debug

Author: mcalancea

ceno_zkvm/src/instructions.rs

@@ -97,7 +97,14 @@ where
         num_witin: usize,
         steps: Vec<StepRecord>,
         gkr_layout: &mut Self::Layout,
-    ) -> Result<(RowMajorMatrix<E::BaseField>, LkMultiplicity), ZKVMError> {
+    ) -> Result<
+        (
+            RowMajorMatrix<E::BaseField>,
+            GKRCircuitWitness<E>,
+            LkMultiplicity,
+        ),
+        ZKVMError,
+    > {
         let nthreads = max_usable_threads();
         let num_instance_per_batch = if steps.len() > 256 {
             steps.len().div_ceil(nthreads)
@@ -163,6 +170,6 @@ where
             .collect::<Result<(), ZKVMError>>()?;
 
         raw_witin.padding_by_strategy();
-        Ok((raw_witin, lk_multiplicity))
+        Ok((raw_witin, gkr_witness, lk_multiplicity))
     }
 }

ceno_zkvm/src/instructions/riscv/dummy/dummy_ecall.rs

@@ -79,7 +79,7 @@ impl<E: ExtensionField, S: SyscallSpec> Instruction<E> for LargeEcallDummy<E, S>
             .collect::<Result<Vec<_>, _>>()?;
 
         // Temporarily set this to < 24 to avoid cb.num_witin overflow
-        let active_rounds = 0;
+        let active_rounds = 12;
 
         let mut lookups = Vec::with_capacity(
             active_rounds
@@ -187,7 +187,7 @@ impl<E: ExtensionField> GKRIOPInstruction<E> for LargeEcallDummy<E, KeccakSpec>
     ) -> Result<(), ZKVMError> {
         Self::assign_instance(config, instance, lk_multiplicity, step)?;
 
-        let active_rounds = 0;
+        let active_rounds = 12;
         let mut wit_iter = lookups.iter().map(|f| f.to_canonical_u64());
         let mut var_iter = config.lookups.iter();
 
@@ -197,28 +197,29 @@ impl<E: ExtensionField> GKRIOPInstruction<E> for LargeEcallDummy<E, KeccakSpec>
         let mut pop_arg = || -> u64 {
             let wit = wit_iter.next().unwrap();
             let var = var_iter.next().unwrap();
-            // set_val!(instance, var, wit);
-            set_val!(instance, var, 0);
+            set_val!(instance, var, wit);
+            // set_val!(instance, var, 0);
             wit
         };
 
         for _round in 0..active_rounds {
             for _i in 0..AND_LOOKUPS_PER_ROUND {
-                // lk_multiplicity.lookup_and_byte(pop_arg(), pop_arg());
-                lk_multiplicity.lookup_and_byte(0, 0);
-                pop_arg();
-                pop_arg();
+                lk_multiplicity.lookup_and_byte(pop_arg(), pop_arg());
+                // lk_multiplicity.lookup_and_byte(0, 0);
+                // pop_arg();
+                // pop_arg();
                 pop_arg();
             }
             for _i in 0..XOR_LOOKUPS_PER_ROUND {
-                lk_multiplicity.lookup_xor_byte(0, 0);
-                pop_arg();
-                pop_arg();
+                lk_multiplicity.lookup_xor_byte(pop_arg(), pop_arg());
+                // lk_multiplicity.lookup_xor_byte(0, 0);
+                // pop_arg();
+                // pop_arg();
                 pop_arg();
             }
             for _i in 0..RANGE_LOOKUPS_PER_ROUND {
-                lk_multiplicity.assert_ux::<16>(0);
-                pop_arg();
+                lk_multiplicity.assert_ux::<16>(pop_arg());
+                // pop_arg();
             }
         }
 

