logos-storage/plonky2
1
0
Fork 0
mirror of https://github.com/logos-storage/plonky2.git synced 2026-01-05 07:13:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #950 from toposware/keccak_sponge

Browse Source 
Implement KeccakSpongeStark constraints and fix associated CTL
This commit is contained in:
Daniel Lubarov 2023-04-09 21:15:39 -07:00 committed by GitHub
commit 8130a8a659
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 232 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
evm/src/all_stark.rs
View File

@ -91,7 +91,6 @@ impl Table {
pub(crate) fn all_cross_table_lookups<F: Field>() -> Vec<CrossTableLookup<F>> {
let mut ctls = vec![ctl_keccak_sponge(), ctl_keccak(), ctl_logic(), ctl_memory()];
// TODO: Some CTLs temporarily disabled while we get them working.
disable_ctl(&mut ctls[0]);
disable_ctl(&mut ctls[3]);
ctls
}

10
evm/src/cpu/kernel/keccak_util.rs
View File

@ -32,24 +32,28 @@ pub(crate) fn keccakf_u8s(state_u8s: &mut [u8; KECCAK_WIDTH_BYTES]) {
mod tests {
use tiny_keccak::keccakf;
use crate::cpu::kernel::keccak_util::keccakf_u32s;
use crate::cpu::kernel::keccak_util::{keccakf_u32s, keccakf_u8s};
#[test]
#[rustfmt::skip]
fn test_consistency() {
// We will hash the same data using keccakf and keccakf_u32s.
// We will hash the same data using keccakf, keccakf_u32s and keccakf_u8s.
// The inputs were randomly generated in Python.
let mut state_u64s: [u64; 25] = [0x5dc43ed05dc64048, 0x7bb9e18cdc853880, 0xc1fde300665b008f, 0xeeab85e089d5e431, 0xf7d61298e9ef27ea, 0xc2c5149d1a492455, 0x37a2f4eca0c2d2f2, 0xa35e50c015b3e85c, 0xd2daeced29446ebe, 0x245845f1bac1b98e, 0x3b3aa8783f30a9bf, 0x209ca9a81956d241, 0x8b8ea714da382165, 0x6063e67e202c6d29, 0xf4bac2ded136b907, 0xb17301b461eae65, 0xa91ff0e134ed747c, 0xcc080b28d0c20f1d, 0xf0f79cbec4fb551c, 0x25e04cb0aa930cad, 0x803113d1b541a202, 0xfaf1e4e7cd23b7ec, 0x36a03bbf2469d3b0, 0x25217341908cdfc0, 0xe9cd83f88fdcd500];
let mut state_u32s: [u32; 50] = [0x5dc64048, 0x5dc43ed0, 0xdc853880, 0x7bb9e18c, 0x665b008f, 0xc1fde300, 0x89d5e431, 0xeeab85e0, 0xe9ef27ea, 0xf7d61298, 0x1a492455, 0xc2c5149d, 0xa0c2d2f2, 0x37a2f4ec, 0x15b3e85c, 0xa35e50c0, 0x29446ebe, 0xd2daeced, 0xbac1b98e, 0x245845f1, 0x3f30a9bf, 0x3b3aa878, 0x1956d241, 0x209ca9a8, 0xda382165, 0x8b8ea714, 0x202c6d29, 0x6063e67e, 0xd136b907, 0xf4bac2de, 0x461eae65, 0xb17301b, 0x34ed747c, 0xa91ff0e1, 0xd0c20f1d, 0xcc080b28, 0xc4fb551c, 0xf0f79cbe, 0xaa930cad, 0x25e04cb0, 0xb541a202, 0x803113d1, 0xcd23b7ec, 0xfaf1e4e7, 0x2469d3b0, 0x36a03bbf, 0x908cdfc0, 0x25217341, 0x8fdcd500, 0xe9cd83f8];
