refactor: remove keccak constants from aggregator (#752)

darth-cy · lispc · kunxian-xia · web-flow · commit 1d190ba7bd46 · 2023-08-17T10:12:36.000+08:00
* add row counting interface for keccak * add class level capacity calculator for keccak * remove f capacity from core * remove capacity calculator in aggregator util * remove unnecessary imports * replace max keccak round in core * replace reference for max keccak * remove unnecessary keccak imports and constants * remove max keccak constant * remove constants in hash cell parsing * remove constant column sanity check * add state column usage log * adjust input bytes column * add long column padding * correct fmt * fix fmt * minor fixes * fix * Fix: allow skipping of L1Msg tx part 2 (calculate num_all_txs in tx circuit) (#778) * calculate num_l1_msgs and num_l2_txs in tx circuit * fix * fmt and clippy * fix: non-last tx requires next is calldata * add NumAllTxs in block table and copy it from pi to block table * add lookup for NumAllTxs in tx circuit * clippy * add block num diff check to avoid two real block have same num * clippy * address comments * Fix the bugs in RLP/Tx/PI circuit which are reported by Zellic & KALOS auditors (#572) * fix finding 3 (#575) * Fix zellic finding 4 (#576) * fix finding 3 (#575) * fix finding 4 --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * add range check on diffs (#586) * Fix finding 10 (#578) * fix finding 3 (#575) * fix finding 10 * Fix finding 13 (#579) * fix finding 3 (#575) * fix finding 13 * Fix zellic finding 14 (#580) * fix finding 3 (#575) * fix finding 14 * Fix zellic finding 5 (#584) * fix finding 3 (#575) * fix finding 5 * refine comments * fmt * Fix finding 17 (#602) * add q_last * fix * add more diff range check * fix finding 7 (#625) * tx_id = 1 when sm starts * Fix finding 11 : use length for rlc in rlp table (#719) * fix: use tag_bytes_rlc and tag_length to copy tag's bytes around * fix lookup input for Len & RLC & GasCost fields in tx circuit * refactor * fix * refactor * fix col phase issue * refactor bytes_rlc type * Fix the bugs in Tx & PI circuits reported by Zellic & KALOS auditors (#612) * lookup chain_id to RLP table * fix finding 22 (#614) * fix finding 21 (#613) * fix finding 23 (#618) * fix finding 26 (#622) * fix finding 28 (#624) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix finding 29 (#623) Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * enforce is_final is true at the last row and fix RLC related vul (#735) * Fix finding 30 (#733) * enforce all txs in a block are included in the tx table * clippy --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * Fix Zellic / Kalos finding25 (#619) * fix finding 25 * add comment --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> * fix conflicts --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com> * use q_first instead * fmt --------- Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com> Co-authored-by: Zhang Zhuo <mycinbrin@gmail.com> * add pi comments * rename preimage col idx * add keccak rows check * rename input bytes col finder fn * modify keccak row env constaint * modify keccak row env constaint * add named constant setup vars * modify keccak row check * clippy advised * add comments on chunk hash * fmt * avoid constant lookup table * avoid repetitive computation of input_bytes_col_idx --------- Co-authored-by: Zhuo Zhang <mycinbrin@gmail.com> Co-authored-by: xkx <xiakunxian130@gmail.com> Co-authored-by: Rohit Narurkar <rohit.narurkar@protonmail.com>
diff --git a/aggregator/src/aggregation/config.rs b/aggregator/src/aggregation/config.rs
@@ -83,18 +83,10 @@ impl AggregationConfig {
             params.degree as usize,
         );
 
-        // The current code base is hardcoded for KeccakCircuit configured
-        // with 300 rows and 87 columns per hash call.
         let columns = keccak_circuit_config.cell_manager.columns();
 
-        assert_eq!(
-            columns.len(),
-            87,
-            "cell manager configuration does not match the hard coded setup"
-        );
-
         // enabling equality for preimage column
-        meta.enable_equality(columns[6].advice);
+        meta.enable_equality(columns[keccak_circuit_config.preimage_column_index].advice);
         // enable equality for the digest column
         meta.enable_equality(columns.last().unwrap().advice);
         // enable equality for the data RLC column
diff --git a/aggregator/src/constants.rs b/aggregator/src/constants.rs
@@ -11,15 +11,6 @@ pub(crate) const DIGEST_LEN: usize = 32;
 /// Input length per round
 pub(crate) const INPUT_LEN_PER_ROUND: usize = 136;
 