ceno_zkvm/src/instructions/riscv/rv32im.rs

@@ -466,6 +466,7 @@ pub struct DummyExtraConfig<E: ExtensionField> {
 impl<E: ExtensionField> DummyExtraConfig<E> {
     pub fn construct_circuits(cs: &mut ZKVMConstraintSystem<E>) -> Self {
         let ecall_config = cs.register_opcode_circuit::<EcallDummy<E>>();
+        // let keccak_config = cs.register_opcode_circuit::<LargeEcallDummy<E, KeccakSpec>>();
         let keccak_config = cs.register_keccakf_circuit();
         let secp256k1_add_config =
             cs.register_opcode_circuit::<LargeEcallDummy<E, Secp256k1AddSpec>>();
@@ -510,9 +511,10 @@ impl<E: ExtensionField> DummyExtraConfig<E> {
     ) {
         fixed.register_opcode_circuit::<EcallDummy<E>>(cs);
         fixed.register_keccakf_circuit(cs);
+        // fixed.register_opcode_circuit::<LargeEcallDummy<E, KeccakSpec>>(cs);
         fixed.register_opcode_circuit::<LargeEcallDummy<E, Secp256k1AddSpec>>(cs);
-        fixed.register_opcode_circuit::<LargeEcallDummy<E, Secp256k1DoubleSpec>>(cs);
         fixed.register_opcode_circuit::<LargeEcallDummy<E, Secp256k1DecompressSpec>>(cs);
+        fixed.register_opcode_circuit::<LargeEcallDummy<E, Secp256k1DoubleSpec>>(cs);
         fixed.register_opcode_circuit::<LargeEcallDummy<E, Sha256ExtendSpec>>(cs);
         fixed.register_opcode_circuit::<LargeEcallDummy<E, Bn254AddSpec>>(cs);
         fixed.register_opcode_circuit::<LargeEcallDummy<E, Bn254DoubleSpec>>(cs);
@@ -564,6 +566,12 @@ impl<E: ExtensionField> DummyExtraConfig<E> {
 
         witness.assign_keccakf_circuit(cs, &self.keccak_config, keccak_steps)?;
 
+        // witness.assign_opcode_circuit::<LargeEcallDummy<E, KeccakSpec>>(
+        //    cs,
+        //    &self.keccak_config,
+        //    keccak_steps,
+        //)?;
+
         witness.assign_opcode_circuit::<LargeEcallDummy<E, Secp256k1AddSpec>>(
             cs,
             &self.secp256k1_add_config,

ceno_zkvm/src/scheme/prover.rs

@@ -1,5 +1,6 @@
 use ceno_emul::KeccakSpec;
 use ff_ext::ExtensionField;
+use gkr_iop::gkr::GKRCircuitWitness;
 use std::{
     collections::{BTreeMap, BTreeSet, HashMap},
     sync::Arc,
@@ -99,6 +100,7 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
         let mut commitments = BTreeMap::new();
         let mut wits = BTreeMap::new();
         let mut structural_wits = BTreeMap::new();
+        let mut keccak_gkr_wit = Some(witnesses.keccak_gkr_wit.clone());
 
         let commit_to_traces_span = entered_span!("commit_to_traces", profiling_1 = true);
         // commit to opcode circuits first and then commit to table circuits, sorted by name
@@ -180,10 +182,7 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
                 && cs.r_table_expressions.is_empty()
                 && cs.w_table_expressions.is_empty();
 
-            if *circuit_name == <LargeEcallDummy<E, KeccakSpec> as Instruction<E>>::name() {
-                // unimplemented!("keccak impl wip");
-                ()
-            } else if is_opcode_circuit {
+            if is_opcode_circuit {
                 tracing::debug!(
                     "opcode circuit {} has {} witnesses, {} reads, {} writes, {} lookups",
                     circuit_name,
@@ -197,7 +196,7 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
                 let gkr_iop_pk = if *circuit_name
                     == <LargeEcallDummy<E, KeccakSpec> as Instruction<E>>::name()
                 {
-                    Some(self.pk.keccak_pk.clone())
+                    Some((self.pk.keccak_pk.clone(), keccak_gkr_wit.take().unwrap()))
                 } else {
                     None
                 };
@@ -266,7 +265,10 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
         name: &str,
         pp: &PCS::ProverParam,
         circuit_pk: &ProvingKey<E, PCS>,
-        gkr_iop_pk: &Option<GKRIOPProvingKey<E, PCS, KeccakGKRIOP<E>>>,
+        gkr_iop_pk: &Option<(
+            GKRIOPProvingKey<E, PCS, KeccakGKRIOP<E>>,
+            GKRCircuitWitness<E>,
+        )>,
         witnesses: Vec<ArcMultilinearExtension<'_, E>>,
         wits_commit: PCS::CommitmentWithWitness,
         pi: &[ArcMultilinearExtension<'_, E>],
@@ -279,11 +281,6 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
         let log2_num_instances = ceil_log2(next_pow2_instances);
         let (chip_record_alpha, _) = (challenges[0], challenges[1]);
 