let mut state_u8s: [u8; 200] = [0x48, 0x40, 0xc6, 0x5d, 0xd0, 0x3e, 0xc4, 0x5d, 0x80, 0x38, 0x85, 0xdc, 0x8c, 0xe1, 0xb9, 0x7b, 0x8f, 0x0, 0x5b, 0x66, 0x0, 0xe3, 0xfd, 0xc1, 0x31, 0xe4, 0xd5, 0x89, 0xe0, 0x85, 0xab, 0xee, 0xea, 0x27, 0xef, 0xe9, 0x98, 0x12, 0xd6, 0xf7, 0x55, 0x24, 0x49, 0x1a, 0x9d, 0x14, 0xc5, 0xc2, 0xf2, 0xd2, 0xc2, 0xa0, 0xec, 0xf4, 0xa2, 0x37, 0x5c, 0xe8, 0xb3, 0x15, 0xc0, 0x50, 0x5e, 0xa3, 0xbe, 0x6e, 0x44, 0x29, 0xed, 0xec, 0xda, 0xd2, 0x8e, 0xb9, 0xc1, 0xba, 0xf1, 0x45, 0x58, 0x24, 0xbf, 0xa9, 0x30, 0x3f, 0x78, 0xa8, 0x3a, 0x3b, 0x41, 0xd2, 0x56, 0x19, 0xa8, 0xa9, 0x9c, 0x20, 0x65, 0x21, 0x38, 0xda, 0x14, 0xa7, 0x8e, 0x8b, 0x29, 0x6d, 0x2c, 0x20, 0x7e, 0xe6, 0x63, 0x60, 0x7, 0xb9, 0x36, 0xd1, 0xde, 0xc2, 0xba, 0xf4, 0x65, 0xae, 0x1e, 0x46, 0x1b, 0x30, 0x17, 0xb, 0x7c, 0x74, 0xed, 0x34, 0xe1, 0xf0, 0x1f, 0xa9, 0x1d, 0xf, 0xc2, 0xd0, 0x28, 0xb, 0x8, 0xcc, 0x1c, 0x55, 0xfb, 0xc4, 0xbe, 0x9c, 0xf7, 0xf0, 0xad, 0xc, 0x93, 0xaa, 0xb0, 0x4c, 0xe0, 0x25, 0x2, 0xa2, 0x41, 0xb5, 0xd1, 0x13, 0x31, 0x80, 0xec, 0xb7, 0x23, 0xcd, 0xe7, 0xe4, 0xf1, 0xfa, 0xb0, 0xd3, 0x69, 0x24, 0xbf, 0x3b, 0xa0, 0x36, 0xc0, 0xdf, 0x8c, 0x90, 0x41, 0x73, 0x21, 0x25, 0x0, 0xd5, 0xdc, 0x8f, 0xf8, 0x83, 0xcd, 0xe9];
// The first output was generated using tiny-keccak; the second was derived from it.
// The first output was generated using tiny-keccak; the others were derived from it.
let out_u64s: [u64; 25] = [0x8a541df597e79a72, 0x5c26b8c84faaebb3, 0xc0e8f4e67ca50497, 0x95d98a688de12dec, 0x1c837163975ffaed, 0x9481ec7ef948900e, 0x6a072c65d050a9a1, 0x3b2817da6d615bee, 0x7ffb3c4f8b94bf21, 0x85d6c418cced4a11, 0x18edbe0442884135, 0x2bf265ef3204b7fd, 0xc1e12ce30630d105, 0x8c554dbc61844574, 0x5504db652ce9e42c, 0x2217f3294d0dabe5, 0x7df8eebbcf5b74df, 0x3a56ebb61956f501, 0x7840219dc6f37cc, 0x23194159c967947, 0x9da289bf616ba14d, 0x5a90aaeeca9e9e5b, 0x885dcdc4a549b4e3, 0x46cb188c20947df7, 0x1ef285948ee3d8ab];