-// Each round requires (NUM_ROUNDS+1) * DEFAULT_KECCAK_ROWS = 300 rows.
-// This library is hard coded for this parameter.
-// Modifying the following parameters may result into bugs.
-// Adopted from keccak circuit
-pub(crate) const DEFAULT_KECCAK_ROWS: usize = 12;
-// Adopted from keccak circuit
-pub(crate) const NUM_ROUNDS: usize = 24;
-pub(crate) const ROWS_PER_ROUND: usize = (NUM_ROUNDS + 1) * DEFAULT_KECCAK_ROWS;
-
 // TODO(ZZ): update to the right degree
 #[allow(dead_code)]
 pub(crate) const LOG_DEGREE: u32 = 19;
@@ -58,9 +49,3 @@ pub(crate) const BITS: usize = 88;
 /// will be padded.
 // TODO: update me(?)
 pub const MAX_AGG_SNARKS: usize = 10;
-
-/// The number of keccak rounds is the sum of
-/// - batch public input hash: 2 rounds
-/// - chunk's public input hash: 2 * MAX_AGG_SNARKS
-/// - batch data hash: (32 * MAX_AGG_SNARKS)/136 = 3
-pub(crate) const MAX_KECCAK_ROUNDS: usize = 2 * MAX_AGG_SNARKS + 5;
diff --git a/aggregator/src/core.rs b/aggregator/src/core.rs
@@ -23,18 +23,18 @@ use snark_verifier_sdk::{
     Snark,
 };
 use zkevm_circuits::{
-    keccak_circuit::{keccak_packed_multi::multi_keccak, KeccakCircuitConfig},
-    table::LookupTable,
+    keccak_circuit::{
+        keccak_packed_multi::{self, multi_keccak},
+        KeccakCircuit, KeccakCircuitConfig,
+    },
+    table::{KeccakTable, LookupTable},
     util::Challenges,
 };
 
 use crate::{
-    constants::{
-        CHAIN_ID_LEN, DIGEST_LEN, INPUT_LEN_PER_ROUND, LOG_DEGREE, MAX_AGG_SNARKS,
-        MAX_KECCAK_ROUNDS, ROWS_PER_ROUND,
-    },
+    constants::{CHAIN_ID_LEN, DIGEST_LEN, INPUT_LEN_PER_ROUND, LOG_DEGREE, MAX_AGG_SNARKS},
     util::{
-        assert_conditional_equal, assert_equal, assert_exist, get_indices, keccak_round_capacity,
+        assert_conditional_equal, assert_equal, assert_exist, get_indices, get_max_keccak_updates,
         parse_hash_digest_cells, parse_hash_preimage_cells, parse_pi_hash_rlc_cells,
     },
     AggregationConfig, RlcConfig, CHUNK_DATA_HASH_INDEX, POST_STATE_ROOT_INDEX,
@@ -185,7 +185,9 @@ pub(crate) fn extract_hash_cells(
     preimages: &[Vec<u8>],
 ) -> Result<ExtractedHashCells, Error> {
     let mut is_first_time = true;
-    let num_rows = 1 << LOG_DEGREE;
+    let keccak_capacity = KeccakCircuit::<Fr>::capacity_for_row(1 << LOG_DEGREE);
+    let max_keccak_updates = get_max_keccak_updates(MAX_AGG_SNARKS);
+    let keccak_f_rows = keccak_packed_multi::get_num_rows_per_update();
 
     let timer = start_timer!(|| ("multi keccak").to_string());
     // preimages consists of the following parts
@@ -202,7 +204,7 @@ pub(crate) fn extract_hash_cells(
     // (3) batchDataHash preimage =
     //      (chunk[0].dataHash || ... || chunk[k-1].dataHash)
     // each part of the preimage is mapped to image by Keccak256
-    let witness = multi_keccak(preimages, challenges, keccak_round_capacity(num_rows))
+    let witness = multi_keccak(preimages, challenges, keccak_capacity)
         .map_err(|e| Error::AssertionFailure(format!("multi keccak assignment failed: {e:?}")))?;
     end_timer!(timer);
 