-        // if let Some(gkr_iop_pk) = gkr_iop_pk {
-        //     let mut gkr_iop_pk = gkr_iop_pk.clone();
-        //     unimplemented!("cannot fully handle GKRIOP component yet")
-        // }
-
         // sanity check
         assert_eq!(witnesses.len(), cs.num_witin as usize);
         assert!(
@@ -609,6 +606,18 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
             }
         }
 
+        if let Some((gkr_iop_pk, gkr_wit)) = gkr_iop_pk {
+            let mut gkr_iop_pk = gkr_iop_pk.clone();
+            let gkr_circuit = gkr_iop_pk.vk.get_state().chip.gkr_circuit();
+
+            let mut prover_transcript = transcript::BasicTranscript::<E>::new(b"protocol");
+
+            let gkr_iop::gkr::GKRProverOutput { gkr_proof, .. } = gkr_circuit
+                .prove(wit, &out_evals, &vec![], &mut prover_transcript)
+                .expect("Failed to prove phase");
+            // unimplemented!("cannot fully handle GKRIOP component yet")
+        }
+
         tracing::debug!("main sel sumcheck start");
         let (main_sel_sumcheck_proofs, state) = IOPProverState::prove_batch_polys(
             num_threads,
@@ -653,6 +662,12 @@ impl<E: ExtensionField, PCS: PolynomialCommitmentScheme<E>> ZKVMProver<E, PCS> {
                     distrinct_zerocheck_terms_set.len() + 1
                 }
         );
+
+        // if let Some(gkr_iop_pk) = gkr_iop_pk {
+        //     let mut gkr_iop_pk = gkr_iop_pk.clone();
+        //     unimplemented!("cannot fully handle GKRIOP component yet")
+        // }
+
         let input_open_point = main_sel_sumcheck_proofs.point.clone();
         assert!(input_open_point.len() == log2_num_instances);
         exit_span!(main_sel_span);

ceno_zkvm/src/structs.rs

@@ -11,6 +11,7 @@ use ceno_emul::{CENO_PLATFORM, KeccakSpec, Platform, StepRecord};
 use ff_ext::ExtensionField;
 use gkr_iop::{
     ProtocolWitnessGenerator,
+    gkr::GKRCircuitWitness,
     precompiles::{KeccakLayout, KeccakTrace},
 };
 use itertools::{Itertools, chain};
@@ -343,7 +344,7 @@ impl<E: ExtensionField> ZKVMFixedTraces<E> {
 
 #[derive(Default, Clone)]
 pub struct ZKVMWitnesses<E: ExtensionField> {
-    keccak_phase1wit: Vec<Vec<E::BaseField>>,
+    pub keccak_gkr_wit: GKRCircuitWitness<E>,
     witnesses_opcodes: BTreeMap<String, RowMajorMatrix<E::BaseField>>,
     witnesses_tables: BTreeMap<String, RMMCollections<E::BaseField>>,
     lk_mlts: BTreeMap<String, LkMultiplicity>,
@@ -374,13 +375,14 @@ impl<E: ExtensionField> ZKVMWitnesses<E> {
         let cs = css
             .get_cs(&LargeEcallDummy::<E, KeccakSpec>::name())
             .unwrap();
-        let (witness, logup_multiplicity) =
+        let (witness, gkr_witness, logup_multiplicity) =
             LargeEcallDummy::<E, KeccakSpec>::assign_instances_with_gkr_iop(
                 config,
                 cs.num_witin as usize,
                 records,
                 &mut css.keccak_gkr_iop.layout,
             )?;
+        self.keccak_gkr_wit = gkr_witness;
 
