000007D;
+        bitDistribution[1] = 0x8000000000000000000000000000000000000000000000000000000000000002;
+        VerificationBuilder.__setBitDistributions(builder, bitDistribution);
+        builder.maxDegree = 3;
+        builder.constraintMultipliers = new uint256[](7);
+        builder.constraintMultipliers[0] = 5;
+        builder.constraintMultipliers[1] = 5;
+        builder.constraintMultipliers[2] = 5;
+        builder.constraintMultipliers[3] = 5;
+        builder.constraintMultipliers[4] = 5;
+        builder.constraintMultipliers[5] = 5;
+        builder.constraintMultipliers[6] = 5;
+        builder.aggregateEvaluation = 0;
+        builder.rowMultipliersEvaluation = addmod(MODULUS, mulmod(MODULUS_MINUS_ONE, 2, MODULUS), MODULUS);
+
+        int64[4] memory evaluationVector = [int64(700), -6, 3007, 134562844];
+
+        int64[4][10] memory vectorsToEvaluate = [
+            [int64(106), 23, -60, -76],
+            [int64(1), 1, 1, 1],
+            [int64(0), 1, 0, 0],
+            [int64(0), 1, 1, 1],
+            [int64(1), 0, 0, 0],
+            [int64(0), 1, 0, 1],
+            [int64(1), 0, 0, 1],
+            [int64(1), 0, 1, 0],
+            [int64(1), 1, 0, 0],
+            [int64(1), 1, 0, 0]
+        ];
+
+        uint256[] memory evaluations = new uint256[](10);
+
+        for (uint8 i = 0; i < 10; ++i) {
+            int64 evaluation = 0;
+            for (uint8 j = 0; j < 4; ++j) {
+                evaluation += evaluationVector[j] * vectorsToEvaluate[i][j];
+            }
+            evaluations[i] = F.from(evaluation).into();
+        }
+
+        uint256[] memory finalRoundMles = new uint256[](7);
+        for (uint8 i = 2; i < 9; ++i) {
+            finalRoundMles[i - 2] = evaluations[i];
+        }
+
+        VerificationBuilder.__setFinalRoundMLEs(builder, finalRoundMles);
+
+        uint256 signEval;
+        (builder, signEval) = SignExpr.__signExprEvaluate(evaluations[0], builder, evaluations[1]);
+        assert(signEval == evaluations[9]);
+    }
+
+    /// forge-config: default.allow_internal_expect_revert = true
+    function testIncorrectBitDecomposition() public {
+        VerificationBuilder.Builder memory builder;
+        uint256[] memory bitDistribution = new uint256[](2);
+        bitDistribution[0] = 0x800000000000000000000000000000000000000000000000000000000000007D;
+        bitDistribution[1] = 0x8000000000000000000000000000000000000000000000000000000000000002;
+        VerificationBuilder.__setBitDistributions(builder, bitDistribution);
+        builder.maxDegree = 3;
+        builder.constraintMultipliers = new uint256[](7);
+        builder.constraintMultipliers[0] = 5;
+        builder.constraintMultipliers[1] = 5;
+        builder.constraintMultipliers[2] = 5;
+        builder.constraintMultipliers[3] = 5;
+        builder.constraintMultipliers[4] = 5;
+        builder.constraintMultipliers[5] = 5;
+        builder.constraintMultipliers[6] = 5;
+        builder.aggregateEvaluation = 0;
+        builder.rowMultipliersEvaluation = addmod(MODULUS, mulmod(MODULUS_MINUS_ONE, 2, MODULUS), MODULUS);
+
+        int64[4] memory evaluationVector = [int64(700), -6, 3007, 134562844];
+
+        int64[4][10] memory vectorsToEvaluate = [
+            [int64(106), 23, -60, -76],
+            [int64(1), 1, 1, 1],
+            [int64(0), 2, 0, 0],
+            [int64(0), 1, 1, 1],
+            [int64(1), 0, 0, 0],
+            [int64(0), 1, 0, 1],
+            [int64(1), 0, 0, 1],
+            [int64(1), 0, 1, 0],
+            [int64(1), 1, 0, 0],
+            [int64(1), 1, 0, 0]
+        ];
+
+        uint256[] memory evaluations = new uint256[](10);
+
+        for (uint8 i = 0; i < 10; ++i) {
+            int64 evaluation = 0;
+            for (uint8 j = 0; j < 4; ++j) {
+                evaluation += evaluationVector[j] * vectorsToEvaluate[i][j];
+            }
+            evaluations[i] = F.from(evaluation).into();
+        }
+
+        uint256[] memory finalRoundMles = new uint256[](7);
+        for (uint8 i = 2; i < 9; ++i) {
+            finalRoundMles[i - 2] = evaluations[i];
+        }
+
+        VerificationBuilder.__setFinalRoundMLEs(builder, finalRoundMles);
+
+        vm.expectRevert(Errors.BitDecompositionInvalid.selector);
+        SignExpr.__signExprEvaluate(evaluations[0], builder, evaluations[1]);
+    }
+
+    /// forge-config: default.allow_internal_expect_revert = true
+    function testBitDecompositionWithInvalidBits() public {
+        VerificationBuilder.Builder memory builder;
+        uint256[] memory bitDistribution = new uint256[](2);
+        bitDistribution[0] = 0xFF00000000000000000000000000000000000000000000000000000000000000;
+        bitDistribution[1] = 0x8000000000000000000000000000000000000000000000000000000000000002;
+        VerificationBuilder.__setBitDistributions(builder, bitDistribution);
+        builder.maxDegree = 3;
+        builder.constraintMultipliers = new uint256[](7);
+        builder.constraintMultipliers[0] = 5;
+        builder.constraintMultipliers[1] = 5;
+        builder.constraintMultipliers[2] = 5;
+        builder.constraintMultipliers[3] = 5;
+        builder.constraintMultipliers[4] = 5;
+        builder.constraintMultipliers[5] = 5;
+        builder.constraintMultipliers[6] = 5;
+        builder.aggregateEvaluation = 0;
+        builder.rowMultipliersEvaluation = addmod(MODULUS, mulmod(MODULUS_MINUS_ONE, 2, MODULUS), MODULUS);
+
+        int64[4] memory evaluationVector = [int64(700), -6, 3007, 134562844];
+
+        int64[4][10] memory vectorsToEvaluate = [
+            [int64(106), 23, -60, -76],
+            [int64(1), 1, 1, 1],
+            [int64(0), 2, 0, 0],
+            [int64(0), 1, 1, 1],
+            [int64(1), 0, 0, 0],
+            [int64(0), 1, 0, 1],
+            [int64(1), 0, 0, 1],
+            [int64(1), 0, 1, 0],
+            [int64(1), 1, 0, 0],
+            [int64(1), 1, 0, 0]
+        ];
+
+        uint256[] memory evaluations = new uint256[](10);
+
+        for (uint8 i = 0; i < 10; ++i) {
+            int64 evaluation = 0;
+            for (uint8 j = 0; j < 4; ++j) {
+                evaluation += evaluationVector[j] * vectorsToEvaluate[i][j];
+            }
+            evaluations[i] = F.from(evaluation).into();
+        }
+
+        uint256[] memory finalRoundMles = new uint256[](7);
+        for (uint8 i = 2; i < 9; ++i) {
+            finalRoundMles[i - 2] = evaluations[i];
+        }
+
+        VerificationBuilder.__setFinalRoundMLEs(builder, finalRoundMles);
+
+        vm.expectRevert(Errors.InvalidVaryingBits.selector);
+        SignExpr.__signExprEvaluate(evaluations[0], builder, evaluations[1]);
+    }
+}