@@ -237,21 +239,24 @@ pub(crate) fn extract_hash_cells(
 
                 let timer = start_timer!(|| "assign row");
                 log::trace!("witness length: {}", witness.len());
+                let input_bytes_col_idx =
+                    keccak_packed_multi::get_input_bytes_col_idx_in_cell_manager()
+                        + <KeccakTable as LookupTable<Fr>>::columns(&keccak_config.keccak_table)
+                            .len()
+                        - 1;
                 for (offset, keccak_row) in witness.iter().enumerate() {
                     let row = keccak_config.set_row(&mut region, offset, keccak_row)?;
 
                     if cur_preimage_index.is_some() && *cur_preimage_index.unwrap() == offset {
-                        // 10-th column is Keccak input in Keccak circuit
-                        hash_input_cells.push(row[10].clone());
+                        hash_input_cells.push(row[input_bytes_col_idx].clone());
                         cur_preimage_index = preimage_indices_iter.next();
                     }
                     if cur_digest_index.is_some() && *cur_digest_index.unwrap() == offset {
                         // last column is Keccak output in Keccak circuit
                         hash_output_cells.push(row.last().unwrap().clone()); // sage unwrap
                         cur_digest_index = digest_indices_iter.next();
                     }
-                    if offset % ROWS_PER_ROUND == 0 && offset / ROWS_PER_ROUND <= MAX_KECCAK_ROUNDS
-                    {
+                    if offset % keccak_f_rows == 0 && offset / keccak_f_rows <= max_keccak_updates {
                         // first column is is_final
                         is_final_cells.push(row[0].clone());
                         // second column is data rlc
@@ -268,7 +273,7 @@ pub(crate) fn extract_hash_cells(
                 // sanity
                 assert_eq!(
                     hash_input_cells.len(),
-                    MAX_KECCAK_ROUNDS * INPUT_LEN_PER_ROUND
+                    max_keccak_updates * INPUT_LEN_PER_ROUND
                 );
                 assert_eq!(hash_output_cells.len(), (MAX_AGG_SNARKS + 4) * DIGEST_LEN);
 
diff --git a/aggregator/src/tests/rlc/dynamic_hashes.rs b/aggregator/src/tests/rlc/dynamic_hashes.rs
@@ -9,17 +9,14 @@ use snark_verifier::loader::halo2::halo2_ecc::halo2_base::utils::fs::gen_srs;
 use snark_verifier_sdk::{gen_pk, gen_snark_shplonk, verify_snark_shplonk, CircuitExt};
 use zkevm_circuits::{
     keccak_circuit::{
-        keccak_packed_multi::multi_keccak, KeccakCircuitConfig, KeccakCircuitConfigArgs,
+        keccak_packed_multi::{self, multi_keccak},
+        KeccakCircuit, KeccakCircuitConfig, KeccakCircuitConfigArgs,
     },
     table::{KeccakTable, LookupTable},
     util::{Challenges, SubCircuitConfig},
 };
 
-use crate::{
-    aggregation::RlcConfig,
-    constants::{LOG_DEGREE, ROWS_PER_ROUND},
-    util::keccak_round_capacity,
-};
+use crate::{aggregation::RlcConfig, constants::LOG_DEGREE};
 
 #[derive(Default, Debug, Clone)]
 struct DynamicHashCircuit {
@@ -78,6 +75,7 @@ impl Circuit<Fr> for DynamicHashCircuit {
         mut layouter: impl Layouter<Fr>,
     ) -> Result<(), Error> {
         let (config, challenges) = config;
+        let keccak_f_rows = keccak_packed_multi::get_num_rows_per_update();
 
         config
             .keccak_circuit_config
@@ -95,7 +93,7 @@ impl Circuit<Fr> for DynamicHashCircuit {
         let witness = multi_keccak(
             &[hash_preimage.clone()],
             challenge,
-            keccak_round_capacity(1 << LOG_DEGREE),
+            KeccakCircuit::<Fr>::capacity_for_row(1 << LOG_DEGREE),
         )
         .unwrap();
 
@@ -113,7 +111,7 @@ impl Circuit<Fr> for DynamicHashCircuit {
                         config
                             .keccak_circuit_config
                             .set_row(&mut region, offset, keccak_row)?;
-                    if offset % ROWS_PER_ROUND == 0 && data_rlc_cells.len() < 4 {
+                    if offset % keccak_f_rows == 0 && data_rlc_cells.len() < 4 {
                         // second element is data rlc
                         data_rlc_cells.push(row[1].clone());
                     }
diff --git a/aggregator/src/util.rs b/aggregator/src/util.rs
@@ -1,3 +1,7 @@
+use crate::{
+    aggregation::RlcConfig,
+    constants::{DIGEST_LEN, INPUT_LEN_PER_ROUND, MAX_AGG_SNARKS},
+};
 use eth_types::Field;
 use halo2_proofs::{
     circuit::{AssignedCell, Region},
@@ -9,29 +13,35 @@ use snark_verifier::loader::halo2::halo2_ecc::halo2_base::{
     gates::{flex_gate::FlexGateConfig, GateInstructions},
     AssignedValue, Context,
 };
-
-use crate::{
-    aggregation::RlcConfig,
-    constants::{DIGEST_LEN, INPUT_LEN_PER_ROUND, MAX_AGG_SNARKS},
-    DEFAULT_KECCAK_ROWS, NUM_ROUNDS,
+use zkevm_circuits::keccak_circuit::keccak_packed_multi::{
+    get_num_rows_per_round, get_num_rows_per_update,
 };
 