         // // Intercept row-major matrix, convert into KeccakTrace and obtain phase1_wit
         // self.keccak_phase1wit = css

gkr_iop/src/gkr.rs

@@ -22,7 +22,7 @@ pub struct GKRCircuit {
     pub ext_openings: Vec<(usize, EvalExpression)>,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct GKRCircuitWitness<E: ExtensionField> {
     pub layers: Vec<LayerWitness<E>>,
 }
@@ -85,7 +85,7 @@ impl GKRCircuit {
         let mut challenges = challenges.to_vec();
         let mut evaluations = out_evals.to_vec();
         evaluations.resize(self.n_evaluations, PointAndEval::default());
-        for (layer, layer_proof) in izip!(self.layers.clone(), sumcheck_proofs) {
+        for (layer, layer_proof) in izip!(&self.layers, sumcheck_proofs) {
             layer.verify(layer_proof, &mut evaluations, &mut challenges, transcript)?;
         }
 

gkr_iop/src/gkr/layer.rs

@@ -53,7 +53,7 @@ pub struct Layer {
     pub expr_names: Vec<String>,
 }
 
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, Default)]
 pub struct LayerWitness<E: ExtensionField> {
     pub bases: Vec<Vec<E::BaseField>>,
     pub exts: Vec<Vec<E>>,

gkr_iop/src/precompiles/faster_keccak.rs

@@ -314,6 +314,8 @@ pub const AND_LOOKUPS_PER_ROUND: usize = 200;
 pub const XOR_LOOKUPS_PER_ROUND: usize = 608;
 pub const RANGE_LOOKUPS_PER_ROUND: usize = 290;
 pub const LOOKUPS_PER_ROUND: usize =
+    AND_LOOKUPS_PER_ROUND + XOR_LOOKUPS_PER_ROUND + RANGE_LOOKUPS_PER_ROUND;
+pub const LOOKUP_FELTS_PER_ROUND: usize =
     3 * AND_LOOKUPS_PER_ROUND + 3 * XOR_LOOKUPS_PER_ROUND + RANGE_LOOKUPS_PER_ROUND;
 
 pub const AND_LOOKUPS: usize = ROUNDS * AND_LOOKUPS_PER_ROUND;
@@ -348,14 +350,15 @@ impl<E: ExtensionField> ProtocolBuilder for KeccakLayout<E> {
 
     fn build_gkr_phase(&mut self, chip: &mut Chip) {
         let final_outputs =
-            chip.allocate_output_evals::<{ KECCAK_OUTPUT_SIZE + KECCAK_INPUT_SIZE + LOOKUPS_PER_ROUND * ROUNDS }>();
+            chip.allocate_output_evals::<{ KECCAK_OUTPUT_SIZE + KECCAK_INPUT_SIZE + LOOKUP_FELTS_PER_ROUND * ROUNDS }>();
 
         let mut final_outputs_iter = final_outputs.iter();
 
         let [keccak_output32, keccak_input32, lookup_outputs] = [
             KECCAK_OUTPUT_SIZE,
             KECCAK_INPUT_SIZE,
-            LOOKUPS_PER_ROUND * ROUNDS,
+            //LOOKUPS_PER_ROUND
+            LOOKUP_FELTS_PER_ROUND * ROUNDS,
         ]
         .map(|many| final_outputs_iter.by_ref().take(many).collect_vec());
 
@@ -656,12 +659,18 @@ impl<E: ExtensionField> ProtocolBuilder for KeccakLayout<E> {
                 let beta = Constant::Base(0);
 