let out_u32s: [u32; 50] = [0x97e79a72, 0x8a541df5, 0x4faaebb3, 0x5c26b8c8, 0x7ca50497, 0xc0e8f4e6, 0x8de12dec, 0x95d98a68, 0x975ffaed, 0x1c837163, 0xf948900e, 0x9481ec7e, 0xd050a9a1, 0x6a072c65, 0x6d615bee, 0x3b2817da, 0x8b94bf21, 0x7ffb3c4f, 0xcced4a11, 0x85d6c418, 0x42884135, 0x18edbe04, 0x3204b7fd, 0x2bf265ef, 0x630d105, 0xc1e12ce3, 0x61844574, 0x8c554dbc, 0x2ce9e42c, 0x5504db65, 0x4d0dabe5, 0x2217f329, 0xcf5b74df, 0x7df8eebb, 0x1956f501, 0x3a56ebb6, 0xdc6f37cc, 0x7840219, 0x9c967947, 0x2319415, 0x616ba14d, 0x9da289bf, 0xca9e9e5b, 0x5a90aaee, 0xa549b4e3, 0x885dcdc4, 0x20947df7, 0x46cb188c, 0x8ee3d8ab, 0x1ef28594];
let out_u8s: [u8; 200] = [0x72, 0x9a, 0xe7, 0x97, 0xf5, 0x1d, 0x54, 0x8a, 0xb3, 0xeb, 0xaa, 0x4f, 0xc8, 0xb8, 0x26, 0x5c, 0x97, 0x4, 0xa5, 0x7c, 0xe6, 0xf4, 0xe8, 0xc0, 0xec, 0x2d, 0xe1, 0x8d, 0x68, 0x8a, 0xd9, 0x95, 0xed, 0xfa, 0x5f, 0x97, 0x63, 0x71, 0x83, 0x1c, 0xe, 0x90, 0x48, 0xf9, 0x7e, 0xec, 0x81, 0x94, 0xa1, 0xa9, 0x50, 0xd0, 0x65, 0x2c, 0x7, 0x6a, 0xee, 0x5b, 0x61, 0x6d, 0xda, 0x17, 0x28, 0x3b, 0x21, 0xbf, 0x94, 0x8b, 0x4f, 0x3c, 0xfb, 0x7f, 0x11, 0x4a, 0xed, 0xcc, 0x18, 0xc4, 0xd6, 0x85, 0x35, 0x41, 0x88, 0x42, 0x4, 0xbe, 0xed, 0x18, 0xfd, 0xb7, 0x4, 0x32, 0xef, 0x65, 0xf2, 0x2b, 0x5, 0xd1, 0x30, 0x6, 0xe3, 0x2c, 0xe1, 0xc1, 0x74, 0x45, 0x84, 0x61, 0xbc, 0x4d, 0x55, 0x8c, 0x2c, 0xe4, 0xe9, 0x2c, 0x65, 0xdb, 0x4, 0x55, 0xe5, 0xab, 0xd, 0x4d, 0x29, 0xf3, 0x17, 0x22, 0xdf, 0x74, 0x5b, 0xcf, 0xbb, 0xee, 0xf8, 0x7d, 0x1, 0xf5, 0x56, 0x19, 0xb6, 0xeb, 0x56, 0x3a, 0xcc, 0x37, 0x6f, 0xdc, 0x19, 0x2, 0x84, 0x7, 0x47, 0x79, 0x96, 0x9c, 0x15, 0x94, 0x31, 0x2, 0x4d, 0xa1, 0x6b, 0x61, 0xbf, 0x89, 0xa2, 0x9d, 0x5b, 0x9e, 0x9e, 0xca, 0xee, 0xaa, 0x90, 0x5a, 0xe3, 0xb4, 0x49, 0xa5, 0xc4, 0xcd, 0x5d, 0x88, 0xf7, 0x7d, 0x94, 0x20, 0x8c, 0x18, 0xcb, 0x46, 0xab, 0xd8, 0xe3, 0x8e, 0x94, 0x85, 0xf2, 0x1e];
keccakf(&mut state_u64s);
keccakf_u32s(&mut state_u32s);
keccakf_u8s(&mut state_u8s);
assert_eq!(state_u64s, out_u64s);
assert_eq!(state_u32s, out_u32s);
assert_eq!(state_u8s, out_u8s);
}
}

237
evm/src/keccak_sponge/keccak_sponge_stark.rs
View File

@ -170,7 +170,6 @@ pub struct KeccakSpongeStark<F, const D: usize> {
}
impl<F: RichField + Extendable<D>, const D: usize> KeccakSpongeStark<F, D> {
#[allow(unused)] // TODO: Should be used soon.