-use std::env::var;
+// Calculates the maximum keccak updates (1 absorb, or 1 f-box invoke)
+// needed for the number of snarks
+pub(crate) fn get_max_keccak_updates(max_snarks: usize) -> usize {
+    // The public input hash for the batch is derived from hashing
+    // chain_id || chunk_0's prev_state || chunk_k-1's post_state ||
+    // chunk_k-1's withdraw_root || batch_data_hash.
+    // In total there're 168 bytes. Therefore 2 pi rounds are required.
+    let pi_rounds = 2;
+    // Hash for each chunk is derived from hashing the chunk's
+    // chain_id || prev_state || post_state || withdraw_root || data_hash
+    // Each chunk hash therefore also requires 2 keccak rounds for 168 bytes.
+    let chunk_hash_rounds = 2 * max_snarks;
+    let data_hash_rounds = get_data_hash_keccak_updates(max_snarks);
 
-pub(crate) fn keccak_round_capacity(num_rows: usize) -> Option<usize> {
-    if num_rows > 0 {
-        // Subtract two for unusable rows
-        Some(num_rows / ((NUM_ROUNDS + 1) * get_num_rows_per_round()) - 2)
-    } else {
-        None
-    }
+    pi_rounds + chunk_hash_rounds + data_hash_rounds
 }
+pub(crate) fn get_data_hash_keccak_updates(max_snarks: usize) -> usize {
+    let data_hash_rounds = (32 * max_snarks) / INPUT_LEN_PER_ROUND;
+    let padding_round = if data_hash_rounds * INPUT_LEN_PER_ROUND < 32 * max_snarks {
+        1
+    } else {
+        0
+    };
 
-pub(crate) fn get_num_rows_per_round() -> usize {
-    var("KECCAK_ROWS")
-        .unwrap_or_else(|_| format!("{DEFAULT_KECCAK_ROWS}"))
-        .parse()
-        .expect("Cannot parse KECCAK_ROWS env var as usize")
+    data_hash_rounds + padding_round
 }
 
 /// Return
@@ -42,9 +52,14 @@ pub(crate) fn get_indices(preimages: &[Vec<u8>]) -> (Vec<usize>, Vec<usize>) {
     let mut digest_indices = vec![];
     let mut round_ctr = 0;
 
