Barretenberg
The ZK-SNARK library at the core of Aztec
Loading...
Searching...
No Matches
keccak.test.cpp
Go to the documentation of this file.
1#include "barretenberg/crypto/keccak/keccak.hpp"
2#include "../../primitives/plookup/plookup.hpp"
3#include "barretenberg/circuit_checker/circuit_checker.hpp"
4#include "barretenberg/numeric/random/engine.hpp"
5#include "keccak.hpp"
6#include <gtest/gtest.h>
7
8using namespace bb;
9
10using Builder = UltraCircuitBuilder;
11using byte_array = stdlib::byte_array<Builder>;
12using public_witness_t = stdlib::public_witness_t<Builder>;
13using field_ct = stdlib::field_t<Builder>;
14using witness_ct = stdlib::witness_t<Builder>;
15
16namespace {
17auto& engine = numeric::get_debug_randomness();
18}
19
20TEST(stdlib_keccak, keccak_format_input_table)
21{
22 Builder builder = Builder();
23
24 for (size_t i = 0; i < 25; ++i) {
25 uint64_t limb_native = engine.get_random_uint64();
26 field_ct limb(witness_ct(&builder, limb_native));
27 stdlib::plookup_read<Builder>::read_from_1_to_2_table(plookup::KECCAK_FORMAT_INPUT, limb);
28 }
29
30 bool proof_result = CircuitChecker::check(builder);
31 EXPECT_EQ(proof_result, true);
32}
33
34TEST(stdlib_keccak, keccak_format_output_table)
35{
36 Builder builder = Builder();
37
38 for (size_t i = 0; i < 25; ++i) {
39 uint64_t limb_native = engine.get_random_uint64();
40 uint256_t extended_native = stdlib::keccak<Builder>::convert_to_sparse(limb_native);
41 field_ct limb(witness_ct(&builder, extended_native));
42 stdlib::plookup_read<Builder>::read_from_1_to_2_table(plookup::KECCAK_FORMAT_OUTPUT, limb);
43 }
44 bool proof_result = CircuitChecker::check(builder);
45 EXPECT_EQ(proof_result, true);
46}
47
48TEST(stdlib_keccak, keccak_theta_output_table)
49{
50 Builder builder = Builder();
51
52 for (size_t i = 0; i < 25; ++i) {
53 uint256_t extended_native = 0;
54 for (size_t j = 0; j < 8; ++j) {
55 extended_native *= 11;
56 uint64_t base_value = (engine.get_random_uint64() % 11);
57 extended_native += base_value;
58 }
59 field_ct limb(witness_ct(&builder, extended_native));
60 stdlib::plookup_read<Builder>::read_from_1_to_2_table(plookup::KECCAK_THETA_OUTPUT, limb);
61 }
62 bool proof_result = CircuitChecker::check(builder);
63 EXPECT_EQ(proof_result, true);
64}
65
66TEST(stdlib_keccak, keccak_rho_output_table)
67{
68 // TODO(https://github.com/AztecProtocol/barretenberg/issues/662)
69 GTEST_SKIP() << "Bug in constant case?";
70 Builder builder = Builder();
71
72 constexpr_for<0, 25, 1>([&]<size_t i> {
73 uint256_t extended_native = 0;
74 uint256_t binary_native = 0;
75 for (size_t j = 0; j < 64; ++j) {
76 extended_native *= 11;
77 binary_native = binary_native << 1;
78 uint64_t base_value = (engine.get_random_uint64() % 3);
79 extended_native += base_value;
80 binary_native += (base_value & 1);
81 }
82 const size_t left_bits = stdlib::keccak<Builder>::ROTATIONS[i];
83 const size_t right_bits = 64 - left_bits;
84 const uint256_t left = binary_native >> right_bits;
85 const uint256_t right = binary_native - (left << right_bits);
86 const uint256_t binary_rotated = left + (right << left_bits);
87
88 const uint256_t expected_limb = stdlib::keccak<Builder>::convert_to_sparse(binary_rotated);
89 // msb only is correct iff rotation == 0 (no need to get msb for rotated lookups)
90 const uint256_t expected_msb = (binary_native >> 63);
91 field_ct limb(witness_ct(&builder, extended_native));
92 field_ct result_msb;
93 field_ct result_limb = stdlib::keccak<Builder>::normalize_and_rotate<i>(limb, result_msb);
94 EXPECT_EQ(static_cast<uint256_t>(result_limb.get_value()), expected_limb);
95 EXPECT_EQ(static_cast<uint256_t>(result_msb.get_value()), expected_msb);
96 });
97
98 info("num gates = ", builder.get_num_finalized_gates_inefficient());
99 bool proof_result = CircuitChecker::check(builder);
100 EXPECT_EQ(proof_result, true);
101}
102
103TEST(stdlib_keccak, keccak_chi_output_table)
104{
105 static constexpr uint64_t chi_normalization_table[5]{
106 0, // 1 + 2a - b + c => a xor (~b & c)
107 0, 1, 1, 0,
108 };
109 Builder builder = Builder();
110
111 for (size_t i = 0; i < 25; ++i) {
112 uint256_t normalized_native = 0;
113 uint256_t extended_native = 0;
114 uint256_t binary_native = 0;
115 for (size_t j = 0; j < 8; ++j) {
116 extended_native *= 11;
117 normalized_native *= 11;
118 binary_native = binary_native << 1;
119 uint64_t base_value = (engine.get_random_uint64() % 5);
120 extended_native += base_value;
121 normalized_native += chi_normalization_table[base_value];
122 binary_native += chi_normalization_table[base_value];
123 }
124 field_ct limb(witness_ct(&builder, extended_native));
125 const auto accumulators =