pub(crate) fn generate_trace(
&self,
operations: Vec<KeccakSpongeOp>,
@ -361,40 +360,242 @@ impl<F: RichField + Extendable<D>, const D: usize> Stark<F, D> for KeccakSpongeS
fn eval_packed_generic<FE, P, const D2: usize>(
&self,
vars: StarkEvaluationVars<FE, P, { Self::COLUMNS }>,
_yield_constr: &mut ConstraintConsumer<P>,
yield_constr: &mut ConstraintConsumer<P>,
) where
FE: FieldExtension<D2, BaseField = F>,
P: PackedField<Scalar = FE>,
{
let _local_values: &KeccakSpongeColumnsView<P> = vars.local_values.borrow();
let local_values: &KeccakSpongeColumnsView<P> = vars.local_values.borrow();
let next_values: &KeccakSpongeColumnsView<P> = vars.next_values.borrow();
// TODO: Each flag (full-input block, final block or implied dummy flag) must be boolean.
// TODO: before_rate_bits, block_bits and is_final_input_len must contain booleans.
// Each flag (full-input block, final block or implied dummy flag) must be boolean.
let is_full_input_block = local_values.is_full_input_block;
yield_constr.constraint(is_full_input_block * (is_full_input_block - P::ONES));
// TODO: Sum of is_final_input_len should equal is_final_block (which will be 0 or 1).
let is_final_block = local_values.is_final_block;
yield_constr.constraint(is_final_block * (is_final_block - P::ONES));
// TODO: If this is the first row, the original sponge state should be 0 and already_absorbed_bytes = 0.
// TODO: If this is a final block, the next row's original sponge state should be 0 and already_absorbed_bytes = 0.
for &is_final_len in local_values.is_final_input_len.iter() {
yield_constr.constraint(is_final_len * (is_final_len - P::ONES));
}
// TODO: If this is a full-input block, the next row's address, time and len must match.
// TODO: If this is a full-input block, the next row's "before" should match our "after" state.
// TODO: If this is a full-input block, the next row's already_absorbed_bytes should be ours plus 136.
// Ensure that full-input block and final block flags are not set to 1 at the same time.
yield_constr.constraint(is_final_block * is_full_input_block);
// TODO: A dummy row is always followed by another dummy row, so the prover can't put dummy rows "in between" to avoid the above checks.
// Sum of is_final_input_len should equal is_final_block (which will be 0 or 1).
let is_final_input_len_sum: P = local_values.is_final_input_len.iter().copied().sum();
yield_constr.constraint(is_final_input_len_sum - is_final_block);
// TODO: is_final_input_len implies `len - already_absorbed == i`.
// If this is a full-input block, is_final_input_len should contain all 0s.
yield_constr.constraint(is_full_input_block * is_final_input_len_sum);
// If this is the first row, the original sponge state should be 0 and already_absorbed_bytes = 0.
let already_absorbed_bytes = local_values.already_absorbed_bytes;
yield_constr.constraint_first_row(already_absorbed_bytes);
for &original_rate_elem in local_values.original_rate_u32s.iter() {
yield_constr.constraint_first_row(original_rate_elem);
}
for &original_capacity_elem in local_values.original_capacity_u32s.iter() {
yield_constr.constraint_first_row(original_capacity_elem);
}
// If this is a final block, the next row's original sponge state should be 0 and already_absorbed_bytes = 0.
yield_constr.constraint_transition(is_final_block * next_values.already_absorbed_bytes);
for &original_rate_elem in next_values.original_rate_u32s.iter() {
yield_constr.constraint_transition(is_final_block * original_rate_elem);
}
for &original_capacity_elem in next_values.original_capacity_u32s.iter() {
yield_constr.constraint_transition(is_final_block * original_capacity_elem);
}
// If this is a full-input block, the next row's address, time and len must match as well as its timestamp.
yield_constr.constraint_transition(
is_full_input_block * (local_values.context - next_values.context),
);
yield_constr.constraint_transition(
is_full_input_block * (local_values.segment - next_values.segment),
);
yield_constr
.constraint_transition(is_full_input_block * (local_values.virt - next_values.virt));
yield_constr.constraint_transition(
is_full_input_block * (local_values.timestamp - next_values.timestamp),
);
// If this is a full-input block, the next row's "before" should match our "after" state.