+    let keccak_f_rows = get_num_rows_per_update();
+    let inner_round_rows = get_num_rows_per_round();
+
     for preimage in preimages.iter().take(MAX_AGG_SNARKS + 1) {
         //  136 = 17 * 8 is the size in bytes of each
         //  input chunk that can be processed by Keccak circuit using absorb
+
+        //  For example, if num_rows_per_inner_round for Keccak is 12, then
         //  each chunk of size 136 needs 300 Keccak circuit rows to prove
         //  which consists of 12 Keccak rows for each of 24 + 1 Keccak circuit rounds
         //  digest only happens at the end of the last input chunk with
@@ -53,38 +68,47 @@ pub(crate) fn get_indices(preimages: &[Vec<u8>]) -> (Vec<usize>, Vec<usize>) {
         let mut preimage_padded = preimage.clone();
         preimage_padded.resize(INPUT_LEN_PER_ROUND * num_rounds, 0);
         for (i, round) in preimage_padded.chunks(INPUT_LEN_PER_ROUND).enumerate() {
+            let f_round_offset = round_ctr * keccak_f_rows;
             // indices for preimages
             for (j, _chunk) in round.chunks(8).into_iter().enumerate() {
+                let inner_offset = f_round_offset + (j + 1) * inner_round_rows;
                 for k in 0..8 {
-                    preimage_indices.push(round_ctr * 300 + j * 12 + k + 12)
+                    preimage_indices.push(inner_offset + k);
                 }
             }
             // indices for digests
             if i == num_rounds - 1 {
                 for j in 0..4 {
+                    let inner_offset = f_round_offset
+                        + j * inner_round_rows
+                        + (keccak_f_rows - inner_round_rows * (DIGEST_LEN / 8));
                     for k in 0..8 {
-                        digest_indices.push(round_ctr * 300 + j * 12 + k + 252)
+                        digest_indices.push(inner_offset + k);
                     }
                 }
             }
             round_ctr += 1;
         }
     }
     // last hash is for data_hash and has various length, so we output all the possible cells
-    for _i in 0..3 {
+    for _i in 0..get_data_hash_keccak_updates(MAX_AGG_SNARKS) {
         for (j, _) in (0..INPUT_LEN_PER_ROUND)
             .into_iter()
             .chunks(8)
             .into_iter()
             .enumerate()
         {
+            let inner_offset = round_ctr * keccak_f_rows + (j + 1) * inner_round_rows;
             for k in 0..8 {
-                preimage_indices.push(round_ctr * 300 + j * 12 + k + 12)
+                preimage_indices.push(inner_offset + k);
             }
         }
         for j in 0..4 {
+            let inner_offset = round_ctr * keccak_f_rows
+                + j * inner_round_rows
+                + (keccak_f_rows - inner_round_rows * (DIGEST_LEN / 8));
             for k in 0..8 {
-                digest_indices.push(round_ctr * 300 + j * 12 + k + 252)
+                digest_indices.push(inner_offset + k);
             }
         }
         round_ctr += 1;
diff --git a/zkevm-circuits/src/keccak_circuit.rs b/zkevm-circuits/src/keccak_circuit.rs
@@ -65,6 +65,8 @@ pub struct KeccakCircuitConfig<F> {
     normalize_6: [TableColumn; 2],
     chi_base_table: [TableColumn; 2],
     pack_table: [TableColumn; 2],
+    /// The column for enabling copy constraints in aggregator
+    pub preimage_column_index: usize,
     _marker: PhantomData<F>,
 }
 
@@ -138,6 +140,8 @@ impl<F: Field> SubCircuitConfig<F> for KeccakCircuitConfig<F> {
                 s_next[i][j] = cell.at_offset(meta, get_num_rows_per_round() as i32).expr();
             }
         }
+        log::debug!("- Post states:");
+        log::debug!("Columns: {}", cell_manager.get_width());
         // Absorb data
         let absorb_from = cell_manager.query_cell(meta);
         let absorb_data = cell_manager.query_cell(meta);
@@ -185,6 +189,7 @@ impl<F: Field> SubCircuitConfig<F> for KeccakCircuitConfig<F> {
         log::debug!("- Post absorb:");
         log::debug!("Lookups: {}", lookup_counter);
         log::debug!("Columns: {}", cell_manager.get_width());
+        let preimage_column_index: usize = cell_manager.get_width() + 1;
         total_lookup_counter += lookup_counter;
 
         // Process inputs.
@@ -863,6 +868,7 @@ impl<F: Field> SubCircuitConfig<F> for KeccakCircuitConfig<F> {
             normalize_6,
             chi_base_table,
             pack_table,
+            preimage_column_index,
             _marker: PhantomData,
         }
     }
@@ -1065,9 +1071,15 @@ impl<F: Field> KeccakCircuit<F> {
 
     /// The number of keccak_f's that can be done in this circuit
     pub fn capacity(&self) -> Option<usize> {
-        if self.num_rows > 0 {
+        Self::capacity_for_row(self.num_rows)
+    }
+
+    /// The number of keccak_f's that can be done for
+    /// a particular row number depending on current Keccak params
+    pub fn capacity_for_row(num_rows: usize) -> Option<usize> {
+        if num_rows > 0 {
             // Subtract two for unusable rows
-            Some(self.num_rows / ((NUM_ROUNDS + 1) * get_num_rows_per_round()) - 2)
+            Some(num_rows / ((NUM_ROUNDS + 1) * get_num_rows_per_round()) - 2)
         } else {
             None
         }
diff --git a/zkevm-circuits/src/keccak_circuit/keccak_packed_multi.rs b/zkevm-circuits/src/keccak_circuit/keccak_packed_multi.rs
diff --git a/zkevm-circuits/src/keccak_circuit/param.rs b/zkevm-circuits/src/keccak_circuit/param.rs
diff --git a/zkevm-circuits/src/keccak_circuit/test.rs b/zkevm-circuits/src/keccak_circuit/test.rs