                 // Send all lookups to the final output layer
+                // for (i, lookup) in chain!(and_lookups, xor_lookups, range_lookups)
+                //     .flatten()
+                //     .enumerate()
+                // {
+                //     expressions.push(lookup.clone());
                 for (i, lookup) in chain!(and_lookups, xor_lookups, range_lookups)
                     .flatten()
                     .enumerate()
                 {
-                    expressions.push(lookup.clone());
-                    expr_names.push(format!("{i}th: {:?}", lookup));
+                    expressions.push(lookup);
+                    //expressions.push(lookup.compress(alpha.clone(), beta.clone()));
+                    expr_names.push(format!("{i}th: aha"));
                     evals.push(lookup_outputs[lookup_index].clone());
                     lookup_index += 1;
                 }
@@ -686,7 +695,7 @@ impl<E: ExtensionField> ProtocolBuilder for KeccakLayout<E> {
             },
         );
 
-        assert!(lookup_index == LOOKUPS_PER_ROUND * ROUNDS);
+        assert!(lookup_index == LOOKUP_FELTS_PER_ROUND * ROUNDS);
 
         let (state8, _) = chip.allocate_wits_in_layer::<200, 0>();
 
@@ -743,16 +752,6 @@ pub struct KeccakTrace {
     pub instances: Vec<[u32; KECCAK_INPUT_SIZE]>,
 }
 
-use p3_field::Field;
-
-impl<F: Field> From<RowMajorMatrix<F>> for KeccakTrace {
-    fn from(rmm: RowMajorMatrix<F>) -> Self {
-        // clarify rmm encoding for large_ecall_dummy to obtain input
-        //unimplemented!();
-        KeccakTrace { instances: vec![] }
-    }
-}
-
 impl<E> ProtocolWitnessGenerator<E> for KeccakLayout<E>
 where
     E: ExtensionField,
@@ -842,8 +841,9 @@ where
                 if layer_wits[curr_layer].bases.is_empty() {
                     layer_wits[curr_layer] = LayerWitness::new(nest::<E>(&felts), vec![]);
                 } else {
-                    for (i, bases) in layer_wits[curr_layer].bases.iter_mut().enumerate() {
-                        bases.push(felts[i]);
+                    assert_eq!(felts.len(), layer_wits[curr_layer].bases.len());
+                    for (i, base) in layer_wits[curr_layer].bases.iter_mut().enumerate() {
+                        base.push(felts[i]);
                     }
                 }
                 curr_layer += 1;
@@ -1065,6 +1065,8 @@ where
             );
         }
 
+        dbg!(layer_wits.len());
+
         let len = layer_wits.len() - 1;
         layer_wits[..len].reverse();
 
@@ -1075,7 +1077,6 @@ where
 pub fn run_faster_keccakf(states: Vec<[u64; 25]>, verify: bool, test: bool) -> () {
     let params = KeccakParams {};
     let (layout, chip) = KeccakLayout::build(params);
-    let gkr_circuit = chip.gkr_circuit();
 
     let mut instances = vec![];
     for state in states {
@@ -1094,6 +1095,7 @@ pub fn run_faster_keccakf(states: Vec<[u64; 25]>, verify: bool, test: bool) -> (
         );
     }
 
+    dbg!(instances.len());
     let phase1_witness = layout.phase1_witness(KeccakTrace { instances });
 
     let mut prover_transcript = BasicTranscript::<E>::new(b"protocol");
@@ -1139,6 +1141,11 @@ pub fn run_faster_keccakf(states: Vec<[u64; 25]>, verify: bool, test: bool) -> (
         // }
 
         let len = final_output1.len();
+        assert_eq!(
+            len,
+            KECCAK_INPUT_SIZE + KECCAK_OUTPUT_SIZE + LOOKUP_FELTS_PER_ROUND * ROUNDS
+        );
+        assert!(final_output1.len() == final_output2.len());
         let gkr_outputs = chain!(
             zip(final_output1, once(point1).cycle().take(len)),
             zip(final_output2, once(point2).cycle().take(len))
@@ -1152,6 +1159,8 @@ pub fn run_faster_keccakf(states: Vec<[u64; 25]>, verify: bool, test: bool) -> (
             .collect_vec()
     };
 
+    let gkr_circuit = chip.gkr_circuit();
+    dbg!(&gkr_circuit.layers.len());
     let GKRProverOutput { gkr_proof, .. } = gkr_circuit
         .prove(gkr_witness, &out_evals, &vec![], &mut prover_transcript)
         .expect("Failed to prove phase");