for (&current_after, &next_before) in local_values
.updated_state_u32s
.iter()
.zip(next_values.original_rate_u32s.iter())
{
yield_constr.constraint_transition(is_full_input_block * (next_before - current_after));
}
for (&current_after, &next_before) in local_values
.updated_state_u32s
.iter()
.skip(KECCAK_RATE_U32S)
.zip(next_values.original_capacity_u32s.iter())
{
yield_constr.constraint_transition(is_full_input_block * (next_before - current_after));
}
// If this is a full-input block, the next row's already_absorbed_bytes should be ours plus 136.
yield_constr.constraint_transition(
is_full_input_block
* (already_absorbed_bytes + P::from(FE::from_canonical_u64(136))
- next_values.already_absorbed_bytes),
);
// A dummy row is always followed by another dummy row, so the prover can't put dummy rows "in between" to avoid the above checks.
let is_dummy = P::ONES - is_full_input_block - is_final_block;
yield_constr.constraint_transition(
is_dummy * (next_values.is_full_input_block + next_values.is_final_block),
);
// If this is a final block, is_final_input_len implies `len - already_absorbed == i`.
let offset = local_values.len - already_absorbed_bytes;
for (i, &is_final_len) in local_values.is_final_input_len.iter().enumerate() {
let entry_match = offset - P::from(FE::from_canonical_usize(i));
yield_constr.constraint(is_final_len * entry_match);
}
}
fn eval_ext_circuit(
&self,
_builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder<F, D>,
builder: &mut plonky2::plonk::circuit_builder::CircuitBuilder<F, D>,
vars: StarkEvaluationTargets<D, { Self::COLUMNS }>,
_yield_constr: &mut RecursiveConstraintConsumer<F, D>,
yield_constr: &mut RecursiveConstraintConsumer<F, D>,
) {
let _local_values: &KeccakSpongeColumnsView<ExtensionTarget<D>> =
vars.local_values.borrow();
let local_values: &KeccakSpongeColumnsView<ExtensionTarget<D>> = vars.local_values.borrow();
let next_values: &KeccakSpongeColumnsView<ExtensionTarget<D>> = vars.next_values.borrow();
// TODO
let one = builder.one_extension();
// Each flag (full-input block, final block or implied dummy flag) must be boolean.
let is_full_input_block = local_values.is_full_input_block;
let constraint = builder.mul_sub_extension(
is_full_input_block,
is_full_input_block,
is_full_input_block,
);
yield_constr.constraint(builder, constraint);
let is_final_block = local_values.is_final_block;
let constraint = builder.mul_sub_extension(is_final_block, is_final_block, is_final_block);
yield_constr.constraint(builder, constraint);
for &is_final_len in local_values.is_final_input_len.iter() {
let constraint = builder.mul_sub_extension(is_final_len, is_final_len, is_final_len);
yield_constr.constraint(builder, constraint);
}
// Ensure that full-input block and final block flags are not set to 1 at the same time.
let constraint = builder.mul_extension(is_final_block, is_full_input_block);
yield_constr.constraint(builder, constraint);
// Sum of is_final_input_len should equal is_final_block (which will be 0 or 1).
let mut is_final_input_len_sum = builder.add_extension(
local_values.is_final_input_len[0],
local_values.is_final_input_len[1],
);
for &input_len in local_values.is_final_input_len.iter().skip(2) {
is_final_input_len_sum = builder.add_extension(is_final_input_len_sum, input_len);
}
let constraint = builder.sub_extension(is_final_input_len_sum, is_final_block);
yield_constr.constraint(builder, constraint);
// If this is a full-input block, is_final_input_len should contain all 0s.
let constraint = builder.mul_extension(is_full_input_block, is_final_input_len_sum);
yield_constr.constraint(builder, constraint);
// If this is the first row, the original sponge state should be 0 and already_absorbed_bytes = 0.
let already_absorbed_bytes = local_values.already_absorbed_bytes;
yield_constr.constraint_first_row(builder, already_absorbed_bytes);
for &original_rate_elem in local_values.original_rate_u32s.iter() {
yield_constr.constraint_first_row(builder, original_rate_elem);
}
for &original_capacity_elem in local_values.original_capacity_u32s.iter() {
yield_constr.constraint_first_row(builder, original_capacity_elem);
}
// If this is a final block, the next row's original sponge state should be 0 and already_absorbed_bytes = 0.