126 stdlib::plookup_read<Builder>::get_lookup_accumulators(plookup::KECCAK_CHI_OUTPUT, limb);
127
128 field_ct normalized = accumulators[plookup::ColumnIdx::C2][0];
129 field_ct msb = accumulators[plookup::ColumnIdx::C3][accumulators[plookup::ColumnIdx::C3].size() - 1];
130
131 EXPECT_EQ(static_cast<uint256_t>(normalized.get_value()), normalized_native);
132 EXPECT_EQ(static_cast<uint256_t>(msb.get_value()), binary_native >> 63);
133 }
134 info("num gates = n", builder.get_num_finalized_gates_inefficient());
135 bool proof_result = CircuitChecker::check(builder);
136 EXPECT_EQ(proof_result, true);
137}
138
139// Matches the fuzzer logic
140TEST(stdlib_keccak, permutation_opcode)
141{
142 Builder builder = Builder();
143
144 // Create a random state (25 lanes of 64 bits)
145 std::array<uint64_t, 25> native_state;
146 for (size_t i = 0; i < 25; ++i) {
147 native_state[i] = engine.get_random_uint64();
148 }
149
150 // Run native permutation
151 std::array<uint64_t, 25> expected_state = native_state;
152 ethash_keccakf1600(expected_state.data());
153
154 // Convert state to circuit field elements
155 std::array<field_ct, 25> circuit_state;
156 for (size_t i = 0; i < 25; i++) {
157 circuit_state[i] = witness_ct(&builder, native_state[i]);
158 }
159
160 // Run circuit permutation
161 auto circuit_output = stdlib::keccak<Builder>::permutation_opcode(circuit_state, &builder);
162
163 // Verify circuit correctness
164 bool proof_result = CircuitChecker::check(builder);
165 EXPECT_EQ(proof_result, true);
166
167 // Compare outputs
168 for (size_t i = 0; i < 25; i++) {
169 uint64_t circuit_value = static_cast<uint64_t>(circuit_output[i].get_value());
170 EXPECT_EQ(circuit_value, expected_state[i]);
171 }
172
173 info("num gates = ", builder.get_num_finalized_gates_inefficient());
174}
circuit_checker.hpp
bb::TranslatorCircuitChecker::check
static bool check(const Builder &circuit)
Check the witness satisifies the circuit.
Definition translator_circuit_checker.cpp:20
bb::numeric::RNG::get_random_uint64
virtual uint64_t get_random_uint64()=0
bb::numeric::uint256_t
Definition uint256.hpp:32
bb::stdlib::byte_array
Represents a dynamic array of bytes in-circuit.
Definition byte_array.hpp:28
bb::stdlib::field_t< Builder >
bb::stdlib::field_t::get_value
bb::fr get_value() const
Given a := *this, compute its value given by a.v * a.mul + a.add.
Definition field.cpp:828
bb::stdlib::keccak
KECCAAAAAAAAAAK.
Definition keccak.hpp:25
bb::stdlib::keccak::permutation_opcode
static std::array< field_ct, NUM_KECCAK_LANES > permutation_opcode(std::array< field_ct, NUM_KECCAK_LANES > state, Builder *context)
Definition keccak.cpp:498
bb::stdlib::keccak::convert_to_sparse
static constexpr uint256_t convert_to_sparse(uint256_t input)
Convert a binary integer into a base11 integer.
Definition keccak.hpp:64
bb::stdlib::plookup_read::get_lookup_accumulators
static plookup::ReadData< field_pt > get_lookup_accumulators(const plookup::MultiTableId id, const field_pt &key_a, const field_pt &key_b=0, const bool is_2_to_1_lookup=false)
Definition plookup.cpp:19
bb::stdlib::plookup_read::read_from_1_to_2_table
static field_pt read_from_1_to_2_table(const plookup::MultiTableId id, const field_pt &key_a)
Definition plookup.cpp:89
bb::stdlib::public_witness_t
Definition witness.hpp:59
bb::stdlib::witness_t
Definition witness.hpp:16
info
void info(Args... args)
Definition log.hpp:75
builder
AluTraceBuilder builder
Definition alu.test.cpp:124
ethash_keccakf1600
void ethash_keccakf1600(uint64_t state[25]) NOEXCEPT
Definition keccakf1600.cpp:28
engine
numeric::RNG & engine
Definition eccvm_transcript.test.cpp:295
witness_ct
stdlib::witness_t< Builder > witness_ct
Definition keccak.test.cpp:14
Builder
UltraCircuitBuilder Builder
Definition keccak.test.cpp:10
bb::numeric::get_debug_randomness
RNG & get_debug_randomness(bool reset, std::uint_fast64_t seed)
Definition engine.cpp:190
bb::plookup::KECCAK_FORMAT_INPUT
@ KECCAK_FORMAT_INPUT
Definition types.hpp:119
bb::plookup::KECCAK_FORMAT_OUTPUT
@ KECCAK_FORMAT_OUTPUT
Definition types.hpp:120
bb::plookup::KECCAK_CHI_OUTPUT
@ KECCAK_CHI_OUTPUT
Definition types.hpp:118
bb::plookup::KECCAK_THETA_OUTPUT
@ KECCAK_THETA_OUTPUT
Definition types.hpp:117
bb
Entry point for Barretenberg command-line interface.
Definition api.hpp:5
bb::UltraCircuitBuilder
UltraCircuitBuilder_< UltraExecutionTraceBlocks > UltraCircuitBuilder
Definition circuit_builders_fwd.hpp:24
bb::TEST
TEST(BoomerangMegaCircuitBuilder, BasicCircuit)
Definition graph_description_megacircuitbuilder.test.cpp:22
std::get
constexpr decltype(auto) get(::tuplet::tuple< T... > &&t) noexcept
Definition tuple.hpp:13