let constraint = builder.mul_extension(is_final_block, next_values.already_absorbed_bytes);
yield_constr.constraint_transition(builder, constraint);
for &original_rate_elem in next_values.original_rate_u32s.iter() {
let constraint = builder.mul_extension(is_final_block, original_rate_elem);
yield_constr.constraint_transition(builder, constraint);
}
for &original_capacity_elem in next_values.original_capacity_u32s.iter() {
let constraint = builder.mul_extension(is_final_block, original_capacity_elem);
yield_constr.constraint_transition(builder, constraint);
}
// If this is a full-input block, the next row's address, time and len must match as well as its timestamp.
let context_diff = builder.sub_extension(local_values.context, next_values.context);
let constraint = builder.mul_extension(is_full_input_block, context_diff);
yield_constr.constraint_transition(builder, constraint);
let segment_diff = builder.sub_extension(local_values.segment, next_values.segment);
let constraint = builder.mul_extension(is_full_input_block, segment_diff);
yield_constr.constraint_transition(builder, constraint);
let virt_diff = builder.sub_extension(local_values.virt, next_values.virt);
let constraint = builder.mul_extension(is_full_input_block, virt_diff);
yield_constr.constraint_transition(builder, constraint);
let timestamp_diff = builder.sub_extension(local_values.timestamp, next_values.timestamp);
let constraint = builder.mul_extension(is_full_input_block, timestamp_diff);
yield_constr.constraint_transition(builder, constraint);
// If this is a full-input block, the next row's "before" should match our "after" state.
for (&current_after, &next_before) in local_values
.updated_state_u32s
.iter()
.zip(next_values.original_rate_u32s.iter())
{
let diff = builder.sub_extension(next_before, current_after);
let constraint = builder.mul_extension(is_full_input_block, diff);
yield_constr.constraint_transition(builder, constraint);
}
for (&current_after, &next_before) in local_values
.updated_state_u32s
.iter()
.skip(KECCAK_RATE_U32S)
.zip(next_values.original_capacity_u32s.iter())
{
let diff = builder.sub_extension(next_before, current_after);
let constraint = builder.mul_extension(is_full_input_block, diff);
yield_constr.constraint_transition(builder, constraint);
}
// If this is a full-input block, the next row's already_absorbed_bytes should be ours plus 136.
let absorbed_bytes =
builder.add_const_extension(already_absorbed_bytes, F::from_canonical_u64(136));
let absorbed_diff =
builder.sub_extension(absorbed_bytes, next_values.already_absorbed_bytes);
let constraint = builder.mul_extension(is_full_input_block, absorbed_diff);
yield_constr.constraint_transition(builder, constraint);
// A dummy row is always followed by another dummy row, so the prover can't put dummy rows "in between" to avoid the above checks.
let is_dummy = {
let tmp = builder.sub_extension(one, is_final_block);
builder.sub_extension(tmp, is_full_input_block)
};
let constraint = {
let tmp =
builder.add_extension(next_values.is_final_block, next_values.is_full_input_block);
builder.mul_extension(is_dummy, tmp)
};
yield_constr.constraint_transition(builder, constraint);
// If this is a final block, is_final_input_len implies `len - already_absorbed == i`.
let offset = builder.sub_extension(local_values.len, already_absorbed_bytes);
for (i, &is_final_len) in local_values.is_final_input_len.iter().enumerate() {
let index = builder.constant_extension(F::from_canonical_usize(i).into());
let entry_match = builder.sub_extension(offset, index);
let constraint = builder.mul_extension(is_final_len, entry_match);
yield_constr.constraint(builder, constraint);
}
}
fn constraint_degree(&self) -> usize {

7
evm/src/witness/operation.rs
View File

@ -127,7 +127,12 @@ pub(crate) fn generate_keccak_general<F: Field>(
log::debug!("Hashing {:?}", input);
let hash = keccak(&input);
let log_push = stack_push_log_and_fill(state, &mut row, hash.into_uint())?;
let val_u64s: [u64; 4] =
core::array::from_fn(|i| u64::from_le_bytes(core::array::from_fn(|j| hash.0[i * 8 + j])));
let hash_int = U256(val_u64s);
let mut log_push = stack_push_log_and_fill(state, &mut row, hash_int)?;
log_push.value = hash.into_uint();
keccak_sponge_log(state, base_address, input);